JusPay non denial blog post rant

Posted on January 05, 2021

Disclaimer - I use Swiggy all the time, so I am pissed with the way Juspay is handling their communication about the breach. This is basically a technical rant which asks questions they have obscured in their disclosure. If this triggers you, please visit /r/awww and smile at cute things.

Juspay disclosure post obscures bad security practices IMHO

The JusPay blog post talking about the breach is full of BS. Since my credit card would have possibly leaked as a customer of Swiggy, I was keen to understand what must have happened by reading the post to feel assured. Due to my background with Cloud Security and AppSec I realised that the whole post is wrapped in language to make it sound like it was not really their fault!

Isolated System

Juspay : August 18, 2020 cyberattack limited to an isolated system.

My thoughts

What was this system?
Was it a server which had weak credentials or was it not patched?
If it was isolated, how come the attacker was able to access it? Why wasn't this in a private network (AWS VPC)

As we get into the details, they admit it was a "storage" system

Isolated "Storage" System

My thoughts

Storage can mean anything; RDS Server, A file on disk, Elastic Search instance, Mongo/Redis Key Value
Unrecycled access being compromised sounds like a AWS Access Key and Secret Key that got leaked.
The interesting thing to know would be where did the key leak from
- Even if an access key was leaked, why would that key allow access to the "isolated" system which had real user data

Restricted Isolated Storage System

Juspay : The breach was restricted to an isolated system...

My thoughts

Now we have a storage system which is isolated but also being used for being shown on merchant UI.
Merchant UI seems like an backend B2B app
The isolated storage system seems like a database backend supporting a web application

Impact

Juspay : About 3.5 Cr records with masked card data and card fingerprint (which is non-sensitive information) were breached.

My thoughts

Since there is no mention of the timeline on the 18th of August, to me it looks like there was significant lag between an alert being generated and any kind of incident response
Calling the incident response immediate after losing 3.5 crore (35,000,000 records) reeks of PR speak
While they claim they were following best security practices, suddenly a system audit found a class of security issues which they fixed after the breach!

Ecosystem is a vulnerability

Juspay is not an isolated case. Many payment companies and B2C companies have been compromised. With lockdowns due to COVID this has assumed even larger propotions. But this is a failure at multiple levels. The payment processor stores our data but has no obligation to inform end customers even 6 months after the fact. Companies like Swiggy who actively encourage consumers to store Credit Card details are also guilty of sweeping this under the rug. Security companies who have some idea of securing APIs pretend to secure IaaS platforms such as AWS.

In India we have extremely weak consumer protection. In the absence of disclosures (which is due to absence of law), if card data is misused, our police is woefully short of capability to investigate and banks really good at passing the buck.

For me, my take away is to find a virtual credit card and use that. Short of that, I am planning to stop using credit cards for online shopping.