The Delhi police have arrested four youths on charges of hacking leading shopping sites including Amazon and Flipkart. The police are acting on the complaint of Voucha Gram India, an ecommerce company that runs the website www.gyftr.com. Voucha Gram has complained that the website was hacked, and gift vouchers of leading companies including MakeMyTrip, Amazon, Flipkart, Big Bazaar, Reliance Digital, Myntra, Yatra, and others have been stolen. Ishwar Singh, deputy commissioner of police (DCP), confirmed,
“The total financial loss to the complainant was assessed to be about Rs. 92 lakh.”
The arrested include Sunny Nehra, Prakhar Aggarwal, Azad Choudhary, and Tejveer Sheoran. Singh explained how Nehra went ahead,
“One of his hacker friends informed him that PayU, a leading payment gateway, was suffering from vulnerability and could be tested for data tampering. He started testing it and soon discovered that it was allowing ‘change in parameters on the processing page’, which is data tampering.”
Cyber payments unsafe?
The heist is a blow to both online payment portals like PayU and Paytm, and the government, which has been pushing for a cashless society. Advocate Pavan Duggal, a specialist in cyber laws, confirms this,
“Digital wallets and mobile wallets are extremely unsafe. There are only a couple of Reserve Bank notifications on it. The sector is unregulated; there are no minimum parameters to follow. A majority of the service providers do not focus on cyber security.”
However, companies are quick to defend themselves. Prashant Susarla, technical head at PayU India, clarifies,
“PayU protects transaction data integrity by way of check-summing important transaction data exchanged between merchant, PayU and bank. When merchants send data to PayU, they are expected to send a check-sum of the data in the transaction request. In this case, the merchant did not implement the response check-sum test. In such cases, tampering of response data by malicious users will occur, resulting in the merchant facing the repercussions.”
Due diligence is a default activity that everyone should follow. However, when such untoward incidents take place, they expose the vulnerability of online transactions. The hackers used simple techniques to invade the website. This could happen to anyone. Merchants would do well to employ a good security system on their websites.
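The response check-sum test Susarla describes can be sketched on the merchant side as follows. This is an added example, not PayU's code or API: the shared secret, the field names, the field order and the use of HMAC-SHA256 are assumptions for illustration, and the sample responses are constructed.

```python
import hashlib
import hmac

# Assumed for illustration: a secret shared between merchant and gateway,
# and this field order. A real gateway defines its own fields and hash recipe.
SHARED_SECRET = b"constructed-demo-secret"
SIGNED_FIELDS = ("txn_id", "amount", "status")


def response_checksum(fields: dict, secret: bytes = SHARED_SECRET) -> str:
    """Checksum over the signed response fields, in a fixed order."""
    message = "|".join(str(fields[name]) for name in SIGNED_FIELDS)
    return hmac.new(secret, message.encode(), hashlib.sha256).hexdigest()


def verify_response(response: dict, order: dict, secret: bytes = SHARED_SECRET) -> tuple:
    """Return (accepted, reason) for a payment response posted back via the browser."""
    if any(name not in response for name in SIGNED_FIELDS + ("checksum",)):
        return False, "missing field"
    expected = response_checksum(response, secret)
    # Constant-time comparison of the recomputed and received checksums.
    if not hmac.compare_digest(expected, str(response["checksum"])):
        return False, "checksum mismatch"
    # A valid checksum only proves the gateway produced these values; they
    # must still match the order the merchant stored server-side.
    if response["txn_id"] != order["txn_id"] or response["amount"] != order["amount"]:
        return False, "order mismatch"
    if response["status"] != "success":
        return False, "payment not successful"
    return True, "ok"


def demo() -> list:
    """Run constructed sample responses through the check."""
    order = {"txn_id": "T1001", "amount": "5000.00"}
    failed = {"txn_id": "T1001", "amount": "5000.00", "status": "failure"}
    failed["checksum"] = response_checksum(failed)
    paid = {"txn_id": "T1001", "amount": "5000.00", "status": "success"}
    paid["checksum"] = response_checksum(paid)
    # Same failed response with the status parameter changed in transit.
    tampered = dict(failed, status="success")
    return [verify_response(r, order) for r in (paid, failed, tampered)]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

A merchant that skips this check has no way to tell the third sample from the first, which is the gap described in the PayU statement.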