Fraud Alert: Are Payment Gateways Safe & Secure? Beware of QR Code Scam
Payment gateways, a technology or service that facilitates electronic transactions, play a crucial role in the online commerce ecosystem by ensuring the security, reliability and convenience of electronic payment transactions. It acts as an intermediary between a merchant (a business that sells products or services) and a customer, enabling the secure and efficient processing of various payment transactions, such as credit card payments, debit card payments, digital wallets, and other online payment methods. However, a recent incident in Thane (Maharashtra) raises serious questions about the security of payment gateways and their infrastructure. 
According to the Thane police, the payment gateway of Safexpay Technology Pvt Ltd (STPL) was allegedly hacked, revealing a massive scam of siphoning off Rs18,180 crore, including some money transferred abroad, which is now being probed. But more about it later. 
As Indians have quickly adopted digital payments, a surge in quick-response (QR) code scams has plagued the country, warns a report from Unit 42 at Palo Alto Networks, a cybersecurity company. This, indeed, is worrisome, especially when more and more people are routinely using QR codes for making payments through the unified payment interface (UPI). In August, UPI surpassed 10bn (billion) monthly transactions with a transaction value of Rs15.18trn (trillion).
Are Payment Gateways Safe & Secure?
News agency IANS, says that the fraud at Thane came to light after a complaint of allegedly hacking into the six-year-old STPL's payment gateway and transferring money to hundreds of bank accounts.
About Rs25 crore, which was siphoned off, found its way into the HDFC Bank account of Thane-based company Real Enterprises, which has five branches in Mumbai and Navi Mumbai, the report says quoting investigating officers.
"A probe into Real Enterprises revealed at least 260 accounts with various banks that were used for carrying out the financial frauds. A perusal of the bank statements of these 260 accounts pointed to an estimated misappropriation of a massive Rs16,180 crore, a part of which has been transferred to foreign accounts," the report says.
Thane police suspect that many more persons could be involved in the huge racket involving opening bank accounts with fake documents and floating five partnership firms with bogus papers intended to cheat the government.
As we know, payment gateways enable businesses to expand their customer base by accepting payments from a wide range of sources and help create a seamless and trustworthy shopping experience for consumers.
Payment gateway security breaches can have serious consequences for businesses and their customers. These breaches can lead to the theft of sensitive financial information and damage a company's reputation.
One of the primary issues with payment gateways (I would say with every business that uses computers or technology solutions) is the lack of regular security audits and testing of systems. Failing to assess the security of the payment gateway regularly can lead to vulnerabilities going unnoticed.
Payment gateways need to regularly conduct security audits, penetration testing and vulnerability assessments, to identify and address weaknesses.
Further, payment gateways must comply with crucial regulations like the payment card industry data security standard (PCI DSS), as it provides a framework for securing payment card data and preventing breaches.
Beware of QR Code Scam
A QR code scam is a fraudulent scheme in which cybercriminals use QR codes to deceive individuals into taking actions that compromise their security or privacy. These scams are becoming more common as QR codes are widely used for various purposes, including making payments, accessing websites and sharing contact information.
In Bengaluru alone, since 2017, over 20,600 cases of QR code scams have been registered, says a report from Times of India
According to a media report, a professor from the Indian Institute of Science (IISc) lost Rs63,000 while trying to sell his washing machine. The buyer said that he would send a QR code and the money would be credited to the professor's account once it was scanned. After scanning the code, the professor found that money was siphoned off from his account in multiple instalments.  
According to Palo Alto Networks, QR code scams are increasing in India.
"With QR codes now deeply integrated into our daily lives, related scams have surged in prominence. Cybercriminals exploit this by surreptitiously replacing QR codes in establishments such as bars, restaurants, lounges, shops, and clubs. This can result in unauthorised UPI payments and potential financial harm," says Vicky Ray, principal researcher -- Unit 42 at Palo Alto Networks. 
When individuals scan any altered QR code, it can automatically redirect them to a phishing URL, where cybercriminals can get access to user credentials as well as social media accounts, among other things. Altered QR codes are used by fraudsters to send users to malicious websites or download fake apps, steal money or information or for phishing attacks.  
Palo Alto Networks also mentions the use of 'evil twin' or hotspot honey-spots in the threats, tactics, and procedures (TTP) modules used by cybercriminals in ransomware and extortion. "In this scenario, threat actors establish an insecure Wi-Fi network, enticing users with free internet access upon scanning their QR code. Once connected, hackers intercept and eavesdrop on the data  transmitted, pilfering personal or confidential business information, online banking credentials, and credit card details."
In these circumstances, it is essential to stay cautious while using QR codes for accessing any website, sharing information or for any online transaction. 
Here are a few more tips to avoid becoming a victim of a QR code scam...
  • Verify the sender's identity and the legitimacy of the request before taking any action.
  • To stay safe from QR code scams, it is essential to exercise caution, use common sense and be vigilant when scanning QR codes. 
  • If you are unsure about the legitimacy of a QR code, it is best to avoid scanning it or to verify its source before taking any action. 
  • Additionally, keeping your devices and software up to date with security patches and using reputable security software can help protect you from various scams and threats.
Stay Alert, Stay Safe!
Veeresh Malik
8 months ago
Whilst there are many variations of scams going, one of the easiest to avoid is when anybody asks you to scan a QR code to receive change back for a payment, as was attempted on me a few weeks ago. Gave 100/- cash for 55/- worth of eggs, and the seller asked me to scan a QR code to receive the balance 45/-; opted to buy 55/- worth more of eggs instead and haggled a 10/- discount.

The risks involved in scanning unknown, or even known, QR codes is still not fully understood - restaurant menus, for example.

Are we then reverting to cash for small transactions? Well, unless you are really tech savvy, and even then, it may be a good idea to carry cash instead of scanning anything and everything.
Smart One
8 months ago
If you have one voter prime minister and one voter constable near your vote booth then they should protect you from fraudulent fellow voters. Simply simple yes true agreed with me thanks.
8 months ago
Very informative article.
8 months ago
Unless we have a robust legal system these type of frauds will occur. the anonymity mask gives the fraudsters confidence and our legal system ensure these go scot free or a minor slap. Unless this is given death penalty ( as it destroys families) or 20 years in remote cellular jail, this cannot be stopped. Only expense on security audit will keep increasing
8 months ago
Online Fraud occurs involving 3 parties ie Tricked User by Hackers, an unchecked Space between Payment Gateway Firewalls & Malware, lacks of Credible Security Intelligence to keep the final Delivery Payment Gateway utterly getting Vulnerable arising out of complete day to day basis updating Security Patches by Technology Vendors & System Administrators. Due Diligence of Security Audits facilitating Malwares to intrude Payment Gateway Server construed as major deficiency of Online Frauds. Now, in case of compensation of financial loss, can it be devolved onerous responsibility upon User for Involuntary slips or lackadaisical maintenance of Computer Security System as Ultimate Delivery Platform for release of Fraudulent Transactions without checking its Veracity with reference to Transaction History, Nature of Transactions by Users, Allowing Fraudulent Transactions by ignoring system related Posting Restrictions beyond One or Two Transactions as Customized in Operating Software of Psyment Gateway Server?
8 months ago
one important point that needs to be highlighted is that for RECEIVING money, one does not need to scan any QR code.
Free Helpline
Legal Credit