Hackers take payment e-commerce firms for a ride

Karan Choudhary New Delhi
Last Updated : Jan 26 2017 | 12:47 AM IST
Like most other millennials, 23-year-old Sunny Nehra from the small town of Jind in Haryana dreamt of the high life. From a humble, middle-class family, he had only three things going for him: a sharp mind, a knack for computer coding, and a fast laptop.

He allegedly made full use of all three. On Wednesday, Delhi Police arrested Nehra from the deluxe suite of a five-star hotel, and then three other hackers. They are charged with duping e-commerce and payments companies of almost Rs1 crore, exposing how vulnerable these new-age tech companies are to attacks.

While these companies claim to be spending a bomb on cyber security, the hackers managed to beat the system with no more than a few high-powered laptops. This gang of 'digital shoplifters' had developed expertise in digitally emptying promotional e-vouchers by exploiting security weaknesses in the checkout flows of well-known e-commerce websites, and used the proceeds to fund a luxurious life. According to the police, an e-commerce firm named Voucha Gram India Pvt Ltd, which runs the website www.gyftr.com, alleged that it had been hacked and that e-vouchers worth about Rs1 crore had been digitally stolen. The theft was carried out through transactions routed via the online payment gateway PayU.

“The complainant had provided voluminous data, requiring careful analysis. This data had been procured from various e-merchant firms. The analysis revealed e-vouchers which were digitally shoplifted belonged to companies like MakeMyTrip, Amazon, Flipkart, Big Bazar, Reliance Digital, Myntra.com, Yatra.com, Dominos Pizzas, Prestige, Titan, Provogue, Shoppers Stop and other online shopping companies. The total financial loss to the complainant was assessed to be about Rs92 lakh,” said Ishwar Singh, deputy commissioner of police (south).

The police sought transaction data from PayU, Amazon, Flipkart, Reliance Digital and others. A detailed analysis of the logs soon pointed to the primary suspect, who was using the stolen vouchers, a digital equivalent of cash, to fund a lavish lifestyle.

“One of his hacker friends informed him that PayU, a leading payment gateway, was suffering from a vulnerability and could be tested for data tampering. He started testing it and soon discovered that it was allowing ‘change in parameters on the processing page’, which is data tampering,” Singh added.

PayU says its payment gateway is PCI-DSS compliant, on a par with industry standards for data security. “PayU protects transaction data integrity by way of check-summing important transaction data exchanged between merchant, PayU and bank. When merchants send data to PayU, they are expected to send a check-sum of the data in the transaction request.

The check-sum is recomputed by PayU from source data and compared with that sent by the merchant. If these don't match, the transaction request is deemed tampered with and failed. A similar activity is expected during the transaction response, wherein the merchant must recompute the check-sum on the response raw data and compare the result with the check-sum sent by PayU, and dishonour the transaction in case of any discrepancy. 

In this case, the merchant did not implement the response check-sum test. In such cases, tampering of response data by malicious users will occur, resulting in the merchant facing the repercussions,” said Prashant Susarla, technical head at PayU India.
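The two failure modes described above, the parameter tampering the police describe and the missing response check-sum test PayU describes, are easiest to see side by side. The following is an added example, not code from PayU or from the merchant involved: it simulates a merchant and a gateway that share a salt, with a hypothetical HMAC-SHA256 check-sum over an assumed field order (PayU's real algorithm and field order are not reproduced here). All keys, salts, transaction IDs and amounts are constructed for the example.

```python
import hashlib
import hmac

# Constructed values for this example; a real integration would use the
# merchant key and salt issued by the gateway.
MERCHANT_KEY = "merchant-demo-key"
SALT = b"salt-shared-only-by-merchant-and-gateway"

# Field orders covered by the request and response checksums. These orders
# are an assumption of the example, not the gateway's published scheme.
REQUEST_FIELDS = ("key", "txnid", "amount", "productinfo", "email")
RESPONSE_FIELDS = ("status", "txnid", "amount", "productinfo", "email", "key")


def checksum(params, fields):
    """HMAC-SHA256 over the pipe-joined field values, keyed with the shared salt."""
    msg = "|".join(str(params[f]) for f in fields).encode()
    return hmac.new(SALT, msg, hashlib.sha256).hexdigest()


def build_request(txnid, amount):
    """Merchant side: sign the transaction request before posting it to the gateway."""
    params = {"key": MERCHANT_KEY, "txnid": txnid, "amount": amount,
              "productinfo": "gift-voucher", "email": "buyer@example.com"}
    params["hash"] = checksum(params, REQUEST_FIELDS)
    return params


def gateway_process(request, bank_approves):
    """Simulated gateway: fail a tampered request, otherwise return a signed response.

    `bank_approves` stands in for the bank's authorisation decision.
    """
    if not hmac.compare_digest(checksum(request, REQUEST_FIELDS), request.get("hash", "")):
        return None  # request checksum mismatch: deemed tampered, not processed
    response = {f: request[f] for f in ("txnid", "amount", "productinfo", "email", "key")}
    response["status"] = "success" if bank_approves else "failure"
    response["hash"] = checksum(response, RESPONSE_FIELDS)
    return response


def tamper(params, **changes):
    """What a user can do to any parameters relayed through their own browser."""
    forged = dict(params)
    forged.update(changes)
    return forged


def merchant_callback_vulnerable(response, order):
    """Trusts the status field as posted back; no response checksum check."""
    return response["txnid"] == order["txnid"] and response["status"] == "success"


def merchant_callback_hardened(response, order):
    """Recompute the response checksum, then match the response to the merchant's own order."""
    if not hmac.compare_digest(checksum(response, RESPONSE_FIELDS), response.get("hash", "")):
        return False  # discrepancy: dishonour the transaction
    if response["txnid"] != order["txnid"] or response["amount"] != order["amount"]:
        return False  # genuine gateway response, but not for this order or not the full amount
    return response["status"] == "success"


def demo():
    """Run the three scenarios and return the outcomes."""
    order = {"txnid": "TXN1001", "amount": "5000.00"}
    request = build_request(order["txnid"], order["amount"])

    # 1. Amount lowered in the request: the gateway's request checksum catches it.
    request_tampered = gateway_process(tamper(request, amount="1.00"), bank_approves=True)

    # 2. Bank declines; the user edits status=failure to status=success on the way back.
    declined = gateway_process(request, bank_approves=False)
    forged = tamper(declined, status="success")
    vulnerable_accepts = merchant_callback_vulnerable(forged, order)
    hardened_accepts = merchant_callback_hardened(forged, order)

    # 3. A genuine approval still passes the hardened check.
    approved = gateway_process(request, bank_approves=True)
    genuine_accepts = merchant_callback_hardened(approved, order)

    return {"request_tampered_processed": request_tampered is not None,
            "vulnerable_accepts_forged": vulnerable_accepts,
            "hardened_accepts_forged": hardened_accepts,
            "hardened_accepts_genuine": genuine_accepts}


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The request-side check is the one the gateway controls; the response-side check can only be done by the merchant, because the response travels back through the customer's browser before it reaches the merchant's callback URL. That is why a missing response check lets a declined payment be turned into a "successful" one. Note also that the check-sum proves only that the gateway produced that exact response: the merchant must still compare the transaction ID and amount with its own order record, and release a voucher at most once per transaction ID.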

Nehra was allegedly staying at Leela Ambience, Gurgaon. A raid was conducted and he was taken into custody. Based on his interrogation, the other three were arrested.

“This is a classical case of exploitation of data. Digital wallets and mobile wallets are extremely unsafe. There are only a couple of Reserve Bank notifications on it. The sector is unregulated; there are no minimum parameters to follow. A majority of the service providers do not focus on cyber security,” said Pavan Duggal, an advocate who specialises in the area of cyber and e-commerce law.
