{"id":1870,"date":"2011-07-24T13:38:32","date_gmt":"2011-07-24T08:08:32","guid":{"rendered":"https:\/\/www.qadit.com\/blog\/?p=1870"},"modified":"2011-08-04T13:39:30","modified_gmt":"2011-08-04T08:09:30","slug":"hackers-trick-goods-out-of-online-shopping-sites","status":"publish","type":"post","link":"https:\/\/qadit.com\/blog\/hackers-trick-goods-out-of-online-shopping-sites\/","title":{"rendered":"Hackers trick goods out of online shopping sites"},"content":{"rendered":"<p>A TEAM of computer security researchers have gone on an online shopping spree, after discovering a series of flaws in payment software.<!--more--><br \/>\nThe problem lies in the three-pronged nature of the payment systems, which typically involve specialist merchant software that links a retailer&#8217;s website with a payment-processing company, such as Amazon Payments or PayPal. Hackers can profit by intercepting and faking communications involving the websites and the software.<br \/>\nIn one attack, Wang and colleagues used a plug-in for the Firefox web browser to examine data being sent and received by the online retailer Buy.com. When users make a purchase, Buy.com directs them to PayPal. Once they have paid, PayPal sends Buy.com a confirmation message tagged with a code that identifies the transaction.<br \/>\nPayPal handles its side of the process securely, says Wang, but Buy.com was relatively easy to fool. First the team purchased an item and noted the confirmation code used by PayPal. Then they selected a second item on Buy.com but did not pay up. Instead, they used the code from the first transaction to fake a confirmation message, which Buy.com accepted as proof of payment.<br \/>\nWang used this and similar techniques on various sites to obtain a DVD, a cellphone charger and a subscription to an online magazine, among other items &#8211; all for free. It is unclear whether serious fraudsters are exploiting this line of attack. 
Wang&#8217;s team has since returned or paid for the items they acquired. They have also notified affected companies of their findings, and they say security holes at Buy.com and Amazon Payments have since been fixed.<br \/>\nBut the three-pronged nature of online payment systems means that there may be many other security holes ripe for criminal exploitation, says Rui Wang&#8217;s PhD supervisor Wang.<br \/>\nSource: https:\/\/www.newscientist.com\/article\/mg21028095.600-hackers-trick-goods-out-of-online-shopping-sites.html<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A TEAM of computer security researchers have gone on an online shopping spree, after discovering a series of flaws in payment software.<\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","enabled":false},"version":2}},"categories":[9,12],"tags":[],"class_list":["post-1870","post","type-post","status-publish","format-standard","hentry","category-banking","category-itsec"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p9AH7Q-ua","_links":{"self":[{"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/posts\/1870","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/qadit.c
om\/blog\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/comments?post=1870"}],"version-history":[{"count":0,"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/posts\/1870\/revisions"}],"wp:attachment":[{"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/media?parent=1870"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/categories?post=1870"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/tags?post=1870"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}