The fraud came to light, during an audit the company carried on transactions. A Razorpay spokesperson said: “During a routine payment process, an unauthorised actor(s) with malicious intent used the browser to tamper with authorisation data on a few merchant sites which were using an older version of Razorpay’s integration, due to gaps in their payment verification process. No end-consumer and no merchant data or merchant funds were affected by this incident.”
According to media reports, the hacker manipulated the authorisation process of the gateway to authenticate 831 transactions. “Razorpay has proactively taken steps to mitigate the issue permanently and eliminate future occurrences. The company has already recovered part of the amount and is proactively working with the relevant authorities for the rest of the process,” the company’s spokesperson said.
Hacking of banks and financial institutions for data theft is a well-known trend, but the Razorpay incident could be the first among payment gateway players.
Some other well-known breaches include the one at MobiKwik in 2021, when data of over 3 million users was hacked into. But data breach or hacking into systems to get customer data like KYC or passwords are very common. Hacking to steal money directly from financial institutions is still very rare.
Cybercrime and cyber attacks have gone up exponentially since 2020. According to the Ministry of Electronics and Information Technology, between 2018 and 2021 there was a fivefold jump in the number of cybercrimes and frauds.
For the financial sector, threat levels have gone up significantly. For instance, Trend Micro detected 4,497 online banking malware in India in the first half of 2021.
Kaspersky said in its threat prediction for 2022, “We are likely to witness the growth of attacks against payment systems and more advanced mobile threats.”