Sunday, November 27, 2016

Paytm POS app rolled back on Security Concerns


Paytm, which has been in the news ever since the demonetisation drive in India, had rolled out a POS app. The app has now been rolled back, citing security concerns raised by the concerned parties.

The current app allows payment via QR code: the customer scans the merchant's QR code with the app to make the payment, transferring money instantly to the intended account or wallet. This is a secure way to pay because QR code payments use tokens for the transaction.

What was the problem with the new POS app?



This new feature would require the customer to key in his card number and PIN into the Paytm app on the merchant's device.

As we know, key loggers and other screen-grabbing software can be installed by the merchant on his own device. The unaware customer keys his card details into the merchant's Paytm app without knowing that a key logger is recording them, and the customer's card data is compromised.

Paytm has said repeatedly that it is PCI-DSS (Payment Card Industry Data Security Standard) compliant and conducts several security audits. One of the main requirements for PCI DSS compliance is that the merchant should not hold its customers' card data in its systems. While it may be true that Paytm does not hold customer card data, this new feature would allow the customer to pay by entering his card details just like on any other e-commerce site's payment page. You face the same risks as when entering card details online, with the added risk that the payment is made not on your own device but on the merchant's.


Many would argue that the same type of attack can be performed on a POS terminal by installing malware or malicious code. It is true that such an attack is possible, but it requires deep knowledge of the workings of the PED/POS device and a way to post or transmit the captured data. There are encrypted PED/POS devices, and even they can be infused with malicious code, but the hack (if you would like to call it that) is not universal to all devices. There are many vendors of POS devices on the market, each with a different set of instructions and operations, so hacking such a device actually needs extensive knowledge of the device and the system it is placed in.

But the POS in the Paytm app is vulnerable to key loggers, and performing a keylogging attack does not need an expert. It is fairly easy to install an app from the app store and set the keystrokes entered on the device to be emailed at a set interval.

Paytm has said that it will roll out the app again after obtaining additional certifications.
