Your Tech Story

Privacy


Tension grows as the data of over 100 million credit and debit cardholders is leaked on the dark web

Tension is growing among the public after a security researcher discovered that the personal data of millions of cardholders has been compromised. According to this recent discovery, personal information such as full names, email addresses, phone numbers, and the first four and last four digits of cards has been exposed on the dark web. Because of this leak, the bank accounts and other sensitive data of 100 million debit and credit cardholders are at risk.

The leak of sensitive information onto the dark web appears to have originated from Juspay's platform. Juspay is a digital payment service that processes transactions for many Indian and global multinational companies, such as Swiggy and Amazon. As India grows accustomed to digital payments, there is huge potential for phishing attacks if proper security is not established.

Nature of data leaked

It was cybersecurity researcher Rajshekhar Rajaharia who discovered the data leak on the dark web last week. He informed Gadgets 360 that the data had been put up for sale on the dark web by a hacker. According to the files shared with Gadgets 360, the leaked cardholder data spans March 2017 to August 2020. The data that surfaced on the dark web included the personal details of Indian cardholders; everything from customer IDs to card expiry dates was fully visible on the site.

Apparently, transaction details have not been leaked on the dark web. However, the leaked information is enough to enable phishing attacks once the personal details in the dump are combined. Rajaharia also reported that the hacker, having put the data up for sale, was negotiating with buyers on Telegram and demanding payment in Bitcoin.

Research on the data leak

Further research by Rajaharia found that the hacker was selling the information on the dark web under Juspay's name. When contacted, the company confirmed that there had been a data leak in August but did not provide further details. Rajaharia continued his investigation and verified the direct link between the leaked data and Juspay: he obtained some sample files from the hacker's dump and compared them with a Juspay API document file. He said, "both were exactly the same."


Juspay’s founder acknowledges the data leak

Vimal Kumar, the founder of Juspay, informed Gadgets 360 that the company detected an unauthorized access attempt on 18 August of this year and that it was terminated while in progress. Kumar, in an email, claimed that no personal data such as card numbers, financial credentials, or transaction data was compromised. But he also conceded that "Data records containing non-anonymized email, phone numbers and masked cards used for display purposes (contains first four and last four digits of the card, which is not considered sensitive), were compromised."

Kumar said that the leaked masked card data, which is non-sensitive data used for display, comprised two crore (20 million) records, and that the card vault sits on a separate PCI-compliant system that was never accessed. In response, Rajaharia said that the masked card numbers could be reversed if a hacker worked out the algorithm used for the card fingerprints. Kumar defended his statement, saying that Juspay applies hundreds of rounds of hashing with multiple algorithms, which, he said, cannot be reverse engineered even with substantial computing resources.

To prevent a repeat of such attacks, Juspay has identified the security gaps in the company and made two-factor authentication (2FA) compulsory for all tools accessed by team members. However, the capabilities of today's hackers are hard to predict after the recent data breach of American government systems that shook the internet.

Not even cybersecurity

Rajaharia is convinced that Juspay's security is still not strong enough. He said that a configuration issue still exists on the company's site that redirects its users to malicious websites. A company as big as Juspay, which serves around 50 million daily users and major clients such as Swiggy, Airtel, Flipkart and Uber, should be more vigilant. The company holds the highest level of compliance granted by the PCI Security Standards Council to such payment merchants, so it is its responsibility to ensure the safety of its users.


Privacy activist Max Schrems hits Apple with new complaints of consent breach

Yesterday, Noyb, a privacy activist group founded and led by Max Schrems, filed a complaint against the US tech giant Apple. The complaint was filed with the German and Spanish data protection authorities and concerns Apple's tracking tool. According to Max Schrems, Apple's online tracking tool saves user data on iPhones without users' consent. This is strictly against European law, and it is the first time Apple has been accused of such a major violation of its privacy rules.

In response to this allegation, Apple has made it clear that it is very strict about privacy protection and that it will tighten the rules further with the launch of iOS 14. Unfortunately, Apple's plan to launch the new OS has been pushed to early next year.

Why was the complaint filed against Apple?

Noyb brought the complaint against Apple over the company's online tracking tool, which automatically generates a tracking code when the phone is set up. This code is called the Identifier for Advertisers (IDFA). It is used by Apple and third-party applications to track users' online behavior and consumption preferences. Tracking this data makes it easier to serve users targeted advertisements that might interest them.


According to Noyb lawyer Stefano Rossetti, these codes are placed on iPhones without user consent, which is a clear breach of European Union privacy law. Rossetti referred to the EU's e-Privacy Directive, under which a user's prior consent is required for the installation and use of such information. He also said that the complaint was not filed to make Apple pay higher fines but to establish a clear principle: tracking must be the exception, not the rule. He demanded that the IDFA be deleted rather than merely restricted. Apple's planned new rules will not change this, as they restrict third-party apps from accessing such data but not Apple itself.

German and Spanish market

Kantar Group revealed in early 2019 that 24.3% of smartphone users across five major European markets use Apple's iPhone. According to Counterpoint Research, one in four smartphones currently sold in Europe is an iPhone, which is very impressive growth. An accusation as big as this will most probably affect Apple's European market. According to Noyb, the claims on behalf of German and Spanish consumers were handed to the Spanish data protection authority. The authority's counterpart in Berlin has also said it received the complaint against Apple, according to the group led by the Austrian Schrems. This privacy advocacy group has already won two cases against Facebook. Spain's privacy protection authority declined to comment.

Apple hits back

In response to Noyb's claims, Apple said they were factually inaccurate and that the company looks forward to making this clear to privacy regulators should they examine the complaint. Specifically on the IDFA, Apple said that it "does not access or use the IDFA on a user's device for any purpose". Apple said it is always focused on making users' privacy more protected and secure, and that iOS 14 gives users control over whether apps may share their data with third parties for targeted advertising. Apple also said that its practices comply with European law, and that the US tech giant supports and advances the aims of the GDPR and the e-Privacy Directive, which ensure users have full power and control over their data.

More about Max Schrems

Max Schrems is a well-known Austrian activist who also founded NOYB (European Center for Digital Rights). He studied law at Santa Clara University. He is best known for his campaigns against Facebook over its privacy violations: he accused Facebook of violating European privacy law and of allegedly sending personal data to the US National Security Agency (NSA). In 2018, he also filed suit against both Google and Facebook for coercing their users into accepting their data policies. His efforts have not been limited to these two companies but extend to other major tech giants around the world.