Credit card users, it is time to think twice before entering your card details, as the data is easily accessible to the public on the internet. Millions of secured credit card transaction records have been publicly exposed on the internet for the past three weeks.
These leaked credit card transactions were stored in a database belonging to Paay, a card payments processor based in New York. Like other payment processors, the company verifies payments on behalf of selling merchants, such as online shopping sites, online stores, and other businesses, to avoid fraudulent transactions.
Even up till now, there are no security measures in place to restrict access to the database on the server, and anyone can freely access the credit card data stored for online shopping.
Anurag Sen, a security researcher, found the loophole into Paay's database. He revealed that the database holds more than 2.5 million card transaction records. When the information was conveyed to Paay, the database was pulled offline.
On April 3, Paay co-founder Mr. Yitz Mendlowitz said that they are currently in the process of deprecating. As a result of the process, an error occurred on the database, which exposed the data to the public without requiring a password to access the information.
The database holds daily records of card transactions from various merchants, dating back to September 2019. Information that can be gleaned from each transaction includes credit card numbers, expiry dates, and the amount spent on the transaction.
The data does, however, contain partially masked copies of each card number. Furthermore, there are no cardholder names or card verification values, which at least makes it difficult to use the credit card information for fraud.
There have been many security lapses this year alone, with this incident involving the third payments processor to allow one. In January 2020, Sen found other payments processors that experienced a data breach similar to Paay's, which exposed a database storing 6.7 million records to the public.
Earlier this month, another security researcher, Ashot Oganesyan, also identified two more payment sites whose databases were left exposed for several months.
Even government payment processors are facing security issues: data on court fine collections and utility bill payments for residents across Arkansas and Oklahoma was exposed, and years of transaction data were available to the public on the internet. The unprotected web directory of the payment processors for two sites, courtpay.org and utilitypay.org, was exposed, and up to 3 years of transactions were accessible.
The database was left exposed for at least five months, according to data from BinaryEdge, which scans the internet for exposed systems and databases. The security flaw was only recently rectified, on Monday.
Mendlowitz stated that Paay informed between 15 and 20 merchants that the company has engaged an unnamed forensic auditor to investigate the scope of the security lapse.