In a post titled “The Worrying State of Cybersecurity in Sri Lanka”, which I published last year, I emphasized that cybercriminals are targeting high-profile online assets owned and operated by the Sri Lankan government and business establishments with increasing effect. Today, one year and two months later, PayHere, a popular Internet Payment Gateway (IPG) service provider in Sri Lanka, announced they are under attack. Their website remains unresponsive at the time of this writing. In this post, I would like to offer you my two cents on the incident.
The Scale of the Hack
According to this notice on Twitter, the attackers broke in and defaced the website before transferring large volumes of data to their own servers. The notice also says the stolen data includes a database dump and the source code, which they plan to release on Twitter later today. Unfortunately, there is no way to verify the credibility of these claims. According to this notice on PayHere’s official Facebook page, the attackers have compromised their SMS gateway as well.
The notice suggests the attackers might have gotten away with the PII (personally identifiable information, such as contact numbers and email addresses) of anyone who made payments through the PayHere IPG. That means if you have ordered products or services from an e-commerce website that receives payments through PayHere, chances are high your PII is already compromised. It is difficult, however, to accurately assess the scale of the hack based solely on the word of the attackers.
The Gravity of the Hack
According to the attackers, the payment gateway is not PCI DSS compliant and PayHere has lied about its security. Companies like PayHere must comply with the 12 PCI DSS requirements to receive certification. I do not know which of these requirements PayHere failed to follow. If they did lie, however, from now on we have to think twice before providing our payment card details to businesses that use the PayHere IPG to accept payments online.
Another concern is that leading financial institutions on the island, such as Sampath Bank and Seylan Bank, have forged partnerships with PayHere in the past. The extent to which these banks are linked with PayHere is not clear at the moment. Nevertheless, we cannot completely rule out the possibility of the networks owned by these banks being compromised in the event PayHere gets hacked again. Such incidents have happened before; consider how the retail giant Target was hacked, if you need an example.
Response from PayHere
PayHere, in a lousy Tweet and a Facebook post, announced they are under attack but that the developers are actively resolving the issue. There was no formal announcement or press release, however. They reassured us that payment card details were not exposed but did not comment on the fate of the personally identifiable information. Did they inform SLCERT? I have no idea! Frankly speaking, I feel the PayHere management is not doing enough to warn their end-users or the customers of those end-users.
I am a frequent buyer at Jump Books, an online bookshop that uses the PayHere IPG to accept card payments on its website. Hence it is possible the attackers were able to compromise my own personally identifiable information, along with that of many others. Unfortunately, not even Jump Books alerted me to the incident. They should have, but they did not. There is a notice on their checkout page saying “PayHere Online payment gateway is temporarily disabled due to a technical issue from our payment partner”, and that is it.
Please exercise caution if you have ordered products or services from e-commerce websites that receive payments through PayHere. If the attackers managed to walk away with your personally identifiable data, such as your contact number and email address, they could use those details to compromise your information security via phishing attacks. Beware of website links in emails, text messages, and WhatsApp messages you might receive in the days to come, even if you trust their origins.
I am curious to know, however, how the PayHere leadership managed to post a casual notice on social media and move on, even after cybercriminals exploited a vulnerability in their widely used software product. It indicates that we need a reliable and powerful data protection bill. I know a bill has been passed in parliament, but I doubt whether it has teeth. The PayHere management would not have gotten away so easily if the bill in question had the power to hold local software vendors accountable.
Monday, April 4, 2022
A day after the incident, PayHere announced on Twitter and Facebook that the IPG is partially back online. As of 5:06 pm on Monday, April 4, 2022, however, the PayHere website is offline once again. In the meantime, I would like to share a few thoughts about the announcement. In it, the PayHere management said they have “tightened” the security of their infrastructure while investigating the incident further with the help of a cybersecurity firm. All these measures towards improved security are good, but not good enough. Here is why.
These measures are reactive, not proactive. If the attackers have already walked away with personally identifiable information, then tightening the security now is like closing the stable door after the horse has bolted. Further, the PayHere management should have sought the assistance of a cybersecurity firm before the incident and carried out penetration tests regularly. Hiring professionals to investigate the incident now is more like conducting a postmortem, and it is of no benefit to the other parties affected.
Monday, May 2, 2022
One month has gone by since the breach. PayHere published a detailed blog post on Sunday, April 1st, 2022; you can read that post here. However, on Monday, May 2nd, 2022, contrary to PayHere’s assurance to its clients that credit card information was not leaked, HIBP (Have I Been Pwned) reported otherwise.
It mentioned that partially obfuscated credit card data (card type, first 6 and last 4 digits, plus expiry date) was exposed in the leak. I am glad the PayHere management reassured us that credit card details were not exposed, but they might want to set the record straight here, because Have I Been Pwned is a service with global recognition and credibility.
If you found this content helpful, I kindly ask you to leave your feedback in the comments section below. Sharing it on social media would also be greatly appreciated. In order to promote meaningful and respectful dialogue, I request that you use your full name when commenting. Please note that any comments containing profanity, name-calling, or a disrespectful tone will be deleted. Thank you for your understanding and participation.