their apps/websites used in screenshots. They are just examples, and have not been picked because they are any more (or less) vulnerable than their competitors.
2. Logos of companies used are, obviously, the registered trademarks of respected companies.
3. Vulnerabilities discussed here are technical in nature. All entities and organizations discussed here have legal and regulatory overwatch. Gaps in regulation/legislation/policy are not covered here.
4. Negligence is not criminal intent. Oversight is not the same as malpractice. I aim to point out possible points of failure and data leakage.
5. I am not making accusations against any given entity to the degree that they are stealing/hoarding/selling your personal data and payment details, but they could, if they want to
as the payment SDK provider. Eg. Paytm is both. Freecharge has SDK, but gateway is Juspay
• Loaded inside the WebView of the payment SDK
• Gets card details, as well as SMS reading permissions via the SDK, via the parent app
writing style from mails and SMS? How about NO.
• Do not give SMS reading rights to all and sundry. Read them and manually enter the OTP.
• Do not give notification service permissions. Full SMS data is present in notification.
• Watch out for apps asking accessibility permission.
integration of into OnePlus and Indus OS
• One touch recharge/balance from dialer
• “One click” transactions are always a security nightmare

Paytm Money Request
• Verification is based on OTP.
• OTP can be seen on locked phone’s lockscreen.
• I can steal your money if I know your number and see your mobile lying on the table

Tapzo / Haptik
• A super aggregator of apps is just another layer of nesting of people who handle your card details
• Keeping your card on tab of a chatbot is not too smart.
or to die as a good man?
- TEDDY, SHUTTER ISLAND

The onus of informing the world about a security breach in a firm lies with them. Do companies try suppressing facts, until they are compelled to admit? (Case in point = Yahoo!)