Juspay Data Breach: How Safe Are Transactions Online?
Published on: Friday 05-02-2021
The company that processes payments for Amazon and Swiggy has reported a data leak of over 100 million debit and credit cardholders.

How safe are transactions online? Well, it is anybody’s guess. Google returns about 19,90,00,000 results for the question and helpfully notes that it did so in 0.50 seconds. Many of those results argue that online transactions are getting safer thanks to multiple layers of security, and many offer tips, anywhere from five to ten, for keeping transactions safe. But when a breach does occur, as it did recently at Juspay, it often stays out of the public domain for months.
In a serious case of data breach, information on over 100 million debit and credit card users was leaked from payments processor Juspay and surfaced on the dark web. Juspay processes payments for companies such as Amazon, Swiggy and MakeMyTrip, among others. The leaked data took the form of a data dump taken from a compromised Juspay server. Juspay confirmed the leak in an official blog post outlining the details of the breach. “It pains us to inform you that a data breach did happen on 18th August 2020. Non-sensitive masked card information, mobile numbers and email ids of a subset of our users were compromised,” the company said.
What is worse, though the company maintains that it discovered the breach the day it happened and informed its merchant partners the same day, the information was not made public. That happened only when Rajshekhar Rajaharia, entrepreneur and internet security researcher, discovered the breach in early January 2021 and found the data dump on sale on the dark web. The leaked information includes non-sensitive masked card information, mobile numbers and email IDs of a subset of users; the company says it does not include full card numbers, order information, card PINs or passwords. The data on the dark web includes the issuing bank, the card expiry date, the last four digits of the card, the masked card number, the card type and the user’s name, among other details. According to Rajaharia, there could be a major risk to users if the algorithm used to hash the card numbers is leaked or if the hackers figure it out on their own.
A hash is a fixed-length string computed from a piece of data by a one-way function: the same input always produces the same hash, but the hash cannot be reversed directly. In this case, Juspay hashed the 16-digit debit and credit card numbers in order to process transactions. The catch is that a card number has very little entropy. If the hackers can figure out the algorithm used to generate these hashes, they do not need to reverse anything; they can simply hash every candidate card number and compare, and the leaked fields (issuing bank, card type, last four digits and the masked number) leave only a handful of digits to guess. Juspay masked only six of the sixteen digits. Rajaharia says that while this is good, the safety of users rests primarily on the hashing algorithm. In practice the deciding question is whether the hash was keyed: an unkeyed hash of a low-entropy value is only as secret as the algorithm, whereas a keyed hash (an HMAC with a server-side secret, or a tokenization vault) cannot be recomputed without the key.
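To make the brute-force risk concrete, here is an added example; it is not Juspay’s code, and the page does not say which hashing scheme Juspay used, so the plain SHA-256, the HMAC key and the assumption that a masked number reveals the first six and last four digits are all illustrative assumptions. It takes a constructed test card number, hashes it two ways, and shows that an unkeyed hash is recovered by enumerating the six masked digits, while a keyed hash (HMAC-SHA256) is not recoverable without the key. It also shows why the Luhn check digit cuts the search from 10^6 candidates to 10^5.

```python
import hashlib
import hmac
from typing import Callable, Iterator, Optional

# Luhn contribution of a doubled digit 0..9 (2*d, minus 9 when that exceeds 9).
DOUBLED = [0, 2, 4, 6, 8, 1, 3, 5, 7, 9]


def luhn_sum(pan: str) -> int:
    """Luhn weighted digit sum mod 10; a card number is valid when this is 0."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        total += DOUBLED[d] if i % 2 == 1 else d
    return total % 10


def luhn_valid(pan: str) -> bool:
    return pan.isdigit() and luhn_sum(pan) == 0


def solve_luhn_digit(pan_with_zero: str, pos: int) -> str:
    """Return pan_with_zero with the digit at `pos` replaced so that Luhn passes.
    The caller puts a '0' placeholder at `pos`; a 0 contributes nothing either way."""
    need = (-luhn_sum(pan_with_zero)) % 10
    doubled = (len(pan_with_zero) - 1 - pos) % 2 == 1
    d = DOUBLED.index(need) if doubled else need
    return pan_with_zero[:pos] + str(d) + pan_with_zero[pos + 1:]


def candidates(first6: str, last4: str) -> Iterator[str]:
    """Every 16-digit PAN with this BIN and last four that passes Luhn.
    Five of the six masked digits are free (10**5 values); Luhn forces the sixth."""
    for free in range(10 ** 5):
        yield solve_luhn_digit(f"{first6}{free:05d}0{last4}", 11)


def plain_hash(pan: str) -> str:
    """Unkeyed SHA-256 of the PAN (assumed scheme): anyone who knows the
    algorithm can recompute it."""
    return hashlib.sha256(pan.encode()).hexdigest()


def keyed_hash(pan: str, key: bytes) -> str:
    """HMAC-SHA256: recomputing needs the secret key, not just the algorithm."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def recover_pan(target: str, first6: str, last4: str,
                hasher: Callable[[str], str]) -> Optional[str]:
    """Offline brute force: at most 10**5 hash evaluations per leaked record."""
    for pan in candidates(first6, last4):
        if hasher(pan) == target:
            return pan
    return None


if __name__ == "__main__":
    pan = "4111111111111111"            # constructed test number, not a real card
    first6, last4 = pan[:6], pan[-4:]   # what a masked PAN (411111******1111) reveals

    # 1. Unkeyed hash: leaked hash + masked digits give back the full PAN.
    print("plain SHA-256 recovered:",
          recover_pan(plain_hash(pan), first6, last4, plain_hash))

    # 2. Keyed hash: the attacker knows HMAC-SHA256 is used but must guess the key.
    server_key = b"assumed-secret-held-in-kms"   # assumption: never stored with the data
    leaked = keyed_hash(pan, server_key)
    guess = lambda p: keyed_hash(p, b"wrong-guess")
    print("HMAC recovered without key:",
          recover_pan(leaked, first6, last4, guess))
```

The first search finishes in well under a second on a laptop, which is the whole point: once the masked digits and the algorithm are known, a plain hash of a card number is a lookup, not a secret. The second search fails even though the attacker knows the algorithm, because the key is the only unknown with real entropy; the defence is therefore to keep that key out of the database that holds the hashes (an HSM or KMS, per the assumption in the code), or to tokenize card numbers instead of hashing them.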
What is the issue?
According to Shekhar Pawar, Founder & Executive Director, GrassDew IT Solutions Private Limited, the seller was asking for $8,000 in bitcoin for the entire data dump, which he claimed contained around 100 million card records and about 45 million transaction records. Juspay has said that since it does not store CVVs and PINs, this critical information is not compromised. According to those in the payment industry, masked card numbers are useless on their own unless someone has access to the algorithm and key used to protect the data, but fraudsters can still put the pieces together and mount a phishing attack.
What is the solution?
Card payments in India are subject to two-factor authentication (they require either a one-time password or a PIN), but international transactions do not have such requirements. The RBI has already asked banks to give customers the option to switch off their cards for international transactions through multiple channels (apps, online or text messages).

Shekhar Pawar offers a few tips to secure web servers:
1. Unused servers should be decommissioned immediately, after properly executing data destruction procedures.
2. All OS and software used should be the latest versions and kept updated.
3. Update and patch web servers regularly.
4. Do not use the default configuration.
5. Store configuration files securely.
6. Scan the applications running on the web server for vulnerabilities.
7. Use IDS and firewalls with updated signatures.
8. Block all unnecessary protocols and services. Use secure protocols.
9. Disable default accounts and follow a strict access control policy.
10. Install anti-virus software and update it regularly. Scan the servers regularly.