Everyone can see your credit card details. Seriously.

Transcript

1. DISCLAIMER : 1. Some popular companies have been named and

   their apps/websites used in screenshots. They are just examples, and have not been picked because they are any more (or less) vulnerable than their competitors. 2. Logos of companies used, are obviously, the registered trademarks of respected companies. 3. Vulnerabilities discussed here are technical in nature. All entities and organizations discussed here have legal and regulatory overwatch. Gaps in regulation/legislation/policy is not covered here. 4. Negligence is not criminal intent. Oversight is not same as a malpractice. I aim to point out possible points of failures and data leakage. 5. I am not making accusations against any given entity to the degree that they are stealing/hoarding/selling your personal data and payment details, but they could, if they want to

2. We are hungry ! Let us order some food

3. I order a chicken wrap We have an order of

   Rs. 191 on FAASOS

4. Payment Method Selecting Freecharge

5. Mobile Verification Freecharge verifies my number has a connected wallet

6. Enter card details Paying with freecharge, where I have an

   account, but no wallet balance

7. Going to Payment gateway Juspay is the merchant processor.

8. My bank’s payment gateway So I am paying 191 rupees

   to Snapdeal on a page powered by Wibmo

9. I ordered food worth Rs. 191 on Faasos

10. I ordered food worth Rs. 191 on Faasos and paid

    using Freecharge

11. I ordered food worth Rs. 191 on Faasos and paid

    using Freecharge via Juspay’s gateway

12. I ordered food worth Rs. 191 on Faasos and paid

    using Freecharge via Juspay’s gateway on Wibmo’s card processing page

13. I ordered food worth Rs. 191 on Faasos and paid

    using Freecharge via Juspay’s gateway on Wibmo’s card processing page on a Xiaomi smartphone

14. I ordered food worth Rs. 191 on Faasos and paid

    using Freecharge via Juspay’s gateway on Wibmo’s card processing page on a Xiaomi smartphone while typing on Swiftkey keyboard
15. None

16. Surprise fact My bank statement shows a payment to Snapdeal_com_CCA

17. Bonus gifts 3 messages from Axis Bank 2 messages from

    Freecharge 4 messages from Faasos

18. Everyone can see your credit card details. Seriously - ARNAV

    GUPTA

19. ” “ Only the paranoid survive - ANDREW S GROVE,

    COFOUNDER/CEO INTEL Let us assume, everyone is evil and wants to steal your card

20. So how exposed are we LET US TRACK OUR PATH,

    FROM OUTSIDE INWARDS AND SEE WHO GOT ACCESS TO WHAT

21. The smartphone manufacturer u Has access to all data entered

    and all OTPs received u Can access all network data u Can siphon E2E encrypted data at presentation layer

22. Custom keyboard apps u Can log your keystrokes, virtually giving

    access to all personal / payment details typed u Can ask for access to mails / SMS to “learn your words”

23. The merchant app u The app on which you are

    buying the product, is the one inside which you are entering your payment details u Such apps mostly have SMS reading permission (to auto retrieve OTP)

24. The payment SDK u Could be provided by Freecharge /

    Juspay / Paytm / Mobikwik / PayUMoney / Razorpay etc. u Works as a WebView inside the app u You type your card details into this WebView u App developer implements this like a black box

25. The payment gateway u May or may not be same

    as the payment SDK provider. Eg. Paytm is both. Freecharge has SDK, but gateway is Juspay u Loaded inside the WebView of the payment SDK u Gets card details, as well as SMS reading permissions via the SDK, via the parent app

26. The card authentication system u Implemented by the bank, but

    usually using off-the- shelf solutions u Generate OTP and/or verifiy password u Providers like Wibmo, who are independent entities from banks

27. Are underlying layers targeted ? You bet. YOUR CARD DETAILS

    ARE NOT HACKED SPECIFICALLY, BUT A BACKDOOR IN XYZ PHONE BRAND LEAKS 100000 CARD DETAILS.

28. ” “ 3.2 million debit card details are compromised HITACHI

    HACK, INDIA, 2016 Hitachi Payment systems servers hacked, which powers ATMs and POS machines. Over a million debit card PINs feared compromised.

29. ” “ Deliberately installed spyware by Adups and Baidu found

    in BLU, Lenovo, ZTE and Xiaomi phones. REPEATEDLY IN 2014, 2015, 2016 Call-home spywares, which read texts, MAC/IMEI numbers, call logs repeatedly found in multiple Chinese phones and laptops.

30. How do I stay safer ? Solutions from an user’s

    perspective

31. The safest solution = COD

32. The safest solution = COD Illegal tender bro!

33. The safest solution = COD

34. Web is more secure than mobile WEB MOBILE Merchant App

    Payment SDK Gateway | Settler Bank Browser Merchant Gateway Bank

35. Web is more secure than mobile WEB u Hardware keyboard

    – safe unless PC has malware u Easy to make sure HTTPS connection and TLS certificate MOBILE u 3rd party Software keyboard – easily logged u No idea about underlying network characteristics

36. Use virtual credit cards u Most banks allow creating them

    u Upside : Limited exposure u Downside : Tedious process to create, and valid only for few days usually

37. Create an “e-spending” account u NOTE: Credit card payments are

    easier to stop than debit cards. Once paid, money gone u Create a bank account dedicated for eCommerce u Keep an amount that is acceptable loss u Top it up every month u BONUS: Helps curb spending

38. Judiciously give app permissions u Keyboard wants to learn your

    writing style from mails and SMS ? How about NO. u Do not give SMS reading rights to all and sundry. Read them and manually enter the OTP. u Do not give notification service permissions. Full SMS data is present in notification. u Watch out for apps asking accessibility permission.

39. Do not use random phone brands I am no “Make

    In India” promoter or Apple fanboy, but seriously, stay away from Chinese manufacturers.

40. How do I build it more secure? Solutions from a

    developer’s perspective

41. Provide in-app keyboard u For entering sensitive data, provide in-app

    keyboard layout. Educate users why. u Most banks have on-page keyboards for passwords already

42. Chrome custom-tabs u Instead of internal WebView, use Chrome custom

    tabs to go to gateway u Remove need of mobile payment SDK. Reuse your own web payment interface u The onus of security shifts to Google
43. None

44. Prefer all-in-one vendors u Payment gateway cum merchant settlers are

    better – fewer players involved u Settlement and refund process are faster u Avoid losing user trust by showing multiple payment portals u Get billed on your name

45. Use dynamic non-sniffable secrets u Passwords are static – hack

    once, profit multiple times. u OTPs travel over unencrypted layers – can be sniffed. u ICICI Debit Card 16-box-letter code design is an efficient solution

46. The questions that remain Plugging the remaining holes, and the

    way forward

47. A few more perilous cases Freecharge in OS • Deep

    integration of into OnePlus and Indus OS • One touch recharge/balance from dialer • “one click” transactions are always security nightmare Paytm Money Request • Verification is based on OTP. • OTP can be seen on locked phone’s lockscreen. • I can steal your money if I know your number and see your mobile lying on the table Tapzo / Haptik • A super aggregator of apps is just another layer of nesting of people who handle your card details • Keeping your card on tab of a chatbot is not too smart.

48. ” “Which would be worse: To live as a monster,

    or to die as a good man? - TEDDY, SHUTTER ISLAND The onus of informing the world about a security breach in a firm lies with them. Do companies try suppressing facts, until they are compelled to admit ? (Case in point = Yahoo! )

49. ” “ So who takes the fall that covers it

    all again ? - YURI KANE (RIGHT BACK, 2010) When your refund is late, who is in possession of the money? If it is a fraudulent transaction, who covers what amount of liability ?

50. ” “ Don’t go penniless trying to go cashless THANK

    YOU @championswimmer