CCAvenue Payment Gateway hacked. CEO cries foul

Status
Not open for further replies.
G

Gaurish

Galvanizer
My Reaction:

At first I felt sorry for them but after I read that they were hacked using something as basic as SQL Injection which can be easily fixed. not cool:|

Further read that they were storing passwords are plan text!!! that's when all my sympathety turned into anger! bloody incompetent & irrresponsible :@

One thing is sure, I am not using CCAvenue payment gateway again. they have lost my trust:no:

CCAvenue, one of the largest online Payment gateways of India, has been compromised by a hacker who goes by the name d3hydr8.

According to HackerRegiment, this website was compromised by exploiting a SQL injection vulnerability and all the admin passwords which were apparently stored in Plain Text, have been leaked in a report which includes a list of databases, info on the tables within the databases and screenshots of the admin passwords of the CCAvenue portal.

Furthermore, it added that they have reported the issue to CERT India (Indian Computer Emergency Response Team) and are anticipating corrective action to be taken before the information becomes public through other channels.

Vishas Patel, CEO of Avenues India which runs CCAvenue, initially wasn’t sure of the damage and said he’d respond after they’ve looked into how significant the breach was. Although he added they didn’t store any credit card details or any other payment details.

In a quote to Medianama, he said:

“From our side, we’ll have to look into it. It is not possible, because of the kind of application level firewalls that we have put up. We don’t store credit card numbers or any other kind of payment details because of the Payment Card Industry Data Security Standards, and there is no credit card or payment related info on our servers. There are new standards that have come in, that is PCI DSS 2.0, which are more stringent than the earlier standards, and we have just completed the assessment under that last week.”

“More than 85-90% of our transactions are netbanking and non-credit cards related transactions. Those transactions go through the bank server, where the end customer enters usernames and passwords, and we don’t store those. They are entered on the bank servers. There is no payment related info on our servers. CCAvenue is just a redirector in this case.”

Later, he rebuffed the activity saying this is a mischevious slander against CCAvenue. He said the screenshot that has been leaked is not of their current database since it quotes the server type as Apache/2.2.14 and they have shifted to Apache/2.2.17 since 5 months.

He also said they had stored all the passwords as encrypted and not plain text as before, although users on Twitter are stating a different story.
Click to expand...

CCAvenue, India

[Update]

According to CEO Vishwas Patel it was simply a mischief. The screenshot wasn't of current database.

CCAvenue CEO Vishwas Patel Denies Authenticity Of Hacking Report; Claims Mischief - MediaNama
 
  • Like
Reactions: 1 person
WTF/

Later, he rebuffed the activity saying this is a mischevious slander against CCAvenue. He said the screenshot that has been leaked is not of their current database since it quotes the server type as Apache/2.2.14 and they have shifted to Apache/2.2.17 since 5 months.
Click to expand...

Does this mean, CCAvenue was hacked long back when they were on 2.2.14 server? :S :@
 
In short, are we secure, as we had used that, even i used that yesterday to get something from ebay :(
 
How will one 'stop' using CC Avenue. Most payment gateways on sites use this intermediary portal. SQL Injection...sigh. Plain text storage...dumb.

Should we re-do our plastics from the banks..?
 
CeDrIc said:
WTF/

Does this mean, CCAvenue was hacked long back when they were on 2.2.14 server? :S :@
Click to expand...

I've been using their services (as a merchant) for quite a few years now. I recall that they were hacked once before :( Not sure of the version of the server they were using before though.

This is a big hit to merchants and customers alike, and a big hit to the willingness of people to use online payment. And it is bad for the industry.

It is a pity there are no comparable gateways in India (= wide coverage of payment options). For reasons other than security, I've been considering shifting to somebody who gives better service.

Anyway, my sympathies are with them.
 
DishTV used to use them as a recharge gateway since their beginning, but since last month they have changed their system and payment gateway too.. I guess for good.
 
"this website was compromised by exploiting a SQL injection vulnerability and all the admin passwords which were apparently stored in Plain Text"..

Now thats the height of carelessness.
 
WTF, We must change CC/debit/ONB passwords ASAP. I have recently made lots of purchases through CCAvenue gateway on freecharge, letsbuy, mydala, snapdeal, etc.
 
I dont think there is any need to be worried about your cards as of now, as

i)There were no credit card numbers stored on their servers

ii)They did not have access to the 3Dsecure password, which is necessary for payments
 
mehrotra.akash said:
I dont think there is any need to be worried about your cards as of now, as
i)There were no credit card numbers stored on their servers
ii)They did not have access to the 3Dsecure password, which is necessary for payments
Click to expand...
Point 2 is only valid in India as experienced by a fellow TE member recently. So if some one get the details (card no., CVV, Expiry, Name) and use it outside india, there is no need for this 3d password.
 
Ok, tell me one thing, say I'm purchasing something, which uses CCAvenue as their payment gateway, and on CCAvenue gateway I'm asked to choose the method of payment and bank.

So say I choosed Internet Banking and SBI as bank, now CCAvenue redirects me to SBI Internet Banking site, I enter my username password there and proceed for payment.

Now, my question is, can CCAvenue ever know the password that I entered on my SBI Internet Baking site?? I don't think so, as it's highly encrypted and I guess, after the process, SBI just transfers the amount to the merchant(CCAvenue here). I don't think SBI would make user details visible to some 3rd Party site.

Am I right??
 
^ Yes that's right. Only risk is when you enter CC details on payment gateway but that too is now protected by MC Secure/ VBV for authentication and those details are not shared with any third party, including the payment gateway.

adi_vastava said:
Point 2 is only valid in India as experienced by a fellow TE member recently. So if some one get the details (card no., CVV, Expiry, Name) and use it outside india, there is no need for this 3d password.
Click to expand...
This is the risk as those CC details if compromised can be used in sites not participating in MC Secure/VBV, like most international sites.
 
krishnandu said:
Ok, tell me one thing, say I'm purchasing something, which uses CCAvenue as their payment gateway, and on CCAvenue gateway I'm asked to choose the method of payment and bank.

So say I choosed Internet Banking and SBI as bank, now CCAvenue redirects me to SBI Internet Banking site, I enter my username password there and proceed for payment.

Now, my question is, can CCAvenue ever know the password that I entered on my SBI Internet Baking site?? I don't think so, as it's highly encrypted and I guess, after the process, SBI just transfers the amount to the merchant(CCAvenue here). I don't think SBI would make user details visible to some 3rd Party site.

Am I right??
Click to expand...
Yes, CCAvenue doesnt know the password entered on the SBI site
 
anyone facing prblms while paying through sbi debit card from CCavenues? everytime i tried to pay...payment wasn't successful....and the mails i got contains the error msg "Invalid CardNumber / Expiry Date or Insufficent Funds"....im worrying :(
 
arun687 said:
^ Yes that's right. Only risk is when you enter CC details on payment gateway but that too is now protected by MC Secure/ VBV for authentication and those details are not shared with any third party, including the payment gateway.
This is the risk as those CC details if compromised can be used in sites not participating in MC Secure/VBV, like most international sites.
Click to expand...
Yes, but reporting those transactions as fraud and getting a replacement shouldn't be an issue if you get messages on every transaction (I do), ofc its a hassle, but just not a very big one.

I highly doubt they stored CC numbers though, I think thats in violation of many norms
 
Status
Not open for further replies.
Top Bottom