Payment gateways, such as CCAvenue, and PayUbiz, facilitate payments on thousands of online portals. And customers implicitly trust them to secure their transactions. But, as reported by a security researcher, a flaw in the logical design of a previous version of Popular payment gateway put its customers at risk. This was because the payment gateway did not distinguish between transactions initiated within the same time frame.

Payment gateways serve as a channel of communication, between merchants and banks, to conduct secure transactions. The gateway encrypts the transaction information, which includes the credit/debit card number, CVV, expiry date, etc. And passes on the information to the payment processor, which acts as the link between the user bank and merchant bank. The gateway confirms the payment, unless the information is incorrect. Then, the processor settles the payment with the merchant’s bank.

One Time Passwords for gateways

In order to secure transactions, 3-dimensional payment gateways add time-based One Time Passwords (OTPs) as an additional layer of authentication. The payment gateway only accepts time-based OTPs submitted within the permitted time frame. After which the OTP is not valid. Even though this additional layer of authentication should secure transactions, a vulnerable gateway, could reduce its efficacy. A payment gateway that is not able to distinguish between transactions, could permit unauthorized transactions.

Flaw in the design of Popular Payment Gateway

• Popular Payment Gateway fails to distinguish between transactions processed during a single 180 second time frame.
• So, the OTP generated for a transaction is valid for other transactions, in the same time period. Irrespective of the amount or geo-location.
• This vulnerability increases the possibilities of a man-in-the-middle attack (MITM) by which the attacker forges the request. 
• And if the OTP remains unused for the first few seconds or minutes, it allows attackers to conduct fraudulent transactions within the validity period of the OTP.

Explaining the flaw through a scenario

• A user initiates a legitimate transaction for Re.1.
• They receive an OTP, on their registered mobile number, which is valid for 180 seconds.
• Before the user applies the OTP for that transaction, an attacker intercepts the OTP and uses it to process a transaction for Rs.1000. Irrespective of the attacker’s location, and transaction amount, the fraudulent transaction is considered legitimate. And the attacker successfully receives the amount.

  

Verification of the Popular Payment Gateway flaw

CloudSEK’s research team tested Popular with various banking systems to confirm the flaw. We found that the same OTP is valid for 180 seconds or more, for any transaction, provided the OTP has not been used already. The screenshots below prove the same:

Conclusion

With the increasing number of online transactions, flaws such as Popular Payment Gateway’s make users vulnerable to threat actors. Apart from financial losses, it could impact the reputation of the payment gateway, and the online portals using it.

Note: Popular Payment Gateway became aware of this flaw on the 3rd of August, 2019. The security team at Popular Payment Gateway closed the issue and marked it as a known functionality on August 12, 2019. And publicly disclosed the flaw on August 25, 2019. Popular Payment Gateway recommends that portals using its payment gateway should fix the vulnerability, to avoid security incidents.