SecurityLah - the Asian Cyber Security Show
SecurityLah - the Asian Cyber Security Show
S2E12: iPay88 breach and notification - Part 1/2
Recently, a Mal;aysian payment gateway named iPay88 released a press release stating that they have been breached. Team #securitylah breaks down the press release to make sense of what happened.
Hey Kat, welcome back. Hi hi hi. Good to have you and Sky on the show. My goodness, it's been like forever man. Oh my god. So long. You know? Both of you were doing so well. Ah ya, cannot lah. We need our full force you know. Yeah man. Yes. Then only the podcast sounds good, you know? Betul betul. Missing the gang. Yeah. Hey Kat, do you know about a company called IPay88 ah? Yeah. Ladies and gentlemen, welcome to SecurityLah Podcast Season 2. Yes yes, I know IP88. Because of my full time daytime job, I have actually come across IP88 and even attended their events. Their payment gateway right? Oh their payment gateway. So what do they do essentially? I mean from what you understand? Well they actually, you know how when we make purchases online or do e-commerce and e-shopping and stuff like that. So they actually provide the services to allow consumers and people like you and me to make the payment via online. Oh wow, so they'll be processing stuff like credit card information right? Whether debit or credit card right? Yep yep. Ah okay. No because you know why? I just read this news clipping that was saying that you know they had a breach and I don't know. I was actually not so clear as to what the breach is about. Did you guys have a chance to know what was happening? Yeah actually I think I actually even saw the announcement which they made announcing that a breach had happened. From what I recall about the announcement which they made, it was like also very vague. It was like it just informed of a breach but I don't think it was very helpful as like not much more information was given but then that's just me. I mean did you get to see the announcement? Do you feel that actually there was like enough information which they shared? Would it have fulfilled you know regulators requirements and stuff like that? I mean from my point of view I think they were being too general in their comments. It is basically a scripted information given by marketing rather than the real thing now. But to be fair to them we don't have a law against those things. My positive outlook was at least they came forward and said they did whether it was a forced thing or not we don't know but better than some banks who you know after so many years they still refuse to admit that there was a breach. Okay so I just managed to google and get an article. It seems in the statement this company IP88 said that investigation was initiated on May the 31st. Now it's August so you're talking about June, July, August. Three months leh. Wow that's don't you guys think that's a bit too long to say that you had a breach? Yeah at least if they informed earlier then the I mean their customers could take some necessary measures kan? I use my online transactions thoroughly. I mean I buy domains, I buy books, I practically do everything online. And I know I've definitely have encountered an IPay88 pay page and you know you put in your credit card and then it gives you a challenge and says that okay please put in your OTP so that we can validate a transaction and all that. You know I definitely have done that so now it dawns to me yeah I would have done that but you know if they had a breach and they started investigation in May doesn't it make sense for you to at least issue a statement in May to tell your customers hey your data can you may have been compromised. So you know you should keep a lookout you know to actually tell the customers three months after. Imagine if the transaction has been done, billed two to three months ago now I go and check I'm like from what I know my knowledge about banking process is you have 30 days to dispute your transactions right. So if you don't dispute the transactions it's considered final and done and if you're gonna come now after three months and then you're gonna come and say oh we are sorry your your card has been breached three months ago and now I go back check my transactions I'm gonna have a problem say this doesn't look like my transactions I don't buy anything from Victoria's Secret I mean I'm here right so there's no reason for me to go to Victoria's Secret and buy stuff so it's I shouldn't my card shouldn't be used in Victoria's Secret hello you know so that's gonna be a red flag for me right you know if the guy buy books in Amazon I probably give it a miss because I'd be like yeah most likely that's me you know but the guy goes to Victoria's Secret guy or girl or they or whomever goes to Victoria's Secret and buy something then it's definitely not me so I'm gonna have a problem now trying to make this claim the bank is gonna say look you missed your 30-day period you know the 30-day period is it written somewhere yeah yeah it's it's part of your your claims process so what they do is the way it works is you have a billing date every month right so the billing date will generate whatever transactions you did before and they usually give you 20 to 30 days to make payment without charging you interest so during that 20 30 days if you have anything that you're not sure you're supposed to raise it as a dispute now here's the thing that a lot of Malaysians do not know there's a benefit of using credit card and there's also a disadvantage of using debit cards so most people what they do is they tend to use debit card because they want to limit how much they can spend good but the problem is this when you use a debit card it goes out from your account which means the bank will pay using the money you have in the account right so if someone cleans up your debit card that means your money is gone okay credit card is a bit different it's like a loan in waiting so the bank carries the liability so what happens for that 30 days or whatever so if you dispute actually you don't lose money bank loses money that is why as a merchant merchant meaning the person who has the credit card terminal or the seller they have to put in a deposit so in the event that such a fraud happens the bank can say this transaction is disputed we are going to claw back that amount from your merchant account so in that sense that's why the this payment ecosystem is kind of bit secure but it depends on what mode you use it you see one question though how does ipay 88 come into the picture in terms of the entire payment flow let's say if i buy something using my touch and go at the back end we are still using ipad 88 so the way it works is ip 88 is a payment gateway so what they do is they are responsible in processing payments so they can either process payments directly or they have a backend bank that does clearing for them so the only difference is i'm sure you would have heard of the standard called pcidss yeah so in those standards uh they define what level of processor you are if you're just a website who's using ip 88 then you probably don't have a lot of stringent requirements for you to meet but if you're not a website you actually hold the card data so in this case ip 88 holds the card data because some users may say save my information so that in the future i can make this payment right so in that instance ip 88 or any payment gateway is going to store your card data and pcidss which is the standards for data security defines that you must have adequate protection uh you must have encryption the database and all that kind of stuff right so there's a whole set of standards that you can go to pcidss and google pcidss and they'll tell you what are the standards you're supposed to meet so now the the thing is this they've just mentioned a breach as i'm reading i don't know where did the breach happen so did the breach happen at the payment gateway itself where you're processing the payment did the did the breach happen at the database server where all the cards are stored there's really nothing from the the notice uh that was that was listed out and one thing i noticed is that the official notice that's issued by ip 88 the contact details at the bottom refers to a pr agency so it seems to me that like what you rightfully said it's a it's a canned message right that's not right it's not right well the thing is this it's arguable to say whether it's wrong or right it's a standard reply that yeah so it's it's it's a standard thing to say uh you know uh uh we are we are currently looking at it uh we want to know what happened um it reminds me of a couple years ago i think it's a couple years ago and fsi had a massive it meltdown and the same thing oh we're having an it glitch and that's it but the whole nationwide branch operations was down right so until today we have no clue what happened why and we also hear you know issues of some fsi suddenly somebody account getting cleared and all that so you know there's really not much information as a customer i have got quite a bit of information but i do not know whether we are the right platform to share or not yeah i think both of you have really exciting jobs because like i'm i bet you have so much insider information that you're not able to share are we are we able to share this here as long as you're not bound by nda go right ahead if you have a hanging on your head i would suggest not to you know uh not really not really nda because you see you and i know i mean just like when you were in your previous job i mean i get to talk to people like you and sometimes we share information over a cup of tea yes so you know and i've seen that um actually the the the whole thing boils down to if i am uh not wrong i think it is the the bridge at the card level meaning i can actually use your card to buy things now because i have clear text information on your username and your password enjoying the show so far subscribe now so that you don't miss out on the latest episode we are available on spotify apple podcast google podcast and many other platforms visit podcast. securitylah.asia to get the links to subscribe yes and i was told that there are easily hundreds of thousands of users affected we're not talking about a few cards here you know we are talking a lot a lot of transactions and the thing is these transactions are actually affecting users that's the reason why i think later you're going to share about the abm article right that's the reason why abm comes up and say hey why should we be doing the cleanup when the information was actually leaked out from the payment gateway operator yeah that's what we are hearing now so here the the problem is that you know as as a user or as a customer i will look at my bank to safeguard my money simple right whatever it is i will i will say okay bank x i'm your customer so you make sure that you know you do whatever you need to do plan whatever you need to plan put whatever infra whatever not you know you do whatever you need to do to make sure that my card and my information stays secure because you see there's no point for me having a debit card or a credit card and i can't do online transactions it defeats the purpose right so i should be able to do my transactions securely so for example i do a lot of transactions with amazon i i host my own stuff and also buy tons of books there because unfortunately Malaysia has very very uh sorry to say lousy collection of it books so i get most of my books from from amazon right so i bundle like 20 30 books and then i buy one shot right so i i that's me i'm i'm as a customer so so my risk profile in the bank will probably be quite high because i do a lot of online transactions so for me my bank is supposed to take care of me so that's why i will look at the banks so ironically like what you said earlier abm which is an acronym for the association of banks malaysia issued a statement and it was so funny because just a couple of weeks before they issued that statement i was conducting uh i was conducting a public session and and in that talk i shared my secret i said one way for me to know if a breach has happened is i monitor for these keywords your security is important to us somewhere along those lines or we take your security very seriously somewhere along those lines everybody and like clockwork i see abm's press release and those keywords match exactly that so i'm left scratching my head i'm like okay so reading through um since this is ipa ipa 88 is a is a huge uh payment processor in in malaysia or at least around asia they handle quite a large volume of transactions so grantedly that they would be processing a whole load of uh at least malaysian we talk about malaysian contacts so at least malaysian credit card card information so there's a likelihood that some of the people there may have been you know may have been used the card details may have been used for nefarious transactions or illegal transactions you know i i've got uh listening to the both of you experts i i have as of now just two questions right uh if if things are as what sky said as in uh the bridge was at the card level users are affected and then the webs the website where you do the transactions already have the pre-filled the information pre-filled already i don't know that which would mean that uh all the required details to be able to do a transaction is already there on the website so what do you think users should do should they change their card is it going to be enough and or just like i don't know just completely and most of it you have to go to change more than just their the their payment information but um yeah the issue the personal details which they the issue here is uh cat the banks are still in the process of notifying the card holders oh dear the question is do they know how much of credit card information has been out now from the from the pr release of ip88 doesn't indicate anything doesn't even say that how many percent of their user base nothing there's practically nothing to lean on you know on the on the day of the preacher i mean of the day of the notification i was told that uh there was actually a zoom call for all the banks if yeah if bank negara treats that so high profile i my guess is it has to be this must be one of your your inside info it was like it was like you know i somebody just texted me you know and say hey bro uh do you know what happened yesterday how come they call for 8 pm meeting i was like oh my goodness how actually i knew about the bridge from someone who was inquiring in one of the security list asking hey did ipay88 get breached does anyone know anything about it yeah so that's how the the the cat got out of the bag quite early months i had the ip88 bridge you know our cat no no no our cat now here with us i'm here so so the the baller was actually thrown you see the the unfair thing was i mean i spoke to a couple of cios after that they didn't share anything with me or i mean i've got to clarify this none of the information that was that i said was actually coming from any of the cios or the head of security but their comment was you know now they are left with the entire list of uh users and they have to inform the users that they are transaction you see the problem was some of the users actually don't know i wonder how many users actually know you know because i know i've used ip88 and and i never got any notification what about you sky and cat did you guys get any notification no i you see the thing is that's why i asked you the question just now you see we do a lot of payments like touch and go, grab and all that but these are the merchants at the front the back end is ip88 am i right yeah true yeah so you don't really know because you like for example if i top up now i don't know that the back end is actually ipa 88 i i'm not sure even if it is or if if it isn't but the key thing is uh this is from the oven uh let me put a this uh disclaimer here none of the banks have spoken to me on this all right this one your your your private secret yes information that web we call it gray web all right so the transactions were very small it is below 10 ringgit most of them oh wow then that's going to be difficult man now because you're a banker yourself right so i mean ex banker okay so that's going to be difficult yes because you see if you have don't don't don't say you have a lot of money if you have 600 or 700 ringgit you're not going to be looking at seven ringgit six ringgit transactions every day yeah that's going to be difficult man reminds me of that issue of the one cent yeah who stole one cent from from the interest of everyone you know so that's wow that's going to be so difficult to know and the thing is this you have such a big user base for you to steal so even if you spend five thousand ringgit our Malaysian population is about 32.7 million okay say you take 10 million okay safe safe bet 10 million five ringgit times 10 million wow is it more difficult to detect when the transactions are so small but yes it's more difficult to because it doesn't affect anything that's the problem you have those amount that creates red flags but these are so small you don't see that's the issue and the the guy who does it or the group who does it they know the banking system very well okay and this is uh yeah so i'm just reading this article here also and you could this could be the reason why uh this article reports that ipay88 stated there's been no further suspicious activity since 20th of july precisely maybe because the transactions are so small it doesn't flag anything up most likely most likely yeah i don't even know if it has stopped or not but the thing is i mean i don't want to uh put real figures on it but most of the banks who are most of the banks are affected that's one statement i can make secondly most of the affected account is actually in in each banker i'm talking about every each bank is six digit in nature wow that's a lot man that's yeah we are not we are not talking about like 200 users here uh you know girl got a few hundred users the got a few no we're not talking about that we're talking about six digits oh dear okay that's a lot of accounts so one one cio was telling me i don't even know where to start to inform what do you want me to say because you see as a user when somebody say when somebody calls you and say cat i'm sorry to say that there has been like 26 transaction in your account of six ringgit each that has been fraudulent now the first thing you do is you scream because why like like doc say just now you're supposed to be protecting my money you know i don't care what happens at the end my money is with the bank you return the money that's it so the ball is actually at the bank's feet you know yeah yeah yeah but here's the thing you see i mean clone cards and all that is not something new to the banks and i'm talking about 20 years ago uh i was using a foreign bank not a not a malaysian bank and they just call me one day and say uh sir we believe that your card has been cloned we're going to send you a new one no further message nothing i checked my bill everything was in order so if you ask me the technology existed long time ago i'm sure now it shouldn't be much of an issue for them to actually track and block those kind of transactions so yeah so the banks can't detect they can't track thanks for joining us this week on securitylah make sure to visit our website at security lah dot asia where you can subscribe to the show in itunes spotify or rss so you'll never miss a show[ Silence ]