Online Payments Security: Loopholes That Can Bring You Down

History of banking dates back to 2000 B.C. Archeologists believe that depositing and lending have always been the human way of business and economy during renowned Roman, Chinese, and Indian empires. In fact, if we really think about it, there can actually be no trusted way of keeping earned money safe-to be used when required- other than a trusted group that also provides interest on such deposits.

From that time, quite clearly banks and their ways have evolved tremendously. Computing revolution has been the biggest step forward here. For what was confined to signatures and psychical presence, has now been replaced by plastic money and virtual presence.

A swipe here and merchant receives money from the customer, a tap there and one can purchase almost anything from distant countries. It is in fact amusing what binary digits and human brain have achieved in the last 50 years. Today, governments, businesses, and even consumers all around the world capitalize on the benefits of digital or electronic payments, and prefer it as the better option.

In fact, it has been estimated that digital payments in just our country have touched 1.2 trillion in 2014, with more than 50% coming from major cities like Mumbai, Delhi, Chennai, and Kolkata. In the coming years, digital payment popularity will also resonate in the Tier-2 and Tier-3 cities too. Recently, Nitin Chugh, head of HDFC Digital Banking Department, said that around 55% of their all banking transactions come from digital platforms, which again highlights how top banking institutions are serious about the paradigm shift.

However, is growth everything that we should be concerned about? Why every now and then there is this hint of terror amongst digital payment service providers? Why are there dozens of sites warning against internet security lapses?

How to Secure Exactly?

Have you heard of the Nordea Bank Fraud? According to available data, $1.1 million were stolen from the bank with a malicious program. It was way back in 2010, but since then many such dark activities have come into light financial institutes are repeatedly targeted.

Forget banks, even in day-to-day money transfer activities in the 21st century are prone to vulnerabilities. Think about it, online payment gateways are basically through the internet and with the right knowledge and programs, one can interfere with the process to use credentials, data, or/and money.

However, before actually looking into security and risk management opportunities, organizations need to understand real threats. Strong application security audit programs combining automated and manual intelligence can help reveal threats that can cause damage.

Phishing is probably the most common attack type with over 156 million emails being sent every single day. It is a type of attack where email, chat, or other types of communication directs users to fake platforms where they enter the requested details. According to recent estimations, 16 million emails pass through spam filters and end up in the inbox. What’s more frightening is out of these phishing emails, 8 million are opened every day.

Similarly, Cross-Site Scripting- XSS, and XSRF Cross-Site Request Forgery are also prevalent in digital payment system attacks. XSS uses a web application to bypass access controls and XSRF exploits user sessions to send unauthorized commands. Both of these vulnerabilities can be used against almost every kind of platform, including ASP, ColdFusion, .NET, Java, Perl, and PHP.

Online payment applications face a dozen similar vulnerabilities, which can be exposed using a strong application security audit program.

Risk Management – Online Payment Security as an enabler  

The electronic payment process initiates at the customers’ end and finishes at the merchants’ end using banking applications to authenticate and pay. The medium of payment can be anything from a card to online banking. Anything loose between these ends can potentially lead to exploitation.

For users’ end, things like careful two-factor authentication, strong passwords, antivirus, and secure computers are the usual tips. Of course, security is an ongoing process where banks and e-commerce websites play a critical role in customer awareness.

On Organization’s end, it needs to opt for multiple layer security, to get total application security. The use of a web application scanner, can scan all your apps and inform you about possible vulnerabilities and malware. For a deeper and proactive approach, manual penetration testing needs to be done. Once found, these weak points can be fixed and patched.

Web applications are riddled with vulnerabilities and it’s not always a plausible solution to fix them all at once. One needs to prioritize the vulnerabilities that need foremost attention, based on their level of sensitivity, and work towards fixing them. A Web Application Firewall (WAF) can be used for blocking attacks on the others. While a traditional WAF cannot achieve this, a managed WAF is more than capable of protecting your applications against such threats. A WAF not only protects your vulnerable apps but also provides protection against DoS and DDoS attacks. It can differentiate between automated and human requests, and hence protect against BOTs.

It is not just about the technical view of the risk, but from a business point of view too, strong security facilitates advanced services and higher value transactions to be moved to the internet cost-effectively. Hence security is no longer just about mitigating risks but a fundamental foundation to cost-effective business transactions and digital payments.

Indusface strongly recommends ‘TAS – Total Application Security’ for all organizations who are into Digital Transactions. The economy has come to a stage where you can’t ignore Digital Transactions anymore, securing them, is the only way out.