Search This Blog

Showing posts with label Payment Apps. Show all posts

Chinese Loan App Case: ED Freezes Rs 46.67 Crore Worth Funds Of Payment Gateway Apps

 

The Enforcement Directorate has carried out raids against Chinese “controlled” loan apps and investment tokens. The ED froze Rs. 46.67 cr. worth funds kept at the Bengaluru premise of payment gateways accounts of Easybuzz, Razorpay, Cashfree, and Paytm in connection with the HPZ token case over alleged irregularities in the operation of instant app-based loan-giving companies that are controlled by Chinese personals. The funds have been frozen and seized under the Prevention of Money Laundering Act (PMLA).

The investigation was carried out on September 14th at various business and residential premises in Delhi, Ghaziabad, Mumbai, Lucknow, and Gaya over the money laundering case probed against an app-based token named HPZ and related entities. The case is based on an FIR filed in October 2021, registered by the Kohima police’s cybercrime unit in Nagaland.

According to the ED, the HPZ token was an app-based token that lured victims to invest in the company, promising a doubling of their investments and large gains to the customers against investments by investing in mining machines in bitcoins and other cryptocurrencies.

“Payments were received from users through UPIs and other payment gateways/ nodal gateways/ individuals. Part amount was paid back to the investors and remaining amount was diverted to various individuals and company accounts through various payment gateways/ banks from where partly it was siphoned off in digital/virtual currencies. After that, the fraudsters stopped the payments and the website became inaccessible” states the ED.

Allegedly, the companies sourced the personal data of the victims at the time of downloading the loan apps even when their interest rates were “unsurious”. ED thus initiated a probe under the criminal sections of the PMLA after many debtors reportedly ended their lives. The debtors were being harassed and threatened by these loan app companies over the personal data available on their phones. The ED claims, that one such Loan app entity, labeled M/s Mad- Elephant Network Technology Private Limited in an agreement with X10 Financial Services Limited was operating several loan apps, namely Yo-Yo cash, Tufan Rupees, Coco cash, etc.) Similarly, Su Hui Technology Private Limited, in agreement with M/s Nimisha Finance India Private Limited, had operated loan apps.

In a meeting held on September 8, Finance Minister Nirmala Sitaraman reviewed the issues pertaining to the illegal loan apps. The meeting was attended by top officials from the ministry and RBI officials. It is being decided that appropriate measures shall be taken to check the operations of such apps. 

Payment API Flaws Exposed Millions of Users’ Data

 

Researchers discovered API security flaws impacting several apps, potentially exposing the personal and financial information of millions of consumers. 

According to CloudSEK, around 250 of the 13,000 apps published to its BeVigil "security search engine" for mobile applications utilize the Razorpay API to conduct financial transactions. 

Unfortunately, it was discovered that about 5% of these had disclosed their payment integration key ID and key secret. This is not an issue in Razorpay, which caters over eight million businesses, but rather with how app developers are misusing their APIs.

Many of the applications exposing API keys have over a million downloads, including those in health and fitness, eCommerce, travel and hospitality, healthcare, and pharma. The applications are based in India, where CloudSEK is also situated. Here is a list of the applications that are affected:
  • One of India’s leading steel trading companies
  • Online grocery app 
  • Nepalekart (Instant Recharge to Nepal): Now remediated 
  • Top education app in south India 
  • Gold merchant 
  • Health app 
The company explained, “When it comes to payment gateways, an API key is a combination of a key_id and a key_secret that are required to make any API request to the payment service provider. And as part of the integration process, developers accidentally embed the API key in their source code. While developers might be aware of exposing API keys in their mobile apps, they might not be aware of the true impact this has on their entire business ecosystem.” 

“CloudSEK has observed that a wide range of companies — both large and small — that cater to millions of users have mobile apps with API keys that are hardcoded in the app packages. These keys could be easily discovered by malicious hackers or competitors who could use them to compromise user data and networks.” 

The compromised data might include user information such as phone numbers and email addresses, transaction IDs and amounts, and order and refund details. 

Furthermore, since similar apps are typically linked with other programmes and wallets, CloudSEK cautioned that much more could be at risk. 

According to the organization, malicious actors may utilise the leaked API information to execute mass purchases and subsequently start refunds, sell stolen information on the dark web, and/or conduct social engineering operations such as follow-up phishing campaigns. 

All ten of the compromised APIs have now been disabled. Nonetheless, CloudSEK encouraged developers to consider the possible effect of such vulnerabilities early in the development process.  

This is due to the fact that invalidating a payment integration key would prevent an app from functioning, resulting in substantial user friction and financial loss. 

CloudSEK concluded, “Given the complexities of regenerating API keys, payment providers should design APIs such that, even if the key has not been invalidated, there are options to minimize the permissions and access controls of a given key.” 

“App developers should be given a mechanism to limit what can be done using a key at a granular level, like AWS does. AWS has put in place identity and access management (IAM) policies that can be used to configure the permissions of every operation on an S3 bucket. This practice should be more widely adopted to minimize what threat actors can do with exposed API keys.”