Hackers trick goods out of online shopping sites

A team of computer security researchers has gone on an online shopping spree after discovering a series of flaws in payment software.
The problem lies in the three-pronged nature of the payment systems, which typically involve specialist merchant software that links a retailer’s website with a payment-processing company, such as Amazon Payments or PayPal. Hackers can profit by intercepting and faking communications involving the websites and the software.
In one attack, Wang and colleagues used a plug-in for the Firefox web browser to examine data being sent and received by the online retailer Buy.com. When users make a purchase, Buy.com directs them to PayPal. Once they have paid, PayPal sends Buy.com a confirmation message tagged with a code that identifies the transaction.
PayPal handles its side of the process securely, says Wang, but Buy.com was relatively easy to fool. First the team purchased an item and noted the confirmation code used by PayPal. Then they selected a second item on Buy.com but did not pay up. Instead, they used the code from the first transaction to fake a confirmation message, which Buy.com accepted as proof of payment.
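The flaw described above is a binding and replay problem on the merchant's side: the confirmation was genuine, but the merchant never checked that it belonged to the order being paid for, or that it had not already been used. The following is an added, constructed example (not Buy.com's or PayPal's code) that models the processor's confirmation as a set of fields plus an HMAC tag under a secret shared between processor and merchant (an assumption; real processors use their own formats and verification calls). It puts a merchant check that mirrors the described weakness beside one that binds the confirmation to the order, amount and merchant and rejects reused transaction identifiers.

```python
"""Merchant-side verification of a payment-processor confirmation.

Constructed demonstration; the message format, shared secret, order ids and
amounts are all assumptions made for this example.
"""
import hashlib
import hmac
import json

# Assumption: the processor and the merchant share a key used to tag confirmations.
SHARED_SECRET = b"constructed-demo-secret"
MERCHANT_ID = "merchant-demo"          # constructed merchant identifier


def _tag(fields):
    """HMAC-SHA256 over a canonical JSON encoding of the confirmation fields."""
    canonical = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(SHARED_SECRET, canonical, hashlib.sha256).hexdigest()


def processor_confirm(txn_id, order_id, amount_cents, merchant):
    """Simulates the processor issuing a signed confirmation after a real payment."""
    fields = {"txn_id": txn_id, "order_id": order_id,
              "amount_cents": amount_cents, "merchant": merchant}
    return {"fields": fields, "tag": _tag(fields)}


def fresh_orders():
    """Constructed order book: order id -> amount owed and payment status."""
    return {
        "A-1001": {"amount_cents": 1999, "status": "unpaid"},  # e.g. a DVD
        "B-2002": {"amount_cents": 899, "status": "unpaid"},   # e.g. a charger
    }


def vulnerable_checkout(order_id, msg, orders, used):
    """Mirrors the described weakness: any genuine confirmation counts as payment
    for whatever order is being checked out, with no binding or reuse check."""
    if not hmac.compare_digest(_tag(msg["fields"]), msg["tag"]):
        return "rejected: bad signature"
    orders[order_id]["status"] = "paid"
    return "shipped"


def hardened_checkout(order_id, msg, orders, used):
    """Accepts a confirmation only if it is genuine, was issued to this merchant
    for this exact order and amount, and its transaction id has never been used."""
    f = msg["fields"]
    if not hmac.compare_digest(_tag(f), msg["tag"]):
        return "rejected: bad signature"
    if f["merchant"] != MERCHANT_ID:
        return "rejected: wrong merchant"
    order = orders.get(order_id)
    if order is None or f["order_id"] != order_id:
        return "rejected: confirmation not for this order"
    if f["amount_cents"] != order["amount_cents"]:
        return "rejected: amount mismatch"
    if f["txn_id"] in used:
        return "rejected: replayed transaction id"
    used.add(f["txn_id"])            # consume the id so it cannot be presented again
    order["status"] = "paid"
    return "shipped"


def replay_demo(checkout):
    """Pay for one order legitimately, then present the same confirmation for a
    second, unpaid order. Returns both outcomes and the second order's status."""
    orders, used = fresh_orders(), set()
    conf = processor_confirm("TXN-777", "A-1001", 1999, MERCHANT_ID)
    first = checkout("A-1001", conf, orders, used)
    second = checkout("B-2002", conf, orders, used)
    return first, second, orders["B-2002"]["status"]


if __name__ == "__main__":
    print("vulnerable:", replay_demo(vulnerable_checkout))
    print("hardened:  ", replay_demo(hardened_checkout))
```

The order of the checks matters for diagnostics only; any failing check must stop the order from being marked paid. In a real deployment the merchant should additionally confirm the transaction with the processor out of band rather than trusting a message relayed through the customer's browser, and the set of consumed transaction ids needs to be persistent and shared across merchant servers.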
Wang used this and similar techniques on various sites to obtain a DVD, a cellphone charger and a subscription to an online magazine, among other items – all for free. It is unclear whether serious fraudsters are exploiting this line of attack. Wang’s team has since returned or paid for the items they acquired. They have also notified affected companies of their findings, and they say security holes at Buy.com and Amazon Payments have since been fixed.
But the three-pronged nature of online payment systems means that there may be many other security holes ripe for criminal exploitation, says Rui Wang's PhD supervisor, also named Wang.
Source: https://www.newscientist.com/article/mg21028095.600-hackers-trick-goods-out-of-online-shopping-sites.html