The nightmare of the Juspay data breach is far from over for the company and its customers. There’s a huge cache of critical customer data up for sale on the dark web, and although some of the data might be encrypted, cybersecurity researchers believe it’s just a matter of time before hackers crack the code.
Earlier this month Juspay revealed that it discovered the breach on 18 August, when an automatic system alert was triggered due to a sudden increase in the usage of system resources on a server that formed part of its payment system. Following the discovery, Juspay said it terminated the affected server and sealed the entry point for the intrusion.
In the wake of the incident, Juspay carried out a full-scale system audit and informed its merchants of the cyberattack the same day. The investigation revealed that hackers were able to gain unauthorized access by exploiting an unrecycled Amazon Web Services (AWS) access key. According to Juspay, close to 35 million customer accounts with masked card data and card fingerprints were breached.
However, Rajshekhar Rajaharia, an independent cybersecurity researcher and former crime analyst for the Indian government who first highlighted the data leak, said the number could be higher: “When the seller on the dark web sent a sample of the dataset, it comprised the entire MySQL data dump, which consists of 10 crore (100 million) customer accounts.”
The seller, going by the name “Data” in dark-web circles, put the stolen data on Øbin.net, a Pastebin-like site that encrypts the documents it hosts, allowing users to share the encryption key and download link with others. The seller also used the Telegram messaging app to carry out negotiations and bargains. Telegram is popular with hackers as it enables them to set self-destruct timers on messages and media.
“The hacker started at $8000 (roughly ₹590,000) as the asking price for the data, then stepped down to $6000. He ultimately settled for $5000 for the Juspay data dump,” said Rajaharia.
In addition to the stolen data from Juspay, Rajaharia said the same hacker put up customer information purportedly from three more Indian startups: 8 million stolen customer records from ClickIndia, a classified ad posting site; 1 million customer accounts for sale from ChqBook, a net banking firm for small businesses, and 1.3 million customer accounts from WedMeGood, a matrimonial site.
“I’ve been able to verify that the stolen data from ClickIndia and WedMeGood is genuine,” Rajaharia said.
Why the Juspay data breach will continue to be a concern — even years later
Juspay said it protects customer accounts in accordance with the Payment Card Industry Data Security Standard (PCI-DSS). The payments company said it uses masked card data and card fingerprints.
The trouble is, card-fingerprinting is not foolproof. Here’s why:
Card fingerprints help payment processing companies detect duplicate cards without having to refer to the card number. The fingerprint is basically a hash value of the 16-digit card number that uniquely identifies the debit or credit card by matching it with the customers’ Permanent Account Number (PAN). Hashing is a process that is far simpler to perform in one direction than the other: calculating the hash of a card number should be easy; finding the card number that corresponds to a given hash value should be hard. Commonly used hashing algorithms include MD5 (Message Digest-5), SHA-2, SHA-256, and CRC32.
The MD5 hash function, for instance, encodes the data into a 128-bit fingerprint. Although MD5 is one of the most commonly used algorithms, it’s infamous for its hash collision vulnerabilities. A hash collision occurs when two different inputs to a hash function (card numbers or documents, say) produce the same hash result.
Hash collisions can be found by brute force, trying all possible inputs, but flaws in some hashing algorithms mean shortcuts can be used to find collisions. It’s still time-consuming, but hackers have done it in the past and can do it again.
A card number with six digits masked means 1 million combinations (10^6) must be tried to find the true card number. That, Rajaharia said, is not hard to crack: “A simple program run on your personal computer can generate 1 million combinations in minutes.”
All the hacker has to do then, he said, is match the computer-generated hash value to the card fingerprint. “Once you’ve matched the hash value to the fingerprint, you get the complete card number.”
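The weakness described above comes from hashing the bare card number: anyone holding the dump can enumerate the six masked digits and hash each candidate. The following Python is an added illustration, not code from the article or from Juspay, that lets a defender audit a fingerprint scheme for exactly this exposure and shows the standard mitigation, a keyed fingerprint (HMAC-SHA-256) whose secret is kept outside the database. The card number is a widely published test number, the mask and the key are constructed for the demo, and the function names are this example's own.

```python
import hashlib
import hmac
import itertools

# Constructed sample: a widely published test card number, not a real customer's card.
SAMPLE_CARD = "4111111111111111"
# Typical masking keeps the first six and last four digits, hiding six ("X").
SAMPLE_MASK = "411111XXXXXX1111"
# Constructed demo key; a real deployment keeps this in an HSM/KMS, never beside the data.
SAMPLE_KEY = b"constructed-demo-key-not-for-production"


def fingerprint_unkeyed(card_number: str) -> str:
    """Unkeyed fingerprint: plain SHA-256 of the card number (the weak design)."""
    return hashlib.sha256(card_number.encode()).hexdigest()


def fingerprint_keyed(card_number: str, key: bytes) -> str:
    """Keyed fingerprint: HMAC-SHA-256 under a secret that is not stored with
    the dump. Duplicate detection still works (same card + same key gives the
    same value), but nobody without the key can test candidate card numbers."""
    return hmac.new(key, card_number.encode(), hashlib.sha256).hexdigest()


def search_space(mask: str) -> int:
    """Number of card numbers consistent with a masked display (10 per hidden digit)."""
    return 10 ** mask.count("X")


def candidates(mask: str):
    """Yield every card number consistent with the mask."""
    positions = [i for i, c in enumerate(mask) if c == "X"]
    chars = list(mask)
    for digits in itertools.product("0123456789", repeat=len(positions)):
        for pos, d in zip(positions, digits):
            chars[pos] = d
        yield "".join(chars)


def recoverable_from_mask(mask: str, fingerprint: str):
    """Audit check from the viewpoint of someone holding only the dump (masked
    number plus fingerprint, no key): enumerate the hidden digits and hash each
    candidate the unkeyed way. Returns the full number if the fingerprint
    resolves, None if no candidate matches."""
    for cand in candidates(mask):
        if hmac.compare_digest(fingerprint_unkeyed(cand), fingerprint):
            return cand
    return None


if __name__ == "__main__":
    print("search space:", search_space(SAMPLE_MASK))
    print("unkeyed:", recoverable_from_mask(SAMPLE_MASK, fingerprint_unkeyed(SAMPLE_CARD)))
    print("keyed:  ", recoverable_from_mask(SAMPLE_MASK, fingerprint_keyed(SAMPLE_CARD, SAMPLE_KEY)))
```

With the unkeyed fingerprint the audit resolves the masked number after at most one million hashes, which is the scenario Rajaharia describes; with the keyed fingerprint the same enumeration finds nothing, because the value cannot even be computed without the key. The key therefore has to live somewhere the database dump cannot reach, such as an HSM or a cloud KMS, and the compare uses a constant-time check so the audit code itself does not leak timing.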
Even the SHA-1 algorithm, once considered uncrackable, was shattered by Google in 2017. Since then, easier and more practical ways around it have been devised by hackers.
Juspay could maintain that the hashing algorithm it uses is confidential information and hackers wouldn’t know it. But all it takes is one careless or disgruntled employee to disclose this information to the bad guys.
“The biggest risk factor is that there’s the whole data dump available on a public domain and that information of customers including names, customer IDs, banking details, and most importantly hashed card numbers can be accessed by hackers,” said Rajaharia. “If the hash values of the cards are cracked, even two years from now, all this data can be leaked on the dark web.”
Koushik Sivaraman, threat research lead at CloudSEK, also warned that older hashes like MD5 and SHA-1 can be hacked: “With decent computing power, hackers could crack MD5 hash types within a week.” However, major payment processing firms — especially those that store customers’ credit card information — use SHA-256, a member of the SHA-2 family of cryptographic hash functions, he said. “Hackers would need immense computing power to crack data encoded in SHA-256. But then, if they somehow get access to the encrypted card numbers, they could probably do it.”
Although SHA-256 is harder to crack, that can also deter companies from using it: “As the data has to be decrypted every time, the access time really scales up. This impacts user functionality,” Sivaraman said.
Although the Reserve Bank of India’s (RBI’s) mandate for payment aggregators and payment gateways instructs companies to implement data security standards and best practices like PCI-DSS, PA-DSS, and the latest encryption standards, it doesn’t specifically mandate SHA-256. And PCI-DSS requirement 4.1 advises against the use of SHA-1, but doesn’t prohibit it.
The road ahead — for Juspay and Indian fintech
Juspay has advised its merchant partners to refresh their API keys and invalidate the old keys. The payment company will also be discontinuing access key-based automation and switching to role-based access controls that use temporary security credentials.
In addition, the company has committed to tighten internal access control protocols, invest in enhanced threat monitoring tools, and engage with threat intelligence experts.
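The remediation above boils down to two checks any AWS tenant can run: find long-lived access keys that are old or idle, and tell long-term keys apart from the temporary credentials that role-based access hands out. The Python below is an added example, not Juspay's tooling. The records follow the field names that IAM's ListAccessKeys and GetAccessKeyLastUsed calls return, but the values are constructed, as is the audit timestamp; the AKIA/ASIA prefix rule is AWS's documented convention for long-term versus STS-issued key IDs.

```python
from datetime import datetime, timezone

# Constructed inventory. Field names follow what IAM's ListAccessKeys and
# GetAccessKeyLastUsed return (UserName, AccessKeyId, Status, CreateDate,
# LastUsedDate); the key IDs, users and dates are made up for this example.
SAMPLE_KEYS = [
    {"UserName": "deploy-bot", "AccessKeyId": "AKIAEXAMPLE0000000001", "Status": "Active",
     "CreateDate": datetime(2019, 3, 1, tzinfo=timezone.utc),
     "LastUsedDate": datetime(2020, 8, 17, tzinfo=timezone.utc)},
    {"UserName": "ci-runner", "AccessKeyId": "AKIAEXAMPLE0000000002", "Status": "Active",
     "CreateDate": datetime(2020, 7, 1, tzinfo=timezone.utc),
     "LastUsedDate": datetime(2020, 8, 18, tzinfo=timezone.utc)},
    {"UserName": "legacy-svc", "AccessKeyId": "AKIAEXAMPLE0000000003", "Status": "Active",
     "CreateDate": datetime(2018, 1, 10, tzinfo=timezone.utc),
     "LastUsedDate": None},
    {"UserName": "deploy-bot", "AccessKeyId": "AKIAEXAMPLE0000000004", "Status": "Inactive",
     "CreateDate": datetime(2017, 5, 5, tzinfo=timezone.utc),
     "LastUsedDate": None},
]

# Constructed audit timestamp used as "now" so the example is reproducible.
AUDIT_TIME = datetime(2020, 8, 18, tzinfo=timezone.utc)


def is_long_term_key(access_key_id: str) -> bool:
    """Long-term IAM user access key IDs start with "AKIA"; temporary
    credentials issued by STS (assumed roles) start with "ASIA"."""
    return access_key_id.startswith("AKIA")


def audit_access_keys(keys, now, max_age_days=90, max_idle_days=30):
    """Return (user, key id, [reasons]) for every active key that should be
    rotated or retired: older than max_age_days, idle for more than
    max_idle_days, or never used at all."""
    findings = []
    for k in keys:
        if k["Status"] != "Active":
            continue  # already invalidated; nothing left to rotate
        reasons = []
        age = (now - k["CreateDate"]).days
        if age > max_age_days:
            reasons.append(f"age {age}d exceeds {max_age_days}d")
        last = k.get("LastUsedDate")
        if last is None:
            reasons.append("never used")
        else:
            idle = (now - last).days
            if idle > max_idle_days:
                reasons.append(f"idle {idle}d exceeds {max_idle_days}d")
        if reasons:
            findings.append((k["UserName"], k["AccessKeyId"], reasons))
    return sorted(findings)


if __name__ == "__main__":
    for user, key_id, reasons in audit_access_keys(SAMPLE_KEYS, AUDIT_TIME):
        kind = "long-term" if is_long_term_key(key_id) else "temporary"
        print(f"{user:12} {key_id} ({kind})  {'; '.join(reasons)}")
```

In a live account the same list would be fed from boto3's `list_access_keys` and `get_access_key_last_used` calls for each user. A key that is years old and still active, like the constructed `legacy-svc` entry, is the kind of credential the article says let the attacker in; once automation runs under a role, every credential it holds starts with `ASIA` and expires on its own, so the audit list shrinks to the human users who still need long-term keys.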
The Juspay data breach incident is a learning opportunity not just for the company itself, but for the digital payments industry as a whole.
Saurabh Sharma, senior security researcher at Kaspersky (APAC), said companies tend to overlook internal vulnerabilities. “This can prove to be very damaging to their reputation and business if exploited by the bad guys,” he said.
Among best practices companies can adopt, Sharma suggested ongoing network and server evaluations, proactively detecting zero-day vulnerabilities and further incentivizing bug bounty programs.
Copyright © 2021 IDG Communications, Inc.