Merchants who rely on the Mastercard Internet Gateway Service (MIGS) should carefully check every transaction: there is a flaw in the validation protocol, and Mastercard has so far ignored it.
The flaw in the MIGS protocol was recently discovered by independent researcher Yohanes Nugroho. He states that it allows criminals to spoof the payment system's response, so that merchants accept invalid transactions as successful ones.
Nugroho states that this is a client-side bug rooted in Mastercard's hashing method, and that the company does not want to change it. "But if you encipher the value, the bug may be removed," says Nugroho.
According to the researcher, attackers can submit an invalid payment through third-party billing services; the payment then bypasses Mastercard's payment system and the request goes directly to the vendor.
Nugroho notes that instead of being validated on the merchant's side, the inputs are checked only on the client side. The data never reaches Mastercard, which makes it possible for attackers to forge it.
In other words, attackers can pass off invalid payments as fully legitimate transactions. The confirmation should be performed on the merchant's side, but there is usually no check on what the user submits when approving the bank request.
The researcher confirms that various large companies, such as Fusion Payments, are vulnerable to such attacks. Fusion Payments awarded the researcher a $500 bounty and has taken steps to fix the issue.
“Since the beginning, Fusion Payments did not check the Mastercard IGS signature. That means that the data may be changed and labeled as successful. It’s quite simple: enter any credit card number, receive a failed response from Mastercard, change the data, and the payment becomes successful.”
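As an added illustration (not code from the article, from Fusion Payments or from Mastercard), the following Python shows the merchant-side check the quote describes as missing: a declined response that is altered on the client passes a merchant that only reads the result code, but fails one that verifies the gateway's signature first. The field names, the HMAC-SHA256 layout and the shared secret are assumptions for this example, not MIGS's documented format.

```python
import hashlib
import hmac

# Shared secret between merchant and gateway: constructed for this example.
SECRET = b"demo-merchant-secret"

def gateway_sign(fields):
    """Signature the gateway attaches to its response (assumed layout, not
    MIGS's documented one): HMAC-SHA256 over sorted key=value pairs,
    excluding the signature field itself."""
    payload = "&".join(f"{k}={v}" for k, v in sorted(fields.items())
                       if k != "SecureHash")
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()

def make_signed_response(code, amount="10000"):
    """Constructed sample of what the gateway hands back; code "0" = approved."""
    resp = {"MerchTxnRef": "order-1001", "Amount": amount, "TxnResponseCode": code}
    resp["SecureHash"] = gateway_sign(resp)
    return resp

def tamper(resp):
    """Client-side alteration as described in the article: the result code is
    flipped to "approved", but the signature cannot be recomputed without SECRET."""
    forged = dict(resp)
    forged["TxnResponseCode"] = "0"
    return forged

def vulnerable_is_paid(resp):
    """Trusts whatever the browser posts back to the merchant."""
    return resp.get("TxnResponseCode") == "0"

def hardened_is_paid(resp, expected_amount):
    """Verifies the signature with a constant-time compare before reading
    anything else, then checks both the result code and the amount."""
    supplied = resp.get("SecureHash", "")
    if not hmac.compare_digest(supplied, gateway_sign(resp)):
        return False
    return resp.get("TxnResponseCode") == "0" and resp.get("Amount") == expected_amount

if __name__ == "__main__":
    declined = make_signed_response("5")
    forged = tamper(declined)
    print("vulnerable merchant accepts forged decline:", vulnerable_is_paid(forged))
    print("hardened merchant accepts forged decline:", hardened_is_paid(forged, "10000"))
    print("hardened merchant accepts genuine approval:",
          hardened_is_paid(make_signed_response("0"), "10000"))
```

The amount check matters as much as the signature check: a genuine approval replayed against a different order or price must also be rejected.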
There is a claim that attackers are actively using this bug in India, where there are many unaware Mastercard users. Worse still, the same method may work against any financial system built on MIGS, and yet Mastercard is in no hurry to fix the issue.
Another researcher was rewarded $8,500 for finding the bug and reporting it to Mastercard's representatives, but the company is only beginning to acknowledge the problem. The researcher contacted the company's security officials and received no response.
This article will be updated as we continue to contact Mastercard officials. In the meantime, merchants should be careful: some payments may only appear valid when in fact they are fake.
Mastercard's senior vice president of external communications has stated that he has reviewed the researchers' claims. His comments about the system itself are noncommittal, but he says the error may be caused by a misconfiguration on the merchants' sites. Mastercard is providing specific training and resources to merchants to avoid such issues in the future.