A recent report from eBay sheds some new light on its payments arm, set to go solo later this year.
Google, PayPal, Amazon Payments, e-retailers and e-commerce platforms are cited.
Major e-payment systems, e-retailers and e-commerce platforms—including Google Checkout, PayPal, Amazon Payments, Buy.com, JR.com, nopCommerce and Interspire—have payment system security software flaws that can be exploited to confirm payment to an illegitimate web site or to receive products for free or at reduced prices, according to a report by a team of researchers from Indiana University and Microsoft Corp.
The payment security study, “How to Shop for Free Online: Security Analysis of Cashier-as-a-Service Based Web Stores,” was headed by Indiana University doctoral student Rui Wang and his supervisor, associate professor XiaoFeng Wang. They attribute the security flaws primarily to the way in which online payment systems are integrated with e-commerce technology platforms, asserting that those connections open up ways for criminals to trick the systems into changing the amounts paid for online purchases on e-commerce sites or redirecting payments to other web sites.
The research team, which also includes Shuo Chen and Shaz Qadeer of Microsoft Research, says its findings may be just an early sign of what could potentially be much broader flaws in online payment systems. The team’s research so far has only touched on what it calls “the simplest trilateral interactions” among payment services providers, e-commerce platforms and online retailers. The researchers say further study is needed to explore more complicated applications in multi-retailer e-commerce marketplaces and auction sites—which the team says could be even more error-prone.
"Our analysis revealed the logic complexity in CaaS-based checkout mechanisms, and the effort required to verify their security properly when developing and testing these systems,” Rui Wang says. CaaS stands for cashier-as-a-service, or a payment system hosted on the Internet by a payment services provider. “We believe this study takes the first step in the new security problem space that hybrid web applications bring."
Wang says the research team has notified all companies named in their study and has been working with them to repair security vulnerabilities.
In comments provided to Internet Retailer, PayPal said the report did not find any security flaws in PayPal’s checkout system. “It’s a flaw in the way third parties implement it,” a spokeswoman says, adding that PayPal provides recommendations on how secure the system. “They just need to encrypt their checkout buttons; it’s pretty simple.”
Google declined to comment on the study, but a spokesman says the company provides online merchants with extensive fraud-detection and prevention applications and services. NopCommerce and Interspire did not immediately return calls for comment.
Amazon, No. 1 in the Internet Retailer Top 500 Guide, also did not immediately return a request for comment, but it has already acknowledged and remedied the security void noted in the study, taking such steps as releasing new software code that support instant payment notifications. It also publicly thanked Wang for his work.
“While our investigations have found no evidence of misuse, the change is necessary to ensure proper verification of payment notifications,” Amazon says in a posting on its web site. “Thank you to Rui Wang of the School of Informatics at Indiana University for reporting this issue.”
XiaoFeng Wang, however, says payment service providers should take a more effective and proactive role in ensuring their systems are properly deployed. “We believe that though most of the problems we discovered are indeed caused by the merchant software’s integration of payment services, these payment services also need to shoulder part of the responsibility,” Wang says. “Particularly, they need to provide more guidance on securely integrating their services into merchants’ systems, for example, the information that merchants need to check to ensure the security of the payment process.”
Wang adds that payment services providers should also give merchant software developers tools to analyze their service integration. “The integration can become very complicated,” he says.
Buy.com and JR.com, the only two retailers noted in the study large enough to be in the Internet Retailer Top 500 Guide, did not immediately return calls for comment. Buy is No. 32 in the Guide, JR.com is No. 106.
The researchers say they were able to show how someone could manipulate the e-mail payment notification system within Amazon Payments to make a payment on one e-commerce site result in a payment confirmation to a different site. They say their research showed, for example, that a criminal could set up his own e-commerce site to receive payment for a product purchased from another site using Amazon Payments, while the payment notification went to the unsuspecting legitimate site.
They noted that the security flaw discovered on Buy.com differed from others in the study. The study notes that Buy, a unit of Japan-based Rakuten, offers PayPal Express as a payment service that uses tokens to identify payments, and that it’s possible for criminals to exploit the use of the tokens to make fraudulent payments. “If you go to Buy.com to make a purchase, you get a token to complete the purchase, but it’s possible to reuse that token twice while paying only once,” Wang says.
Wang says the research team’s work shows that payment services providers and online merchants need to work more closely together.
“Payment service providers have a responsibility to make it clear how to safely use the service they provide, and merchants need to do their due diligence to operate these services properly,” he says.