Data of 100 million credit, debit cardholders leaked on Dark Web

Juspay acknowledged a breach on August 18, 2020, but the data seems to have surfaced only now as a dump offered for sale — by several persons or one person using many IDs — on the Dark Web
The first week of the year has recorded what could well be the biggest data leak in a while. The transaction data of about 100 million Indians, reportedly lifted from fintech service provider Juspay, was found being sold on the Dark Web.

The Bengaluru-based digital payments platform, Juspay, processes transactions for many customers including big guns like Amazon, MakeMyTrip, Airtel, Flipkart, Uber and Swiggy. Juspay acknowledged a breach on August 18, 2020, but the data seems to have surfaced only now as a dump offered for sale — by several persons or one person using many IDs — on the Dark Web.

The breach and data leak, or leaks, took place sometime between March 2017 and August 2020, according to security researcher Rajshekhar Rajaharia, who first tracked down the data on the Dark Web. The earliest records pertain to March 2017, while there are no data records after August 2020. 

Earlier, Juspay had claimed: “On August 18, 2020, an unauthorised attempt on our servers was detected and terminated when in progress. No card numbers, financial credentials or transaction data were compromised."

However, the data dump contains a lot of sensitive information. The leaked details of at least 20 million users includes the card brand (VISA/ Mastercard/Amex), the card expiry date, the first six and last four digits of the card, a masked card number (with “xxxx” used as masking for hidden digits), the type of card (credit/debit), the name on the card, the issuing bank, card fingerprint (a detail that uniquely identifies the card to Juspay, which uses an algorithm to encrypt and store it), card International Security ID No (ISIN), which is the first six digits, the customer ID, merchant account ID, etc.

In all, at least 16 fields of card and transaction-related data have been leaked for at least 20 million Juspay users. In addition, the dump contains email ids, phone numbers and names. These details would have come from e-commerce sites, which pass on contact details while requesting Juspay to process transactions. For example, you book an order for chilli beef fry, or ghee roast pork on Swiggy; Swiggy asks Juspay to run the payment; Swiggy sends contact details to Juspay in case there’s any issue.  

Now this data in itself may be enough for phishing scams. Since emails, phone numbers, issuer bank details etc exist, a social hack may work even if the user has changed cards.

Let’s say a hacker calls the user pretending to be from the bank, or from Juspay or Amazon, with some excuse. A smooth, talking hacker who quotes the masked card number and transaction details may convince the user to give more critical details. This data may also be enough to swing an identity theft, by changing the associated email and phone number so that a hacker can pretend to be the user to request, say, a second card, or take a loan.

In addition, the ‘masked’ card data is vulnerable to hacks. The masked number shows the first six and last four digits. Since Indian cards are 16-digit, that leaves six masked digits to be discovered. There are several ways the entire card number may be decoded.

One is by figuring out the cryptographic method used by Juspay to create and store the “fingerprint” for cards saved in its database. They could then decrypt the number. Another method is based on using the Luhn algorithm, also known as the Modulus 10 algorithm.

IBM computer scientist Hans Peter Luhn created this method of verifying the validity of cards, social security numbers, and so on. The Luhn algo is in public domain and routinely used to correct typing errors.

Simplifying, every alternate digit starting from the right can be added up and multiplied to generate a number called a checksum. That checksum should end in a zero for a valid card, making it a multiple of 10. Using Luhn plus brute force, the masked digits can probably be calculated.

As we keep saying when these leaks occur, there is little redress possible in practical terms. There’s also no direct way to check if you’re exposed in this specific breach but services like HaveIBeenPwned will check if your personal data is floating around.

Safe card usage 

The last line of defence versus a hack is the three-digit CVV on the card’s reverse, which must be quoted in an online transaction. Most online Indian card transactions also involve some two-factor authentication, usually via a secret code number sent to a registered phone. But if a hacker changes the registered phone number, this may not be enough to protect you. The advice: Use a “virtual credit card” for every online transaction when you can’t pay cash on delivery.



Business Standard is now on Telegram.
For insightful reports and views on business, markets, politics and other issues, subscribe to our official Telegram channel