It’s Boom Time For ‘White Hat’ Hackers As Indian Payments Go Digital
They are called ethical hackers or white hats. They prowl the world wide web looking for loopholes in IT systems. They are the good guys, looking for the bad guys who may get to your data and exploit it.
Now as the pandemic forces a range of businesses online, particularly financial transactions and payments, it may be a boom time for hackers and ethical hackers alike.
30-year old Rajshekhar Rajaharia is an ethical hacker. He doesn’t like calling himself that though. “Too many people who don’t know what hacking is call themselves ethical hackers these days,” he said. “A security researcher is a better name for someone like me.”
Rajaharia, who has been doing this since 2008, when he was in class 12, is in the limelight for flagging the latest credit card data breach India has seen.
On Jan. 2, he found out that about 10 crore card details were available on the dark web, the part of the internet reachable only through anonymising software such as Tor, where the forums frequented by cybercriminals are hosted. The details were leaked from the servers of Juspay, a company that processes payments for Amazon, Flipkart, Swiggy, MakeMyTrip and Airtel, among other big brands.
Rajaharia went public with the breach a few days before the company acknowledged it. This wasn’t the first time he brought a data breach to light. In 2019, he disclosed that a breach at Just Dial led to details of nearly 10 crore credit card users finding their way onto the internet. And, way back in 2008, when he started out with a small assignment for the Rajasthan police, he helped them track down the internet addresses of local fraudsters.
“On forums hosted on the dark web, you will often find advertisements by hackers about something that they have stolen from a server. Depending on the quality of data and the amount of work involved, the hackers will put a price on the data dump, while also offering a sample to check whether it is genuine,” Rajaharia said while explaining how he and other ethical hackers chance upon a data breach.
The Juspay Breach
When he noticed the breach emerging from Juspay, Rajaharia alerted the company by tagging their official Twitter handle as the company did not have a designated contact person listed on their website.
“I found out that the data stolen from Juspay is going at a rate of about $5,000-6,000 on the dark web,” he said. He proceeded to match mobile numbers with names of users provided in their emails to check whether the data was authentic. “After this cursory check, anyone with knowledge of how security systems work can verify if the sample data is genuine or not. This data available on the dark web is genuine private information of users.”
Juspay admitted to the breach in a Jan. 5 blog on its website. The company acknowledged that, on Aug. 18, 2020, a breach of its data stores was detected, carried out through an old, unrecycled access key. An access key is a credential, such as a cloud API key, that a program presents to prove it is allowed to read data on a server. Good practice is to rotate such keys on a schedule and revoke any that are no longer in use, because a forgotten key that still works is a standing entry point for anyone who obtains it.
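The practical lesson of an "unrecycled" key is that rotation alone is not enough: a key nobody uses any more should be revoked, not merely rotated. The following is an added example, not Juspay's code or any cloud provider's tooling, of an audit over a key inventory that separates the two cases. The record layout, the inventory, the 90-day rotation window and the 30-day idle window are all assumptions made for this illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Hypothetical access-key inventory record. The field names are an assumption
# for this example, not any provider's real schema.
@dataclass(frozen=True)
class AccessKey:
    key_id: str
    owner: str
    created: datetime
    last_used: Optional[datetime]   # None means never used since creation
    active: bool

def audit_keys(keys: List[AccessKey], now: datetime,
               max_age_days: int = 90, max_idle_days: int = 30) -> List[Tuple[str, str]]:
    """Return (key_id, reason) pairs for keys that should be rotated or revoked.

    Policy assumed for this example:
      - an active key that has not been used for max_idle_days, or was never
        used at all, is a forgotten credential: revoke it;
      - an active key in regular use but older than max_age_days is overdue
        for rotation;
      - a disabled key that still exists is reported too, because a disabled
        key can be re-enabled; it should be deleted.
    Idle keys are checked before age, since revocation supersedes rotation.
    """
    findings = []
    for k in keys:
        if not k.active:
            findings.append((k.key_id, "disabled but not deleted"))
            continue
        if k.last_used is None:
            findings.append((k.key_id, "never used; revoke"))
            continue
        idle = now - k.last_used
        age = now - k.created
        if idle > timedelta(days=max_idle_days):
            findings.append((k.key_id, f"idle {idle.days}d; revoke"))
        elif age > timedelta(days=max_age_days):
            findings.append((k.key_id, f"age {age.days}d; rotate"))
    return findings

# Constructed sample inventory (not real data).
NOW = datetime(2021, 1, 5, tzinfo=timezone.utc)
SAMPLE_KEYS = [
    AccessKey("KEY-EX-1", "payments-svc",  NOW - timedelta(days=20),  NOW - timedelta(days=1),   True),
    AccessKey("KEY-EX-2", "payments-svc",  NOW - timedelta(days=400), NOW - timedelta(days=2),   True),
    AccessKey("KEY-EX-3", "old-batch-job", NOW - timedelta(days=500), NOW - timedelta(days=140), True),
    AccessKey("KEY-EX-4", "contractor",    NOW - timedelta(days=10),  None,                      True),
    AccessKey("KEY-EX-5", "ex-employee",   NOW - timedelta(days=800), NOW - timedelta(days=700), False),
]

if __name__ == "__main__":
    for key_id, reason in audit_keys(SAMPLE_KEYS, NOW):
        print(key_id, reason)
```

Run against the constructed inventory, the audit leaves the fresh, in-use key alone, asks for rotation of the old key that is still in daily use, and flags the idle, never-used and disabled-but-present keys for removal. The same logic applies to whatever listing a real provider's API returns, once it is mapped onto these fields.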
Juspay said in its blog that about 3.5 crore records with masked card data and card fingerprints were breached. Masked card data shows only some of the 16 digits of a card number (the PCI DSS permits at most the first six and the last four to be displayed), with the remaining digits replaced; the full number, if it is retained at all, is meant to be held encrypted in a separate vault. The company said that the merchants it works with have been informed about the breach and that it is working toward better security standards.
“We did identify some gaps as we learnt more from our recent experience and have taken several measures involving policy changes and further investment in cyberthreat mitigation tools,” the blog said.
In another statement posted on its website on Thursday, Juspay said that it has hired Verizon Business to conduct an independent Payment Card Industry Forensic Investigation. The company also appointed PricewaterhouseCoopers to undertake a comprehensive audit of policies, protocols, and technologies.
The breach is also being investigated by a team at the Reserve Bank of India, with the help of representatives from industry body Payments Council of India, a person with direct knowledge of the development said. The RBI and PCI have issued notices to all payment companies asking them to review their security systems and strengthen any protection necessary, the person said on the condition of anonymity.
According to this person, the scope of the investigation is to find whether Juspay had followed all security protocols the regulator mandates and whether enough efforts were made to protect customers against any potential fallout.
While the company acknowledged the data breach, it claims this data cannot actually be used for transactions. Rajaharia says this isn’t entirely true. It is possible, he says, for hackers to figure out what is known as the “hash key algorithm” behind the fingerprint data and use it to recover the masked digits. “Once a hacker does that, it’s like you putting your 16-digit card number on the internet for everyone to see,” he said.
According to Juspay, this is an incorrect assessment of card fingerprinting.
“Cardfingerprint is not a hash value derived using the 16-digit card number, as incorrectly discussed in some media articles,” it said in a response to queries sent by BloombergQuint. “It’s a hash value derived using a random number (UUID2) and first four digits of card number. It is called a card fingerprint because it is a reference to the actual fingerprint stored in the secure vault, which is secure/un-breached.”
Translation: the company maintains that while data was compromised it was not enough to allow for misuse of the cards.
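Whether a leaked fingerprint exposes card numbers turns entirely on what went into the hash. The following is an added example, not Juspay's code and not a description of its actual system, that makes the two positions concrete. With a masked 16-digit number, only six digits are hidden, and the Luhn check digit fixes the last of those, so a plain hash of the full number can be matched against at most 100,000 candidates. A fingerprint that never takes the full number as input, which is how the company's statement above reads to us, cannot be inverted to the number at all, and an HMAC under a vault-held key resists the same enumeration for as long as the key stays secret. The card number used is a constructed, Luhn-valid test value, and the `reference_fingerprint` function is our reading of the company's description, not its implementation.

```python
import hashlib
import hmac
import os
from typing import Callable, Optional

def _luhn_sum(digits: str) -> int:
    """Luhn weighted sum: every second digit from the right is doubled."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total

def luhn_ok(pan: str) -> bool:
    return _luhn_sum(pan) % 10 == 0

def mask_pan(pan: str) -> str:
    """Keep first six (issuer BIN) and last four, the most PCI DSS allows to be shown."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def unkeyed_fingerprint(pan: str) -> str:
    """Weak: a plain hash of the card number. Anyone can recompute it for a guess."""
    return hashlib.sha256(pan.encode()).hexdigest()

def keyed_fingerprint(pan: str, key: bytes) -> str:
    """Stronger: HMAC under a secret held in the vault; cannot be recomputed without the key."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()

def reference_fingerprint(first4: str, nonce: bytes) -> str:
    """Our reading of the company's description: a hash over a random value and
    the first four digits. The full number is not an input, so no amount of
    hashing recovers it from this value. Assumption, not Juspay's code."""
    return hashlib.sha256(nonce + first4.encode()).hexdigest()

def recover_pan(masked: str, target: str, digest: Callable[[str], str]) -> Optional[str]:
    """Attacker's enumeration: masked 16-digit number plus a fingerprint.
    Six digits (indices 6..11) are hidden. Index 11 is four from the right,
    so Luhn does not double it; given the other five it has exactly one valid
    value, leaving 100,000 candidates to hash."""
    assert len(masked) == 16
    head, tail = masked[:6], masked[-4:]
    for n in range(100_000):
        mid5 = f"{n:05d}"
        partial = head + mid5 + "0" + tail          # placeholder at index 11
        d11 = (-_luhn_sum(partial)) % 10           # solve the check condition
        candidate = head + mid5 + str(d11) + tail
        if digest(candidate) == target:
            return candidate
    return None

# Constructed, Luhn-valid test number (not a real card).
SAMPLE_PAN = "4532015112830366"

def demo():
    """Returns (recovered_from_unkeyed_hash, recovered_from_keyed_hash)."""
    masked = mask_pan(SAMPLE_PAN)
    weak = recover_pan(masked, unkeyed_fingerprint(SAMPLE_PAN), unkeyed_fingerprint)
    vault_key = os.urandom(32)                       # stays in the vault
    strong = recover_pan(masked, keyed_fingerprint(SAMPLE_PAN, vault_key),
                         lambda c: keyed_fingerprint(c, b"attacker-guess"))
    return weak, strong

if __name__ == "__main__":
    print(mask_pan(SAMPLE_PAN), demo())
```

The enumeration against the unkeyed hash returns the full number in well under a second on a laptop, which is the scenario Rajaharia is describing. The keyed variant returns nothing, but only because the key was not in the leaked data; if the vault that holds it is breached as well, keyed fingerprints become just as enumerable. A fingerprint whose input does not contain the full number, as in `reference_fingerprint`, has no such dependency, which is why the distinction the company draws matters.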
More Digital. More Vulnerable?
The Juspay incident is only the most recent data breach. There have been others before. More will follow. The question being asked is whether the frequency of such breaches is increasing as more and more transactions go digital.
Are white hats or ethical hackers getting busier?
According to Rajaharia, too many payment companies are pushing development through application programming interfaces or APIs, since it allows quick deployment of services. While this approach makes your front end look great, it increases vulnerabilities. “The engineers developing APIs have tough targets to meet. Security or authentication do not figure in the major things they have to worry about. Security is a separate function from developing programmes and requires a different mindset,” he says.
Trishneet Arora, founder and chief executive of the cyber security firm TAC Security, agrees. Companies spend far less on security than they do on other aspects of developing their services.
“The RBI mandates regular audits of cyber security frameworks at banks and payment companies through qualified cyber security professionals,” Arora said. “But the regulator can only create regulations, it cannot get into the business practices of each company. It’s up to the firm to ensure that compliance is thorough.”
In its March 2020 guidelines, specifically addressed to payment aggregators and payment gateways like Juspay, the RBI requires immediate reporting of data breaches to the RBI and to the Indian Computer Emergency Response Team, or CERT-In. The guidelines require these companies to carry out and submit to the regulator quarterly internal and annual external audit reports, as well as bi-annual vulnerability assessment and penetration test reports.
Arora argues that while breaches do happen, the effective loss to the customer is minimal.
By the time the customer finds out that a particular company has faced a breach, the problems are already solved. As such, customers are unlikely to face any issues, Arora said. “Even in the event that their private information is used to make any unauthorised transactions, the liability is taken by the company providing the service so there is no real loss to the customer.”
So why the hullaballoo about data breaches, particularly from ethical hackers like Rajaharia? It’s a way to get publicity, Arora said.
“It is true. We do it for the publicity because it helps us put our name out there and hopefully someone will hire us for security work. But the fact is that we are also informing customers about data breaches when companies don’t,” Rajaharia says, countering Arora’s view. “All customers deserve to know that their private information is on some server they don’t know about.”
According to Rajaharia, companies either completely deny any breach or remain unavailable. Complaints sent to regulators and cyber security bodies such as CERT-IN also do not reveal to the public whether any action was taken or the breach was resolved. “In such situations, we can only go to the public and hopefully build some pressure,” he says.
Payment companies regularly receive warnings from independent security advisers and ethical hackers, according to Sandeep Srinivasa, founder, RedCarpet.
“The point we have to remember is that anything can be hacked. The best way to deal with this problem in payments is to move toward tokenisation, which would reduce the areas which can be hacked out there,” Srinivasa said.
Besides, all large payment firms make sure that they hire consultants who are capable of providing PCI-DSS or Payment Card Industry Data Security Standard certification, which is a very high barrier. “So if a large security firm has certified my framework, why should I listen to someone sending me an email?”