Insecure Singapore Payment Gateway(s) – Part 1

PREAMBLE: The publishing of this article has been intentionally delayed to provide banks with a fair opportunity to rectify vulnerabilities. The article will continue to be updated as soon as we deem information can be disclosed publicly.

We have been monitoring the security of local payment gateways since the publication of the Logjam TLS vulnerability in May 2015. This vulnerability allows a man-in-the-middle attacker to read and modify “secure” data in transit.

In layman’s terms, and specific to the payments industry, this means that card data, including sensitive CVV2 data, can be stolen on the fly. Some browsers may flag a warning indicating that the connection is insecure, but based on our test conducted with merchants using vulnerable gateways, we have been told by merchants to “Just click accept. Site is secure” (sic).

For consumers, this raises the question of whether your personal information is safe in transit. Evidently, this also proves that banks need to take a new, proactive approach to securing their customers’ data.

 

Additional References:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4000

https://weakdh.org/
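A defender's check for the weakness described above, added here as an example and not part of the original article: it parses the Diffie-Hellman parameters out of a TLS ServerKeyExchange handshake message (for instance, one taken from a capture of your own gateway's handshake) and grades the prime size against the weakdh.org guidance. All function names, the grade labels and the sample messages are constructed for illustration.

```python
SERVER_KEY_EXCHANGE = 12  # TLS handshake message type

def parse_server_dh_params(handshake: bytes):
    """Return (p, g, Ys) as integers from a DHE ServerKeyExchange message."""
    if len(handshake) < 4 or handshake[0] != SERVER_KEY_EXCHANGE:
        raise ValueError("not a ServerKeyExchange handshake message")
    body_len = int.from_bytes(handshake[1:4], "big")
    body = handshake[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated handshake body")
    values, off = [], 0
    for name in ("dh_p", "dh_g", "dh_Ys"):  # each: 2-byte length + big-endian integer
        if off + 2 > len(body):
            raise ValueError(f"truncated before {name}")
        n = int.from_bytes(body[off:off + 2], "big")
        off += 2
        if n == 0 or off + n > len(body):
            raise ValueError(f"bad length for {name}")
        values.append(int.from_bytes(body[off:off + n], "big"))
        off += n
    return tuple(values)  # the server's signature follows and is ignored here

def grade_dh_prime(p: int) -> str:
    """Grade the prime size; thresholds follow the weakdh.org guidance."""
    bits = p.bit_length()
    if bits <= 512:
        return "export-grade"       # the size Logjam downgrades a connection to
    if bits < 1024:
        return "weak"
    if bits < 2048:
        return "below-recommended"  # 2048-bit or larger groups are advised
    return "ok"

def check_handshake(handshake: bytes):
    p, _g, _ys = parse_server_dh_params(handshake)
    return p.bit_length(), grade_dh_prime(p)

def constructed_ske(p_bits: int) -> bytes:
    """Constructed sample message: p is not a real prime, only its size matters."""
    body = b""
    for v in ((1 << (p_bits - 1)) | 1, 2, 5):
        raw = v.to_bytes((v.bit_length() + 7) // 8, "big")
        body += len(raw).to_bytes(2, "big") + raw
    body += b"\x00" * 4  # stand-in for the signature bytes
    return bytes([SERVER_KEY_EXCHANGE]) + len(body).to_bytes(3, "big") + body

if __name__ == "__main__":
    for size in (512, 768, 1024, 2048):
        print(size, check_handshake(constructed_ske(size)))
```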

 

Case 1: Nera i2pay

(update: rectified as of 15 September 2015)

 

– Sean Lam and Wooi Siang Lee

15 Sep / 2015
