Security Analysis of Unified Payments Interface and Payment Apps in India
Renuka Kumar (1), Sreesh K., Hao Lu (1), Atul Prakash (1)
(1) University of Michigan
Page 2: Early Indian Payment Apps - Wallets
(Diagram: the user adds money to a wallet, e.g. Paytm, through the payment service provider.)
India was predominantly a cash-based economy, and while payment apps existed, they were not the chosen mode of payment.
Page 3: Mobile Payments using Unified Payments Interface
(Diagram: the user adds a bank account through the UPI payment service, which talks to the financial institution; apps shown: BHIM, G Pay.)
In 2016, the National Payments Corporation of India launched UPI to enable free instant micro-payments from a mobile platform.
Page 4
155 Banks Live on UPI; 1.3 Billion Transactions; $34 Billion USD*
As of June 2020
*https://www.npci.org.in/product-statistics/upi-product-statistics
Page 5
In this research, we conduct a security analysis of UPI 1.0, a complex black-box application-layer protocol used by several Indian payment apps, and of its design choices.
Page 6: UPI's "Broad Guidelines"
User's primary cell number (UPI ID) must be registered with the bank out-of-band.
User Profile Setup:
● Factor 1: Device fingerprint - cell number + device info ("device hard-binding")
● Factor 2: Passcode (optional)
Authorize Transactions:
● Factor 3: UPI PIN (6 digits of debit card + expiry date)
Page 7: Objectives of Protocol Analysis
● Uncover the client-server handshake step-by-step
● Collect from each step:
○ Credentials required
○ Leaked user-specific attributes
● Find alternate workflows that can be exploited
● Triage the findings to determine plausible attack vectors
Page 8: Reverse Engineering Barriers
Protocol Analysis: Unpublished protocol and no back-end access to UPI servers. Analyze the protocol through the lens of UPI apps.
Evading App Defenses: Security defenses are many and differ for each app.
Page 9: Evading App Defenses
Defenses:
● Obfuscated
● Use encrypted communication
● Emulator detection built-in
● Requires a physical SIM card to be present on the phone
○ Makes dynamic analysis difficult
● UPI apps undergo a thorough security review in India
Approach: A combination of static reverse-engineering, code instrumentation and traffic analysis
Page 10: Setup
● Client: India's flagship app, "BHIM"
○ Reference implementation of a UPI app
○ Instrument and repackage BHIM
■ Map GUI with the handshake traffic
● Confirm findings on other popular UPI 1.0 apps (Paytm, PhonePe, etc.)
● Mobile OS: Android
Page 11: UPI 1.0 Handshake - An Attacker View
Page 12: Threat Model
Victim (any good user):
● Installs BHIM from Google Play
● Uses a properly configured phone
● Prevents unauthorized physical access by untrusted parties
Attacker (any good attacker):
● Uses a rooted phone
● Can use any tool at his disposal to reverse engineer apps
● Releases a useful unprivileged trojan app that somehow enters a victim's phone
Page 13: Is the Threat Model Realistic?
For the attack to succeed, the victim must have installed the Trojan app.
Threats from PHAs (potentially harmful applications) are very real*:
● 53% of attacks are because of preinstalled PHAs on low-cost cell phones
● India is in the top 3 countries with the most PHAs pre-installed
*https://source.android.com/security/reports/Google_Android_Security_2018_Report_Final.pdf/
Page 14: Attacking User Profile Setup
(Same three-factor diagram as Page 6: Factor 1, device fingerprint - cell number + device info, "device hard-binding"; Factor 2, passcode, optional; Factor 3, UPI PIN - 6 digits of debit card + expiry date. Factors 1 and 2 belong to User Profile Setup, Factor 3 to Authorize Transactions.)
Page 15: Device Hard-binding Default Workflow
1. BHIM sends device details to the UPI server; the server saves the device info and returns a registration token.
2. BHIM reads the user's cell phone number from the device and sends an SMS with the token; the server verifies the cell number.
3. The UPI server replies "Device Binding Success".
Page 16: Device Hard-binding Default Workflow (same diagram as Page 15)
Attacker's View: To attack Step 2, compromise the protections provided by the cell phone company.
Page 17: Device Hard-binding Default Workflow (same diagram as Page 15)
Attacker's View: To attack Step 2, compromise the protections provided by the cell phone company. BUT...
Page 18: Device Hard-binding - Alternate Workflow
Attacker can induce a failure in step 2 of the default workflow by turning on airplane mode.
(Diagram, attacker device to UPI server: attacker device details, then registration token; the attacker enters the victim's cell number on an attacker device and the app sends cell# + token as an HTTP message; the server sends an OTP.)
The alternate workflow may allow an attacker to bind her cell phone with a cell number registered to the bank account of another user.
Page 19: Breaking Device Binding
(Same alternate-workflow exchange as Page 18, run from the attacker's phone: device details, registration token, cell# + token as HTTP message, OTP.)
Attacker enters victim's cell number. The trojan needs RECEIVE_SMS permission to read the OTP.
Page 20
To break device binding, the attacker only needs a user's cell number and an OTP from that number.
Page 21: Leak Passcode
(Diagram: BHIM sends the passcode to the UPI server, then proceeds to Add Bank Account.)
Use an overlay on BHIM's passcode entry screen. No additional permissions required.
Page 22
Passcode is a secret shared with the payment server and not the bank. For third-party payment apps like GPay, the passcode is a secret shared with the Google payment server.
Page 23
The attacker is never prompted for a bank-related secret at any point in the user registration workflow.
Page 24: Add Bank Account
(Diagram: BHIM sends "Choose Bank" to the UPI server; the server replies with the bank account number and name.)
Attacker can start brute-forcing with the most popular banks. The UPI server appears to allow brute-force attacks; an attacker can learn of all bank accounts of a user.
Page 25: Add Bank Account (same diagram as Page 24)
UPI server reveals sensitive bank info without the user providing any bank-specific secrets.
Page 26: New UPI User vs. Existing User
New user (BHIM to UPI server): Bind Device + Cell; Device Bind Successful; Send Passcode; Add Bank Account.
Existing user (BHIM to UPI server): Bind Device + Cell; Device Bind Successful; Send Passcode; the server returns Bank Acct#, Name.
For an existing user, the attacker can sync a user's bank account through UPI without providing any bank-related secrets.
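As an added example (not code from the paper, NPCI or BHIM), a Python model of the registration flow described on Pages 15-19 and 23-26: the default SMS path binds a device to the carrier-attested sender number, the alternate HTTP path binds it to a merely claimed number proven only by an OTP, and the Add Bank Account step returns account details to any bound device. The class and method names, the sample account and secret, and the two hardening switches (a bank-held secret and a cap on wrong-bank lookups) are assumptions for illustration, not part of the protocol the slides describe.

```python
import secrets
from dataclasses import dataclass, field

# Constructed sample data (not from the paper): one user, one bank account,
# and a bank-held secret that only the hardened server demands.
ACCOUNTS = {("+919800000001", "BankA"): ("XXXX1234", "A. User")}
BANK_SECRETS = {"+919800000001": "1234"}


@dataclass
class UpiServer:
    """Model of the server side of registration (assumption, not NPCI code)."""
    require_bank_secret: bool = False  # UPI 1.0 as described never asks for one
    max_bank_guesses: int = 0          # 0 = unlimited, as the slides observe
    otps: dict = field(default_factory=dict)     # device id -> (cell, otp)
    bound: dict = field(default_factory=dict)    # device id -> verified cell
    guesses: dict = field(default_factory=dict)  # device id -> wrong banks tried

    def bind_via_sms(self, device_id, carrier_sender):
        """Step 2, default path: the registration token arrives in an SMS whose
        sender number the carrier filled in, so it proves the SIM in the device."""
        self.bound[device_id] = carrier_sender
        return carrier_sender

    def start_http_bind(self, device_id, claimed_cell):
        """Step 2, alternate path: the client merely claims a number over HTTP
        and the server sends an OTP to it (returned here instead of by SMS)."""
        otp = f"{secrets.randbelow(10**6):06d}"
        self.otps[device_id] = (claimed_cell, otp)
        return otp

    def finish_http_bind(self, device_id, otp):
        """The only proof in the alternate path is presenting that OTP, which
        any app with RECEIVE_SMS on the claimed number's phone can read."""
        cell, expected = self.otps.pop(device_id, (None, None))
        if expected is None or not secrets.compare_digest(otp, expected):
            return False
        self.bound[device_id] = cell
        return True

    def add_bank_account(self, device_id, bank, bank_secret=None):
        """Add Bank Account step: returns (acct, name) for the bound cell.
        Hardened settings demand a bank-held secret and cap wrong-bank tries."""
        cell = self.bound.get(device_id)
        if cell is None:
            return None  # unbound device: nothing to look up
        expected = BANK_SECRETS.get(cell)
        if self.require_bank_secret and not (expected and bank_secret == expected):
            return None  # hardening: prove a bank-side secret first
        if 0 < self.max_bank_guesses <= self.guesses.get(device_id, 0):
            return None  # hardening: locked out after too many bank guesses
        hit = ACCOUNTS.get((cell, bank))
        if hit is None:
            self.guesses[device_id] = self.guesses.get(device_id, 0) + 1
        return hit
```

With the defaults, a device bound through the alternate path gets the account details with no bank secret at all; with both hardening switches on, the same lookup fails without the secret and locks after repeated wrong banks.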
Page 27: Demo - Attack on Existing User
Page 28: Preconditions for Attack
● Attacker disables BHIM's client-side defenses
○ Installs repackaged version of BHIM
● Victim's device is already compromised with the trojan
● Learning the cell number
○ Attacker can get the cell number starting with no knowledge of a user
○ Cell number is not a secret and is widely circulated in India
Page 30: Authorize Transaction: UPI PIN
● UPI PIN can be leaked the same way as the passcode.
Setting UPI PIN:
● Requires partial card details printed on a card
● Transactions require complete card number + secret PIN shared with the bank
Setting UPI PIN requires only partial debit card info and NO secret - a lower bar in India.
Page 31: The Damage!
Unlike mobile wallets, where money may only be lost from the wallet, here the attacker can empty a user's bank account.
Page 32: Security Hole
There are 155 UPI apps and an attacker can use any of the apps to leak information.
Page 33: Conclusion
● We uncover core security holes in the workflow of UPI 1.0
○ Using an attacker-controlled app, we show how an attacker can attack a user's bank account and steal money from him
● Responsibly disclosed the vulnerabilities to CERT-IN and the makers of UPI in 2017
○ Contacted all the app vendors
● UPI 2.0 released in August 2018
○ Fixed the alternate workflow we exploit, but other security holes remain
● Other attack vectors that could potentially compromise UPI 2.0
○ SMS spoofing, loss of user's device or compromising the system
● Calls for proper security vetting of the proprietary protocol since discussions are on to make UPI global [2]
[2] https://government.economictimes.indiatimes.com/news/digital-payments/upi-hits-1-billion-transactions-in-oct-plans-to-go-global/71799413
Page 34
This material is based on work supported by the National Science Foundation under grant number 1646392.
Contact: [email protected]
Thank You!