According to a media report on Thursday, a payments startup based in New York left millions of credit card transaction records exposed on the Internet for anyone to see. The exposure lasted nearly 3 weeks before it was discovered and secured. Security researcher Anurag Sen discovered the database, which belongs to card payments processor Paay, TechCrunch reported after notifying the company of the finding.
Paay pulled the database offline after becoming aware of the issue. Paay co-founder Yitz Mendlowitz was quoted as saying, “On April 3, we spun up a new instance on a service we are currently in the process of deprecating.” He further said it was an error that the database was left exposed without any password.
Paay verifies payments on behalf of selling merchants in order to prevent fraudulent transactions, but because there was no password on the server, anyone could access the data inside. A review of a portion of the database by TechCrunch revealed that each transaction record contained the credit card number and expiry date, as well as the amount paid. Since the data did not include cardholder names or card verification values, the leaked information did not prove useful to fraudsters. Mendlowitz, however, said that his company does not store card numbers.
This kind of exposed information could have led to a bigger threat during this time of crisis, when fraudsters and hackers want to line their own pockets at the expense of others.
Google recently reported that it received more than eighteen million malware and phishing emails daily related to COVID-19 scams, in just the one week from April 6 to April 13.
Hackers are also creating scam sites themed on COVID-19 relief packages. These scam websites use news of financial incentives and fears about the coronavirus to trick people into using the websites or clicking on links. Since January, a total of 4,305 domains relating to new stimulus/relief packages have been registered globally, as found by Check Point researchers. In March 2020, a total of 2,081 new domains were registered, of which 38 were malicious and 583 suspicious. In the first week of April, 473 new domains were registered, including 18 malicious and 73 suspicious domains.