Akash Mahajan
A blog about Technology and Life


JusPay non denial blog post rant

Disclaimer - I use Swiggy all the time, so I am pissed with the way Juspay is handling their communication about the breach. This is basically a technical rant which asks questions they have obscured in their disclosure. If this triggers you, please visit /r/awww and smile at cute things.

Juspay disclosure post obscures bad security practices IMHO

The JusPay blog post talking about the breach is full of BS. Since my credit card details may well have leaked, as I am a Swiggy customer, I was keen to understand what must have happened by reading the post, hoping to feel reassured. Given my background in Cloud Security and AppSec, I realised that the whole post is wrapped in language designed to make it sound like it was not really their fault!

Isolated System

Juspay: August 18, 2020 cyberattack limited to an isolated system.

My thoughts

As we get into the details, they admit it was a "storage" system.

Isolated "Storage" System

My thoughts

Restricted Isolated Storage System

Juspay: The breach was restricted to an isolated system...

My thoughts

Impact

Juspay: About 3.5 Cr records with masked card data and card fingerprint (which is non-sensitive information) were breached.

My thoughts

Ecosystem is a vulnerability

Juspay is not an isolated case. Many payment companies and B2C companies have been compromised. With lockdowns due to COVID this has assumed even larger proportions. But this is a failure at multiple levels. The payment processor stores our data but has no obligation to inform end customers, even 6 months after the fact. Companies like Swiggy, who actively encourage consumers to store credit card details, are also guilty of sweeping this under the rug. Security companies who have some idea of securing APIs pretend they can secure IaaS platforms such as AWS.

In India we have extremely weak consumer protection. In the absence of disclosures (which is due to the absence of a law requiring them), if card data is misused, our police are woefully short of the capability to investigate, and banks are really good at passing the buck.

For me, the takeaway is to find a virtual credit card and use that. Short of that, I am planning to stop using credit cards for online shopping.