Popular payment gateway provider flaw: Transactions with same OTP

Popular payment gateway provider flaw: Transactions with same OTP

February 18, 2020
Green Alert
Last Update posted on
February 3, 2024
Beyond Monitoring: Predictive Digital Risk Protection with CloudSEK

Protect your organization from external threats like data leaks, brand threats, dark web originated threats and more. Schedule a demo today!

Schedule a Demo
Table of Contents
Author(s)
No items found.

Payment gateways, such as CCAvenue, and PayUbiz, facilitate payments on thousands of online portals. And customers implicitly trust them to secure their transactions. But, as reported by a security researcher, a flaw in the logical design of a previous version of Popular payment gateway put its customers at risk. This was because the payment gateway did not distinguish between transactions initiated within the same time frame.

Payment gateways serve as a channel of communication, between merchants and banks, to conduct secure transactions. The gateway encrypts the transaction information, which includes the credit/debit card number, CVV, expiry date, etc. And passes on the information to the payment processor, which acts as the link between the user bank and merchant bank. The gateway confirms the payment, unless the information is incorrect. Then, the processor settles the payment with the merchant’s bank.

Flow of payment gateway transactions
Flow of payment gateway transactions

One Time Passwords for gateways

In order to secure transactions, 3-dimensional payment gateways add time-based One Time Passwords (OTPs) as an additional layer of authentication. The payment gateway only accepts time-based OTPs submitted within the permitted time frame. After which the OTP is not valid. Even though this additional layer of authentication should secure transactions, a vulnerable gateway, could reduce its efficacy. A payment gateway that is not able to distinguish between transactions, could permit unauthorized transactions.

Flaw in the design of Popular Payment Gateway

  • Popular Payment Gateway fails to distinguish between transactions processed during a single 180 second time frame.
  • So, the OTP generated for a transaction is valid for other transactions, in the same time period. Irrespective of the amount or geo-location.
  • This vulnerability increases the possibilities of a man-in-the-middle attack (MITM) by which the attacker forges the request. 
  • And if the OTP remains unused for the first few seconds or minutes, it allows attackers to conduct fraudulent transactions within the validity period of the OTP.

Explaining the flaw through a scenario

  • A user initiates a legitimate transaction for Re.1.
  • They receive an OTP, on their registered mobile number, which is valid for 180 seconds.
  • Before the user applies the OTP for that transaction, an attacker intercepts the OTP and uses it to process a transaction for Rs.1000. Irrespective of the attacker’s location, and transaction amount, the fraudulent transaction is considered legitimate. And the attacker successfully receives the amount.

    Popular payment gateway flaw: Sample scenario that exploits flaw
    Sample scenario that exploits flaw

Verification of the Popular Payment Gateway flaw

CloudSEK’s research team tested Popular with various banking systems to confirm the flaw. We found that the same OTP is valid for 180 seconds or more, for any transaction, provided the OTP has not been used already. The screenshots below prove the same:

Popular payment gateway flaw: Parallel transactions generating the same OTP
Parallel transactions generating the same OTP

Conclusion

With the increasing number of online transactions, flaws such as Popular Payment Gateway’s make users vulnerable to threat actors. Apart from financial losses, it could impact the reputation of the payment gateway, and the online portals using it.

Note: Popular Payment Gateway became aware of this flaw on the 3rd of August, 2019. The security team at Popular Payment Gateway closed the issue and marked it as a known functionality on August 12, 2019. And publicly disclosed the flaw on August 25, 2019. Popular Payment Gateway recommends that portals using its payment gateway should fix the vulnerability, to avoid security incidents.

Author

Predict Cyber threats against your organization

Related Posts

Redirect Chain: Advertisement Services being Abused by Threat Actors to Redirect Users to Malware, Betting, Adult Websites

Threat actors have been abusing advertisement services to serve malware to users and redirect traffic to websites purchasing services from them.

CVE-2023-20887 Leads to RCE in VMware Aria Operations for Networks

CVE 2023-20887 was discovered in the VMware Aria Operations with a CVSS score of 9.8 which leads to VMware Aria.

Ongoing Active Trojanized 3CX Desktop App Potentially Affecting 600K Users Globally

On 29th March, 2023 there were reports of malicious activity originating from a signed 3CX desktop application. CrowdStrike’s Falcon Overwatch has claimed to have observed malicious activities from both Windows and macOS binaries.

Join 10,000+ subscribers

Keep up with the latest news about strains of Malware, Phishing Lures,
Indicators of Compromise, and Data Leaks.

Take action now

Secure your organisation with our Award winning Products

CloudSEK Platform is a no-code platform that powers our products with predictive threat analytic capabilities.

Vulnerability Intelligence

min read

Popular payment gateway provider flaw: Transactions with same OTP

Popular payment gateway provider flaw: Transactions with same OTP

Authors
Co-Authors
No items found.

Payment gateways, such as CCAvenue, and PayUbiz, facilitate payments on thousands of online portals. And customers implicitly trust them to secure their transactions. But, as reported by a security researcher, a flaw in the logical design of a previous version of Popular payment gateway put its customers at risk. This was because the payment gateway did not distinguish between transactions initiated within the same time frame.

Payment gateways serve as a channel of communication, between merchants and banks, to conduct secure transactions. The gateway encrypts the transaction information, which includes the credit/debit card number, CVV, expiry date, etc. And passes on the information to the payment processor, which acts as the link between the user bank and merchant bank. The gateway confirms the payment, unless the information is incorrect. Then, the processor settles the payment with the merchant’s bank.

Flow of payment gateway transactions
Flow of payment gateway transactions

One Time Passwords for gateways

In order to secure transactions, 3-dimensional payment gateways add time-based One Time Passwords (OTPs) as an additional layer of authentication. The payment gateway only accepts time-based OTPs submitted within the permitted time frame. After which the OTP is not valid. Even though this additional layer of authentication should secure transactions, a vulnerable gateway, could reduce its efficacy. A payment gateway that is not able to distinguish between transactions, could permit unauthorized transactions.

Flaw in the design of Popular Payment Gateway

  • Popular Payment Gateway fails to distinguish between transactions processed during a single 180 second time frame.
  • So, the OTP generated for a transaction is valid for other transactions, in the same time period. Irrespective of the amount or geo-location.
  • This vulnerability increases the possibilities of a man-in-the-middle attack (MITM) by which the attacker forges the request. 
  • And if the OTP remains unused for the first few seconds or minutes, it allows attackers to conduct fraudulent transactions within the validity period of the OTP.

Explaining the flaw through a scenario

  • A user initiates a legitimate transaction for Re.1.
  • They receive an OTP, on their registered mobile number, which is valid for 180 seconds.
  • Before the user applies the OTP for that transaction, an attacker intercepts the OTP and uses it to process a transaction for Rs.1000. Irrespective of the attacker’s location, and transaction amount, the fraudulent transaction is considered legitimate. And the attacker successfully receives the amount.

    Popular payment gateway flaw: Sample scenario that exploits flaw
    Sample scenario that exploits flaw

Verification of the Popular Payment Gateway flaw

CloudSEK’s research team tested Popular with various banking systems to confirm the flaw. We found that the same OTP is valid for 180 seconds or more, for any transaction, provided the OTP has not been used already. The screenshots below prove the same:

Popular payment gateway flaw: Parallel transactions generating the same OTP
Parallel transactions generating the same OTP

Conclusion

With the increasing number of online transactions, flaws such as Popular Payment Gateway’s make users vulnerable to threat actors. Apart from financial losses, it could impact the reputation of the payment gateway, and the online portals using it.

Note: Popular Payment Gateway became aware of this flaw on the 3rd of August, 2019. The security team at Popular Payment Gateway closed the issue and marked it as a known functionality on August 12, 2019. And publicly disclosed the flaw on August 25, 2019. Popular Payment Gateway recommends that portals using its payment gateway should fix the vulnerability, to avoid security incidents.