Caveat Cardholders! A UK security publication reports that Worldpay’s payments processing system had been compromised in the past year. Through an apparent vulnerability in the transfer of both credit card and personal information, fraudsters could have been handed a major data hacking opportunity. The following article further states that Worldpay had corrected the problem earlier this year.
Technology industry watchers have castigated payments processing service Worldpay for potential operational vulnerabilities. Worldpay is billed as a secure payment gateway for businesses that incorporates the worlds of online payments, card machines and telephone payments.
It is precisely the Worldpay Merchant Portal that Randy Westergren has a problem with. As a senior software developer at XDA Developers, Westergren claims he has found “multiple vulnerabilities” in the Worldpay Merchant Portal. He further states that this is not the first time he has uncovered compliance issues with this kind of payment gateway technology. Westergren explains that he encountered the concerns when working with setup and testing inside the Worldpay API and Merchant Center web portal.
“This request was vulnerable such that any authenticated user of the system could view the credit card transactions of any other merchant’s business, i.e. a simple IDOR (Insecure Direct Object References). While the full credit card number is not displayed in this interface, the last four digits and the expiration date are [visible] and this is valuable information for an experienced attacker,” explained Westergren.
This is not the end of the issue list highlighted by Westergren. He further details a similar IDOR vulnerability in the online Merchant Center found when using an interface through which a merchant can configure a WebPay form. This is essentially a preconfigured form used on merchant sites to accept credit cards (posting directly to Worldpay’s servers).
Westergren confirmed that Worldpay fixed the problems after being notified of them earlier this year.
Usually data breaches become known after the damage has been done. It is not clear if that’s the case here. Unfortunately, the reporter does not specify if an attempt was made to contact Worldpay (even if they refused or did not respond to inquiries) about this story—something that should be done given that they are at the center of this report.
Overview by Raymond Pucci, Associate Director, Research Services at Mercator Advisory Group
Read the full story here