A new study out this week by researchers at Indiana University casts serious doubt on the security of the checkout mechanisms used by many leading online payment services and e-commerce sites, raising concerns that the industry could face a real fraud threat in the near future as a result.
The report, “How to Shop for Free Online: Security Analysis of Cashier-as-a-Service Based Web Stores,” was authored by Indiana University doctoral student Rui Wang together with associate professor XiaoFeng Wang and researchers at Microsoft Research. It names several well-known shopping sites and payment services, including Google Checkout, Amazon, PayPal and Buy.com, as having flaws that could be exploited for fraud.
The research focused on cashier-as-a-service (CaaS) checkout, the widely used arrangement in which a store hands the payment step off to a third-party cashier. The team found that the flaws are largely integration problems between the payment service’s API and the store’s own checkout logic, not weaknesses in a single system taken on its own.
Those integration issues let an attacker manipulate a checkout in several ways: getting a store to accept a payment that actually went to an illegitimate party, changing the amount paid for an order, or receiving the order without paying at all.
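The three outcomes above all come down to what the store’s checkout-return handler actually verifies. What follows is an added example, not code from the paper or from any of the services it names: a hypothetical cashier that signs each payment notification with an HMAC key, and two versions of a merchant callback that consumes it, one that trusts the signature alone and one that also checks payee, order, amount and transaction id. The field names, account ids, key and order book are all constructed for the example.

```python
import hmac
import hashlib

# Added example; not the paper's code or any real cashier's API.
# Assumed setup: the cashier signs every notification with CASHIER_KEY, and the
# merchant validates the notification when its checkout-return URL is hit.
CASHIER_KEY = b"demo-cashier-key"          # assumed: cashier's notification signing key
MERCHANT_ACCOUNT = "shop@example.test"     # assumed: this store's payee id at the cashier

# Constructed order book for the store: order id -> (amount, currency)
ORDERS = {
    "ORD-1001": ("199.00", "USD"),   # the item the attacker wants
    "ORD-1002": ("15.00", "USD"),    # a cheap item the attacker actually pays for
}

SIGNED_FIELDS = ("txn_id", "payee", "order_id", "amount", "currency", "status")


def cashier_sign(n: dict) -> str:
    """Cashier side: HMAC over the canonical field list of a notification."""
    msg = "&".join(f"{k}={n[k]}" for k in SIGNED_FIELDS).encode()
    return hmac.new(CASHIER_KEY, msg, hashlib.sha256).hexdigest()


def cashier_pay(payee, order_id, amount, currency="USD", txn_id="TXN-1"):
    """Cashier side: a buyer paid `amount` to `payee`; emit a signed notification.
    The cashier attests what it processed; it cannot know whether `payee` is the
    store the buyer was shopping at or whether `amount` matches that store's order."""
    n = dict(txn_id=txn_id, payee=payee, order_id=order_id, amount=amount,
             currency=currency, status="completed")
    n["sig"] = cashier_sign(n)
    return n


def signature_ok(n: dict) -> bool:
    return hmac.compare_digest(cashier_sign(n), n.get("sig", ""))


def vulnerable_confirm(n: dict, order_id_from_url: str) -> bool:
    """Merchant callback that trusts the cashier's signature and its own URL parameter.
    Integration mistakes: it never checks who was paid or how much, and it takes the
    order to fulfil from an unsigned parameter instead of the signed notification."""
    if not signature_ok(n) or n["status"] != "completed":
        return False
    return order_id_from_url in ORDERS       # mark it paid and ship it


def hardened_confirm(n: dict, order_id_from_url: str, seen_txns: set) -> bool:
    """Same callback with the checks the cashier's attestation does not make for us."""
    if not signature_ok(n) or n["status"] != "completed":
        return False
    if n["payee"] != MERCHANT_ACCOUNT:               # the money must have gone to *this* store
        return False
    order_id = n["order_id"]                          # bind to the signed order id, not the URL
    if order_id != order_id_from_url or order_id not in ORDERS:
        return False
    if (n["amount"], n["currency"]) != ORDERS[order_id]:   # exact expected amount and currency
        return False
    if n["txn_id"] in seen_txns:                      # one transaction funds one order, once
        return False
    seen_txns.add(n["txn_id"])
    return True


def run_attacks() -> dict:
    """Constructed scenarios; each value is (vulnerable accepted?, hardened accepted?)."""
    results, seen = {}, set()
    # Honest buyer: pays full price to the store for the order they were shown.
    n = cashier_pay(MERCHANT_ACCOUNT, "ORD-1001", "199.00", txn_id="TXN-L")
    results["legit"] = (vulnerable_confirm(n, "ORD-1001"), hardened_confirm(n, "ORD-1001", seen))
    # Replay: the same signed notification is submitted again for the same order.
    results["replay"] = (vulnerable_confirm(n, "ORD-1001"), hardened_confirm(n, "ORD-1001", seen))
    # Order swap: pay $15 for the cheap order, then hit the callback naming the $199 order.
    n = cashier_pay(MERCHANT_ACCOUNT, "ORD-1002", "15.00", txn_id="TXN-A")
    results["order_swap"] = (vulnerable_confirm(n, "ORD-1001"), hardened_confirm(n, "ORD-1001", set()))
    # Payee swap: pay full price, but into a cashier account the attacker controls.
    n = cashier_pay("attacker@example.test", "ORD-1001", "199.00", txn_id="TXN-B")
    results["payee_swap"] = (vulnerable_confirm(n, "ORD-1001"), hardened_confirm(n, "ORD-1001", set()))
    return results


if __name__ == "__main__":
    for name, (weak, strong) in run_attacks().items():
        print(f"{name:12s} vulnerable={weak!s:5s} hardened={strong}")
```

The point the example makes is that the signature only proves the cashier produced the notification; it says nothing about whether the notification belongs to this store, this order or this price. Each of the three checks the hardened handler adds corresponds to one of the attack outcomes described above, and a real integration also has to confirm with the cashier that the transaction is genuine rather than relying on a shared secret alone.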
“Our analysis revealed the logic complexity in CaaS-based checkout mechanisms, and the effort required to verify their security properly when developing and testing these systems,” Rui Wang said. “We believe this study takes the first step in the new security problem space that hybrid web applications bring.”
The team concludes that the study’s findings could be just the beginning of a much broader problem with online payment systems. Since the group studied only what it calls the simplest “trilateral interactions” among buyer, merchant and cashier, it also concludes that more research is needed into the more complex payment arrangements in use.
One thing the team does know? Better cooperation between payment providers and e-commerce companies is necessary to reverse course:
“Payment service providers have a responsibility to make it clear how to safely use the service they provide, and merchants need to do their due diligence to operate these services properly,” Wang said.
Leave us your thoughts and comments and have a wonderful weekend!