Introduction
Many QR code payment services are being developed under service names such as “○○ Pay”, and they are supporting the expansion of cashless payments in Japan.

Competing cashless payment services have launched one after another, because a provider can build an economic zone centered on its service and acquire more user information. On the other hand, as a result of rushing into the intensifying QR code payment market at an early stage, some services have had serious quality problems, and users are worried about them.
Therefore, this article introduces examples of quality problems that occurred while a QR code payment service was being developed.
Cases of problems with QR code payment services
To use a QR code payment service, users must charge legal currency to it and link a credit card, so registering personal information, including financial information, is essential. The system provided must therefore be a complete service that leaves no vulnerabilities in service operation or account management.

However, vulnerabilities that pose a major challenge for QR code payment services have been found in some services. The problem is unauthorized use of QR code payment. The seriousness of the situation became clear as multiple users reported fraudulent use on the Internet.
QR code payment services are often linked to credit cards, and this fraudulent use has endangered personal financial information.
Overview and timeline
The fraudulent use of this QR code payment service was discovered shortly after the service was released. Posts from multiple users reporting the same damage began to appear on SNS.
The service provider, having recognized the unauthorized use, first blocked use of the service from overseas. After that, it set up a support center and called users' attention to their IDs and passwords. At the same time, it stopped the function for charging from a credit card to prevent the damage from spreading.
In addition, the provider suspended new registrations to the service and established a countermeasure organization. The damage finally subsided when login to the QR code payment service from the linked app was stopped. In the end, the service was terminated.
The amount charged as of the end of the service was refunded to each user, and the business related to the QR code payment service was completely terminated.
Problems seen in the case
From this case, let’s look at the problems in the system and operation of the QR code payment service.

No two-factor authentication (or two-step verification)
The cause of the abuse was account takeover. As long as the service is connected to the network, there is no way to stop cyber attacks from being attempted against accounts. Therefore, it is necessary to eliminate information security vulnerabilities by implementing two-factor authentication (or two-step verification).
This is because two-factor authentication prevents a break-in to the account even in the worst case, where the user reuses the same ID and password across services (ideally a strong password is set for each), and even when the service is hit by a cyber attack such as a list-type attack.
However, in this case, “two-factor authentication” was not applied as a system. This can be called an omission at the requirements definition stage. In other words, it is a specification bug: the design lacked consideration for common use cases such as password reuse.
A specification that allowed the email address to be changed on the password reset screen
The password reset specification was also vulnerable, because a third party could easily reset the password using their own address.
Being able to set a reset email address on the password reset screen means that anyone who can log in to your account is free to change its password. With such a specification, the existence of a password is meaningless. Properly, the email address used when resetting the password must be set in advance, or a separate settings screen must be provided for it.
This is not something that should need deliberate consideration in requirements definition; it is something that everyone involved in system construction must be aware of as a basic of information security.
Email address setting item only hidden by CSS
The above problem, the item that can change the email address, cannot be solved unless the function behind the item is removed from the password reset screen. Merely using CSS to “hide” it leaves it in a state of “not visible on the screen, but its function remains”.
This can be interpreted as leaving the vulnerability unattended, because hiding is not a solution. After all, the email address used to reset the password can still be specified easily with just one line of CSS.
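The two password reset problems above, shown as an added example that is not code from the service described: a reset handler that honors a destination address in the request (whether or not CSS hides the input) beside one that mails only the address already registered. The account data, function names and addresses are constructed for illustration.

```python
import secrets

# Constructed sample account; the address is a placeholder.
ACCOUNTS = {"alice": {"email": "alice@example.com", "reset_token": None}}
OUTBOX = []  # recipients recorded here instead of sending real mail


def _issue_token(account, recipient):
    account["reset_token"] = secrets.token_urlsafe(32)
    OUTBOX.append(recipient)


def reset_as_described(form):
    """Flawed behaviour from the article: the destination comes from the
    request. Hiding the input with CSS does not change this code path."""
    account = ACCOUNTS.get(form.get("user_id"))
    if account is None:
        return "rejected"
    _issue_token(account, form.get("email") or account["email"])
    return "sent"


def reset_hardened(form):
    """Destination comes only from the stored account record."""
    if set(form) != {"user_id"}:
        return "rejected"  # unexpected parameters are refused, not ignored
    account = ACCOUNTS.get(form["user_id"])
    if account is None:
        return "rejected"
    _issue_token(account, account["email"])
    return "sent"


def demo():
    OUTBOX.clear()
    # Constructed request carrying an address not registered to the account.
    request = {"user_id": "alice", "email": "other@example.net"}
    results = [reset_as_described(request), reset_hardened(request),
               reset_hardened({"user_id": "alice"})]
    return results, list(OUTBOX)


if __name__ == "__main__":
    print(demo())
```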
Functional levels that were insufficient for the QR code payment service in this case

So, what functions were insufficient as information security measures for the QR code payment service in this case?
Authentication level
The QR code payment service is used by presenting a smartphone. The first thing to consider is that smartphones are not necessarily one per person. Depending on the user, several devices may be used for different purposes.
In that situation, the function that should be provided for information security is authentication at the level of two-factor authentication or higher (multi-factor authentication).
Being able to securely access an account from multiple terminals, using SMS or apps that issue one-time passwords, raises the level of information security authentication in payment systems.
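An added example (not code from the service described) of the app-issued one-time password mentioned above: an RFC 6238 TOTP check placed behind the password check, so that a correct but reused ID and password alone does not log in. The account, salt and function names are constructed; the shared secret is the RFC's published test secret.

```python
import hashlib
import hmac
import struct


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1, the scheme common authenticator apps use."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def _pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed account: the password is one the user also uses elsewhere.
SALT = b"constructed-salt"
USERS = {"alice": {"pw": _pw_hash("reused-password", SALT),
                   "totp_secret": b"12345678901234567890"}}  # RFC test secret


def login(user: str, password: str, code, now: int) -> str:
    record = USERS.get(user)
    if record is None or not hmac.compare_digest(
            _pw_hash(password, SALT), record["pw"]):
        return "denied"
    # The password alone is never enough: a code for the current or the
    # previous 30-second step (to tolerate clock drift) must also match.
    for t in (now, max(now - 30, 0)):
        expected = totp(record["totp_secret"], t).encode()
        if code and hmac.compare_digest(expected, str(code).encode()):
            return "ok"
    return "second_factor_required"


if __name__ == "__main__":
    secret = USERS["alice"]["totp_secret"]
    print(login("alice", "reused-password", None, 59))
    print(login("alice", "reused-password", totp(secret, 59), 59))
```

A production system would also refuse a code that has already been accepted once and rate-limit failed attempts.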
Program repair level
Looking at the case, it can be said that the level of program repair for system defects is low. Judging from the CSS on the password reset screen alone, a fix that merely hides the item from the screen is too sloppy.
Alternatively, it may not have been possible to secure the costs, such as the repair period and personnel, needed to provide a separate email address setting function for password resets.
In any case, what was lacking here was a development organization able to carefully repair defects in the payment service. Looking only at the results of the repair, I get the impression that the level of the developers is low.
The need for a sufficient verification period
The quality problem in this case was a basic system defect that could have been identified in advance if a sufficient verification period had been set.
However, it may have been difficult to secure sufficient time even for development, given the rush to release driven by overheated service competition and the impatience of management wanting to release immediately.
At the development stage, some engineers and senior management should have noticed that there was a problem with information security. Even so, forcing an early release caused the greatest damage among the possible risks and even resulted in a service outage.
It is important to ensure a certain verification period for any service. Moreover, for a service that provides payment, it can be said to be the minimum necessary to protect users.
Issues that should be caught in upstream processes such as requirements definition need to be verified even more carefully in order to improve quality.
In conclusion
Payment services such as QR code payment must be provided as systems that eliminate all vulnerabilities. Cashless payments will become established in future society, and QR code payment services are expected to continue to be used as one of the means.
That is why it is necessary not only to identify the functions needed in actual usage scenarios but also to take countermeasures against possible vulnerabilities and to secure a verification period.