05-05-2011, 04:17 PM
|
#1 (permalink)
|
|
Simply a DIGITian
Join Date: Nov 2007
Location: Kolkata
Posts: 2,955
|
CCAvenue Gateway Hacked
Quote:
CCAvenue, one of the largest online Payment gateways of India, has been compromised by a hacker who goes by the name d3hydr8.
According to HackerRegiment, this website was compromised by exploiting a SQL injection vulnerability and all the admin passwords which were apparently stored in Plain Text, have been leaked in a report which includes a list of databases, info on the tables within the databases and screenshots of the admin passwords of the CCAvenue portal.
Furthermore, it added that they have reported the issue to CERT India (Indian Computer Emergency Response Team) and are anticipating corrective action to be taken before the information becomes public through other channels.
Vishwas Patel, CEO of Avenues India which runs CCAvenue, initially wasn’t sure of the damage and said he’d respond after they’ve looked into how significant the breach was. Although he added they didn’t store any credit card details or any other payment details.
In a quote to Medianama, he said:
“From our side, we’ll have to look into it. It is not possible, because of the kind of application level firewalls that we have put up. We don’t store credit card numbers or any other kind of payment details because of the Payment Card Industry Data Security Standards, and there is no credit card or payment related info on our servers. There are new standards that have come in, that is PCI DSS 2.0, which are more stringent than the earlier standards, and we have just completed the assessment under that last week.”
“More than 85-90% of our transactions are netbanking and non-credit cards related transactions. Those transactions go through the bank server, where the end customer enters usernames and passwords, and we don’t store those. They are entered on the bank servers. There is no payment related info on our servers. CCAvenue is just a redirector in this case.”
Later, he rebuffed the activity saying this is a mischievous slander against CCAvenue. He said the screenshot that has been leaked is not of their current database since it quotes the server type as Apache/2.2.14 and they have shifted to Apache/2.2.17 since 5 months.
He also said they had stored all the passwords as encrypted and not plain text as before, although users on Twitter are stating a different story.
|
Source : CCAvenue, India’s Payment Gateway gets hacked. CEO cries foul - TNW India
WTH??? How they can store passwords in plain text and SQL Injection?? They are not even this much secure
Not going to use it anymore...
__________________
- Read The Forum RULES First.
- Before PM'ing Or Asking Any Questions To Any Mod Read The FAQ's
- Before Starting A New Thread Read The STICKY THREADS First
- Before Participating In Bazaar Section Read The BAZAAR RULES
|
|
|
|
|
05-05-2011, 05:06 PM
|
#2 (permalink)
|
|
Super Moderator
Join Date: May 2008
Location: New Delhi
Posts: 5,550
|
Re: CCAvenue Gateway Hacked
I just cannot believe this. SQL Injection and then storage of passwords in plain text. What the heck.
How can you not use it, most gateways go via CC Avenue.
__________________
MSI P45 Platinum(BIOS v1.7B)|Q9550[E0]@3.85Ghz@1.320V[453x8.5]MCH@1.184V|ICH@1.55V|DDR_V_Ref_A_B@1.05V|NH-D14|Corsair TWIN2X4096-8500C5(5-5-5-15)@1089Mhz@2.14V
2xHD4890[Xfire]@1000/900[MEM/GPU]|Corsair 650TX|Seagate180GB+80GB+WD1TB|SONY-DVD-R|CM690|2x120mm Scythe Ultra Kaze|DELL S2409W|APC 1100VA|Scythe Kaze Server
Windows 7 Ultimate RTM - 64BIT|Catalyst 10.5 (8.14.10.0753) forced with RadeonPRO|PS3 160GB|Sony 40EX520|AC Ryan POHD Mini|APC 800VA|APC 800VA|D425KT|CM100 Elite|2TB WD|Acer D255
Test your spoiler tags before submitting
|
|
|
05-05-2011, 05:20 PM
|
#3 (permalink)
|
|
Stuck in Time...
Join Date: May 2009
Location: Land of Logic
Posts: 2,278
|
Re: CCAvenue Gateway Hacked
The more I hear of such hacks, more I start to believe of the impending doom of 2012!
OMG! That's just not happening dude!!! CCAvenue!
My telephone bill, railway ticket booking... and even the recent digit subscription I did.. was all through the CCAvenue!
I don't want to spread panic... but... We are DOOMED!
__________________
Marty: Hey, Doc, we better back up. We don't have enough road to get up to 88.
Doc Brown: Roads? Where we're going, we don't need, "roads!" :)
──── On the Internet you can be Anything you want. It's Strange that, so many people choose to be Stupid! ────
|
|
|
05-05-2011, 05:41 PM
|
#4 (permalink)
|
|
Alpha Geek
Join Date: Feb 2006
Location: Chandigarh
Posts: 949
|
Re: CCAvenue Gateway Hacked
Where did 2012 come into this? Come on, man. From what I have seen, I have only ever entered passwords in the SBI site. Never in CCavenue site. But I will still keep an eye on my bank account.
__________________
Appreciate me now and avoid the rush!!
i5 2500K || 8GB DDRIII 1600 MHz RAM || Zotac GTX560Ti || Samsung 2233sw || Corsair GS600
|
|
|
05-05-2011, 06:16 PM
|
#5 (permalink)
|
|
.
Join Date: Jun 2007
Location: New Delhi
Posts: 8,935
|
Re: CCAvenue Gateway Hacked
This is ridiculous. Plain text?
__________________
.
|
|
|
05-05-2011, 06:24 PM
|
#6 (permalink)
|
|
Excessive happiness
Join Date: Jun 2008
Location: Bangalore
Posts: 2,975
|
Re: CCAvenue Gateway Hacked
CCAvenue is a bunch of fools to store password as plaintext. Even a small company will encrypt the password and store it.
BTW In my prev company we used CCAvenue. Too bad such famous PG provider doomed by simple SQL injection, which a school going kid can do.
__________________
My First Android phone : Samsung Galaxy SL i9003 - Rooted & Gingerbread XXKPQ
Updated : superteekz_V2 ROM for XXKPQ.
PS Request
|
|
|
05-05-2011, 06:34 PM
|
#7 (permalink)
|
|
Broken In
Join Date: Sep 2007
Location: Navi Mumbai
Posts: 181
|
Re: CCAvenue Gateway Hacked
Quote:
Originally Posted by asingh
I just cannot believe this. SQL Injection and then storage of passwords in plain text. What the heck.
How can you not use it, most gateways go via CC Avenue. 
|
thinkdigit also uses the same gateway, this is high time we look after the security aspect of payment gateways. Before making a purchase we must verify the security.
Verisign certified.
|
|
|
05-05-2011, 06:35 PM
|
#8 (permalink)
|
|
Excessive happiness
Join Date: Jun 2008
Location: Bangalore
Posts: 2,975
|
Re: CCAvenue Gateway Hacked
They are already hacked a few before IIRC.
|
|
|
05-05-2011, 07:12 PM
|
#9 (permalink)
|
|
Stuck in Time...
Join Date: May 2009
Location: Land of Logic
Posts: 2,278
|
Re: CCAvenue Gateway Hacked
So how many options we have other than CCAvenue?
And can anyone clarify what SQL injection actually is? Since supposedly even a school kid can crack?
|
|
|
05-05-2011, 07:42 PM
|
#10 (permalink)
|
|
mekalodu
Join Date: Oct 2004
Location: Navi Mumbai
Posts: 1,519
|
Re: CCAvenue Gateway Hacked
I don't think this news is true ....
__________________
mekalodu
|
|
|
05-05-2011, 08:31 PM
|
#11 (permalink)
|
|
Simply a DIGITian
Join Date: Nov 2007
Location: Kolkata
Posts: 2,955
|
Re: CCAvenue Gateway Hacked
Well, asingh is right, max. vendors use CCAvenue as their payment gateway, no idea what should we do next.
Quote:
Originally Posted by vineet369
So how many options we have other than CCAvenue?
And can anyone clarify what SQL injection actually is? Since supposedly even a school kid can crack?
|
SQL injection - Wikipedia, the free encyclopedia
Quote:
Originally Posted by iinfi
I don't think this news is true ....
|
Dude, read the news, CCAvenue themselves accepted it, and the source is not fake, it's reliable.
|
|
|
05-05-2011, 09:05 PM
|
#12 (permalink)
|
|
Stuck in Time...
Join Date: May 2009
Location: Land of Logic
Posts: 2,278
|
Re: CCAvenue Gateway Hacked
Quote:
|
“More than 85-90% of our transactions are netbanking and non-credit cards related transactions. Those transactions go through the bank server, where the end customer enters usernames and passwords, and we don’t store those. They are entered on the bank servers. There is no payment related info on our servers. CCAvenue is just a redirector in this case.”
|
Reading the above quote, I am relieved again. Since most of my transactions are through Net Banking
|
|
|
05-05-2011, 11:04 PM
|
#13 (permalink)
|
|
Simply a DIGITian
Join Date: Nov 2007
Location: Kolkata
Posts: 2,955
|
Re: CCAvenue Gateway Hacked
Yes, that's right, but I think I've used CC few times. Can't remember though.
|
|
|
06-05-2011, 01:24 AM
|
#14 (permalink)
|
|
Uhu, Not Gonna Happen!
Join Date: Nov 2005
Location: Bangalore
Posts: 1,160
|
Re: CCAvenue Gateway Hacked
me too..and I have used credit card all the time
__________________
My personal blog - http://gagan.scholarguru.com
|
|
|
06-05-2011, 02:02 AM
|
#15 (permalink)
|
|
Dev
Join Date: Oct 2010
Posts: 629
|
Re: CCAvenue Gateway Hacked
Quote:
Originally Posted by krishnandu.sarkar
Yes, that's right, but I think I've used CC few times. Can't remember though.
|
Me too? So after all the hype of PSN, and now ccavenue. The last payment made for digit subscription, 2 weeks back.
|
|
|
06-05-2011, 08:09 AM
|
#16 (permalink)
|
|
Simply a DIGITian
Join Date: Nov 2007
Location: Kolkata
Posts: 2,955
|
Re: CCAvenue Gateway Hacked
So what should we do now?? Is there anything that we can do??
I have registered for Mastercard Secure Code at the very beginning after getting the Card, but never got any site which asks for it to verify it.
|
|
|
06-05-2011, 09:02 AM
|
#17 (permalink)
|
|
Dev
Join Date: Oct 2010
Posts: 629
|
Re: CCAvenue Gateway Hacked
Quote:
Originally Posted by krishnandu.sarkar
So what should we do now?? Is there anything that we can do??
I have registered for Mastercard Secure Code at the very beginning after getting the Card, but never got any site which asks for it to verify it.
|
That's what I also want to know? What to do now? Call the bank and ask them to cancel my cc?
Now, I remember I make the electricity, water, phone and god knows what else through ccavenue.
@krishnandu.sarkar I get the master secure code page whenever I make the payments. Why you don't get it?
|
|
|
06-05-2011, 09:10 AM
|
#18 (permalink)
|
|
Rising Sun!
Join Date: Feb 2011
Location: Bengalooor
Posts: 234
|
Re: CCAvenue Gateway Hacked
This January I renewed my digit subscription through the same CCAvenue. I got a message stating that the login details which I entered would be transferred through an unencrypted channel. I was apprehensive about that but still there was no other go, trusting digit I carried on with the payment!
|
|
|
06-05-2011, 09:40 AM
|
#19 (permalink)
|
|
Simply a DIGITian
Join Date: Nov 2007
Location: Kolkata
Posts: 2,955
|
Re: CCAvenue Gateway Hacked
^^Yup that's right, whenever I bought anything, after making payment through SBI Net Banking, when it redirects it says it's going to send the data through unencrypted channel, and I used to go with it. And I guess many of us did that too.
@dreatica I've no idea, I registered for Mastercard Secure Code at the very beginning after getting my Card, but never asked for that while making payment. I can't remember particular services I used but it never asked for that password. I guess not all sites are compatible with it, so the sites which are compatible with it, asks for the password, others just make the transaction normally. One I can remember is Vodafone.in which I use for my recharge needs.
|
|
|
06-05-2011, 09:50 AM
|
#20 (permalink)
|
|
Uhu, Not Gonna Happen!
Join Date: Nov 2005
Location: Bangalore
Posts: 1,160
|
Re: CCAvenue Gateway Hacked
@dreatica: for some gateways it doesn't ask the password..I am not sure why!
|
|
|
06-05-2011, 10:16 AM
|
#21 (permalink)
|
|
In The Zone
Join Date: Jun 2004
Location: Kolkata
Posts: 384
|
Re: CCAvenue Gateway Hacked
Krishnandu, thanks for bringing this to our notice.
This is such a setback now. Just when people of India were getting in the thick of things when it comes to the online shopping, transactions etc, CCAvenue, one of the most used and trusted Payment Gateway craps on our confidence. This is just horrible. Most of the time I have used HDFC Netsafe card which is good for only 1 transaction, looks like that's the way to go from now onwards.
This incident has now made me wonder, how secure really is Online shopping / marketing in Indian sites. If a payment gateways site can be hacked (because of their earth shattering stupidity, negligence, etc etc), can the shopping portals be trusted?
__________________
Beware of my Wrath Mortals, Thou hast no choice.
|
|
|
06-05-2011, 10:36 AM
|
#22 (permalink)
|
|
God of Mistakes...
Join Date: Dec 2005
Location: Pune, Maharashtra
Posts: 1,923
|
Re: CCAvenue Gateway Hacked
|
|
|
06-05-2011, 10:42 AM
|
#23 (permalink)
|
|
Excessive happiness
Join Date: Jun 2008
Location: Bangalore
Posts: 2,975
|
Re: CCAvenue Gateway Hacked
^^ looks conflicting. They claim they updated their server 5 months back but reports saying that it's done very recently. Shame on CCAvenue
|
|
|
06-05-2011, 11:17 AM
|
#24 (permalink)
|
|
Super Moderator
Join Date: May 2008
Location: New Delhi
Posts: 5,550
|
Re: CCAvenue Gateway Hacked
|
|
|
06-05-2011, 11:45 AM
|
#25 (permalink)
|
|
Simply a DIGITian
Join Date: Nov 2007
Location: Kolkata
Posts: 2,955
|
Re: CCAvenue Gateway Hacked
Quote:
Originally Posted by Thor
Krishnandu , thanks for bringing this to our notice.
|
Welcome, But I didn't find this, I got the news from other forum and thought of sharing here too.
|
|
|
06-05-2011, 03:57 PM
|
#27 (permalink)
|
|
Simply a DIGITian
Join Date: Nov 2007
Location: Kolkata
Posts: 2,955
|
Re: CCAvenue Gateway Hacked
Yes, they are the admin passwords. Not of users.
I guess their N/W admins are too noob to know that these things can be found out easily
|
|
|
06-05-2011, 04:05 PM
|
#28 (permalink)
|
|
Dev
Join Date: Oct 2010
Posts: 629
|
Re: CCAvenue Gateway Hacked
Check this out :
Updated: CCAvenue CEO Vishwas Patel Denies Authenticity Of Hacking Report; Claims Mischief - MediaNama
The credit card numbers are not stored anywhere in our database, as per PCI norms. Only the first six and last 4 card numbers of the last 15 days are stored. And those are also BSI encrypted, for which there is a key, and to open that there is a master key, and those keys are not stored online anywhere. It is there with our head of security, who is the only person with access to it. The encryption has been in place on our servers for the last four years.
I made the last payment from ccavenue to digit on 18th. If the last 15 days is true, my A@@ is saved coz I just bump it for 16 day as the database was hacked on 4th May.
|
|
|
09-05-2011, 08:55 PM
|
#29 (permalink)
|
|
Mozilla Rep
Join Date: Apr 2011
Location: Lucknow
Posts: 1,471
|
Re: CCAvenue Gateway Hacked
CCAvenue hacked by SQL Injection...I mean WTF? Never realised CCAvenue would be this insecure, and to add to the stupidity, all the database of admin's login information was stored in plain text
|
|
|
09-05-2011, 11:39 PM
|
#30 (permalink)
|
|
Mmmph!!!
Join Date: Nov 2010
Location: Mmmphhmph Mmphph
Posts: 1,408
|
Re: CCAvenue Gateway Hacked
lol, even script kiddies can do a sql inject.
are these the people to whom we trust our money?
__________________
Mmmphh-mphhhh-mmphh mhh!!!
Steam : doomgiver
|
|
|