Payment gateways, a technology or service that facilitates electronic transactions, play a crucial role in the online commerce ecosystem by ensuring the security, reliability and convenience of electronic payment transactions. It acts as an intermediary between a merchant (a business that sells products or services) and a customer, enabling the secure and efficient processing of various payment transactions, such as credit card payments, debit card payments, digital wallets, and other online payment methods. However, a recent incident in Thane (Maharashtra) raises serious questions about the security of payment gateways and their infrastructure.
According to the Thane police, the payment gateway of Safexpay Technology Pvt Ltd (STPL) was allegedly hacked, revealing a massive scam of siphoning off Rs18,180 crore, including some money transferred abroad, which is now being probed. But more about it later.
As Indians have quickly adopted digital payments, a surge in quick-response (QR) code scams has plagued the country, warns a report from Unit 42 at Palo Alto Networks, a cybersecurity company. This, indeed, is worrisome, especially when more and more people are routinely using QR codes for making payments through the unified payment interface (UPI). In August, UPI surpassed 10bn (billion) monthly transactions with a transaction value of Rs15.18trn (trillion).
Are Payment Gateways Safe & Secure?
News agency IANS, says that the fraud at Thane came to light after a complaint of allegedly hacking into the six-year-old STPL's payment gateway and transferring money to hundreds of bank accounts.
About Rs25 crore, which was siphoned off, found its way into the HDFC Bank account of Thane-based company Real Enterprises, which has five branches in Mumbai and Navi Mumbai, the report says quoting investigating officers.
"A probe into Real Enterprises revealed at least 260 accounts with various banks that were used for carrying out the financial frauds. A perusal of the bank statements of these 260 accounts pointed to an estimated misappropriation of a massive Rs16,180 crore, a part of which has been transferred to foreign accounts," the report says.
Thane police suspect that many more persons could be involved in the huge racket involving opening bank accounts with fake documents and floating five partnership firms with bogus papers intended to cheat the government.
As we know, payment gateways enable businesses to expand their customer base by accepting payments from a wide range of sources and help create a seamless and trustworthy shopping experience for consumers.
Payment gateway security breaches can have serious consequences for businesses and their customers. These breaches can lead to the theft of sensitive financial information and damage a company's reputation.
One of the primary issues with payment gateways (I would say with every business that uses computers or technology solutions) is the lack of regular security audits and testing of systems. Failing to assess the security of the payment gateway regularly can lead to vulnerabilities going unnoticed.
Payment gateways need to regularly conduct security audits, penetration testing and vulnerability assessments, to identify and address weaknesses.
Further, payment gateways must comply with crucial regulations like the payment card industry data security standard (PCI DSS), as it provides a framework for securing payment card data and preventing breaches.
Beware of QR Code Scam
A QR code scam is a fraudulent scheme in which cybercriminals use QR codes to deceive individuals into taking actions that compromise their security or privacy. These scams are becoming more common as QR codes are widely used for various purposes, including making payments, accessing websites and sharing contact information.
According to a media report, a professor from the Indian Institute of Science (IISc) lost Rs63,000 while trying to sell his washing machine. The buyer said that he would send a QR code and the money would be credited to the professor's account once it was scanned. After scanning the code, the professor found that money was siphoned off from his account in multiple instalments.
According to Palo Alto Networks, QR code scams are increasing in India.
"With QR codes now deeply integrated into our daily lives, related scams have surged in prominence. Cybercriminals exploit this by surreptitiously replacing QR codes in establishments such as bars, restaurants, lounges, shops, and clubs. This can result in unauthorised UPI payments and potential financial harm," says Vicky Ray, principal researcher -- Unit 42 at Palo Alto Networks.
When individuals scan any altered QR code, it can automatically redirect them to a phishing URL, where cybercriminals can get access to user credentials as well as social media accounts, among other things. Altered QR codes are used by fraudsters to send users to malicious websites or download fake apps, steal money or information or for phishing attacks.
Palo Alto Networks also mentions the use of 'evil twin' or hotspot honey-spots in the threats, tactics, and procedures (TTP) modules used by cybercriminals in ransomware and extortion. "In this scenario, threat actors establish an insecure Wi-Fi network, enticing users with free internet access upon scanning their QR code. Once connected, hackers intercept and eavesdrop on the data transmitted, pilfering personal or confidential business information, online banking credentials, and credit card details."
In these circumstances, it is essential to stay cautious while using QR codes for accessing any website, sharing information or for any online transaction.
Here are a few more tips to avoid becoming a victim of a QR code scam...
- Verify the sender's identity and the legitimacy of the request before taking any action.
- To stay safe from QR code scams, it is essential to exercise caution, use common sense and be vigilant when scanning QR codes.
- If you are unsure about the legitimacy of a QR code, it is best to avoid scanning it or to verify its source before taking any action.
- Additionally, keeping your devices and software up to date with security patches and using reputable security software can help protect you from various scams and threats.
Stay Alert, Stay Safe!
The risks involved in scanning unknown, or even known, QR codes is still not fully understood - restaurant menus, for example.
Are we then reverting to cash for small transactions? Well, unless you are really tech savvy, and even then, it may be a good idea to carry cash instead of scanning anything and everything.