Do you know how Amazon and Swiggy process payments on their platforms, and whether it is really safe?
Many of us don't know that it's Juspay. Juspay is a reliable service provider for online transactions, used by Amazon, Swiggy, Ola and many other enterprises. A data breach case against Juspay surfaced last year, in August 2020. As a result of the breach, around 3.5 crore records containing masked card numbers and personal information were in doubt.
Shockingly, on Monday, Juspay admitted the claim. The claim was confirmed after the expert internet researcher, Mr. Rajshekhar Rajaharia, posted about it on his social media. The expert also shared a sample of the stolen data, which was up for sale on the dark web.
Talking to a renowned daily newspaper, Mr. Rajshekhar Rajaharia stated:
"The database was put for sale by an unknown person who was dealing through Telegram."
As explained by Juspay in its blog:
"An old unrecycled AWS access key was exploited and that enabled the unauthorised access. An automatic system alert was triggered due to a sudden increase in the usage of the system resources on the data store. Our incident response team immediately engaged and was able to trace the intrusion and stop it. The server used in the hack was terminated and the entry point for this intrusion was sealed."
"About 3.5 crore records with masked card data and card fingerprint (which are non-sensitive information) were breached. The masked card data is used for display purposes and cannot be used for completing a transaction."
Talking about the delay in confirmation, Juspay stated:
"We verified that our secure data store, which hosts the confidential card numbers, was not accessed or compromised. Thus, all our customers were secure from any kind of risk. Our priority was to inform the merchants and, as a measure of abundant precaution, they were issued fresh API keys, though it was later verified that even the API keys in use were safe."
Moreover, the hackers were found to be selling the data on the dark web, including the hashed card numbers and other information. Hence, anyone who understands the Juspay algorithm can unlock the card numbers, which is a real threat!
Besides, the payment service provider gave an assurance that the company never saves CVVs or PINs on its server. Consequently, the hackers have only the card numbers, which on their own cannot be used for any mischief.
In addition, in India we have two-factor authentication, such as an OTP and a PIN, to process any online payment. Rest assured that our bank balances are safe, although the hackers still have the personal information.
ISOEH (Indian School of Ethical Hacking) is a reputed cyber security institute in India. We strongly advise people to use the internet wisely. Never save your card details on online platforms.