Introduction: CCTV's "Weekly Quality Report" today broadcast the program "The Hidden Concerns of Mobile Payment", focusing on the security issues of mobile payment. The following is the transcript of the program.

[Studio] Let's work together to create a high-quality life. Welcome to "Weekly Quality Report". Not long ago, an organization released a set of statistics. In 2013, the scale of China's third-party payment market reached 16 trillion yuan, of which the total amount of Internet payment was close to 9 trillion yuan, an increase of 30.04% over the previous year. With the continuing spread of the mobile Internet, mobile payment has grown even faster: in 2013 the amount of mobile payment exceeded 1 trillion yuan, an increase of 556.75% over the previous year. It is precisely because of this astonishing pace of growth that the security of online payment and mobile payment deserves our attention. In our investigation, we found that the security of online and mobile payment is really not enough to let consumers feel completely at ease.

[Text] Recently, reporters received reports from mobile phone users that the deposits in their bank cards had suddenly disappeared. A user from Fujian said that his bank card had been used to make six online transactions of 2,000 yuan each through third-party payment services such as Alipay and NetEase Pay.

[Concurrent] Telephone interview with a mobile phone user in Quanzhou, Fujian
Reporter: When was the money stolen?
User: It was 10 a.m. on April 15.

[Text] Coincidentally, the police in Yangzhou, Jiangsu Province disclosed to reporters a bank card fraud case in which more than 60,000 yuan was stolen from the victim's bank card.

[Concurrent] Zhu Kai, instructor at Hangji Police Station, Guangling Branch, Yangzhou Public Security Bureau, Jiangsu Province: From January 25 to 26, his Agricultural Bank of China card was charged many times by unidentified persons through these online payment platforms, for a total of more than 60,000 yuan.

[Text] The police said the strange thing was that before the card was stolen, the bank card, the U shield and the online banking password had not been lost. Stranger still, throughout the theft the mobile phone bound to the bank card showed no text-message reminders of account changes. It was not until the victim swiped the card to make a purchase that he discovered the card had been stolen. The police investigation found that most of the more than 60,000 yuan stolen was spent on recharging phone bills, buying game cards and other online consumption. According to the existing security precautions of third-party payment platforms such as Alipay, only when all four security keys, the account number, login password, payment password and SMS verification code, are held at the same time is it possible to charge the card and transfer money through the platform online. Moreover, for each card payment or transfer, the bank also sends an account-change reminder text message to users who have subscribed to the SMS reminder service. So, who is quietly stealing from other people's bank cards? An independent third-party organization in Beijing that specializes in network security research conducted a statistical analysis of news reports about bank card fraud through Alipay in recent years and found that in some cases private information was leaked through users' own carelessness, for example someone using a duplicate ID card to get a replacement mobile phone card issued, which ultimately led to bank card fraud.

In a considerable number of other cases, users had their bank card funds stolen passively, because of network insecurity.

[Concurrent] Network security expert Wan Tao: Passive means you just connect to a Wi-Fi, go to a cafe, have a drink, do your work there and use it normally, and you get tricked. You visit normal websites and open normal apps, and in this situation your phone is taken over.

[Text] Smartphones mainly run Apple's iOS and the Android system. At present, because of the openness of the Android operating system, once a security loophole is exposed the threat to users' information security is greater. So, does this mobile phone operating system have security loopholes, and can criminals use them to break into users' phones and secretly use Alipay and other third-party payment platforms to steal from users' bank cards? After careful research, experts found that some smartphones do have system security vulnerabilities, serious enough to threaten the security of users' phones.

Zhuge Jianwei: Associate Researcher at Tsinghua University, head of the research group for "Linux/Android Operating System Security Vulnerability Detection", a major national special project.

[Concurrent] Mobile security expert Zhuge Jianwei: We have now obtained the user's Xiaomi 2 mobile phone. Through our technical analysis we found that it has many security vulnerabilities.

[Text] Professional technicians reproduced the complete process of using this mobile operating system security vulnerability to attack the phone and secretly steal from the user's bank card.

[Concurrent] Mobile security expert Zhuge Jianwei: The attacker sets up a public phishing Wi-Fi, configuring a wireless router to serve as the node through which the user's phone accesses the Internet, a man-in-the-middle attack. If the user connects his phone to such a public Wi-Fi to save mobile data, the user's Internet traffic is hijacked to a laptop or PC designated by the attacker.

[Text] Experts said that once a mobile phone user's Internet data flow is hijacked by an attacker, any web page the user opens may secretly have a malicious attack program inserted into it by the attacker. That program exploits security loopholes in the phone's browser and then automatically implants a new Trojan program in the user's phone. The Trojan then exploits root privilege escalation loopholes in the kernel of the phone's operating system to obtain the highest authority, which originally belonged to the system itself, meaning the attacker has gained full control of the phone.

[Concurrent] Mobile security expert Zhuge Jianwei: In other words, he can read all the user's private information stored in the phone and can control any application installed on it.

[Text] The reporter noticed that when the user entered the Alipay account and password on the phone, this extremely important account authentication information was exposed almost simultaneously on the attacker's computer screen. According to Alipay's process design, a single payment of 200 yuan must be confirmed by SMS verification code before the payment operation can be completed. However, the experts' analysis found that after the attacker gained full control of the phone, the security protection of the SMS verification code was effectively nullified.

[Concurrent] Mobile security expert Zhuge Jianwei: At the same time, he can also use the Trojan program on the phone to intercept a verification code sent by Alipay to the user's phone.

[Text] The reporter saw that when the technician used the Alipay account and password just obtained to initiate a transfer of 555 yuan, the SMS verification code sent by the Alipay platform to the user's phone did not appear on the user's phone screen but appeared instead on the attacker's computer screen. After the technician entered this verification code, the 555 yuan balance in the user's Alipay account was immediately transferred away. In addition, the SMS notification of the account change was also blocked, and no prompt appeared on the user's phone screen.

[Concurrent] Mobile security expert Zhuge Jianwei: This new attack method lets the attacker transfer your money very calmly without the user noticing.

[Text] Experts warn that this technique of exploiting security loopholes in the mobile phone operating system to attack the user's phone and steal from bank cards through third-party payment platforms such as Alipay is not advanced. As long as ordinary network attackers track some publicly known security loopholes or buy the related attack programs and Trojans through the underground industry chain, they can complete the attack on an Alipay account and steal the user's bank card funds. The researchers then broadened the scope of their research and found that several mobile phones on the market have similar security loopholes.

[Concurrent] Mobile security expert Zhuge Jianwei: In addition to the Xiaomi 2, models such as Samsung's Galaxy S4, Google's Nexus 4, and some Huawei and Lenovo models also have such root privilege escalation security loopholes, that is, a loophole that lets attackers obtain the highest authority on the phone.

[Text] The reporter noticed that the experts analyzed and tested these phones with system security loopholes after installing several mainstream mobile phone security apps available on the market.
However, when professional technicians used this system security loophole to conduct Alipay transfer attack tests, these security apps did not appear to provide any protection.

[Concurrent] Mobile security expert Zhuge Jianwei: This attack mode combines browser vulnerabilities with local root privilege escalation vulnerabilities to carry out further attacks, completely blocking the operation of 360 Mobile Guard and rendering it ineffective. Our further analysis found that this attack mode is also effective against other mainstream mobile security software on the market, such as Tencent Mobile Manager, and can likewise make them lose their ability to protect the phone.

[Text] After further analysis and testing, experts also found that this Android system security vulnerability allows attackers not only to steal from bank cards over the Internet through third-party payment platforms such as Alipay, but also to completely erase the traces of the attack after achieving their goal, which amounts to stealing from users' bank cards without a trace.

[Concurrent] Mobile security expert Zhuge Jianwei: After he makes a malicious transfer, he can completely erase the Trojan program and all the logs. In this way, even if you report the case and hand the phone over to the police, the police currently have no way to find a clue to the attacker through forensic analysis.

[Host]

[Text] The mobile phone operating system is the basis on which all phone applications run, the equivalent of the phone's brain. Experts from the national authoritative network security research institution revealed to reporters that the objective existence of security vulnerabilities in the Android operating system has opened the door to attacks on phones, exposing mobile payment applications such as Alipay to serious security threats.

[Concurrent] Dr. Du Yuejin, Director of the National Engineering Laboratory for Network Security Emergency Technology: Mobile payment has a complete set of methods to ensure your security, but if there is no safe environment, all your security guarantees will be seriously threatened.

[Text] Reporters learned that building and improving mobile phone operating systems cannot be done once and for all; there is always a contest between attack and defense. Nevertheless, experts pointed out that promptly patching system security vulnerabilities and raising the security level are responsibilities that mobile phone operating system vendors cannot shirk. Article 32 of the People's Bank of China's "Regulations on the Administration of Payment Services of Non-financial Institutions" stipulates that payment institutions shall have the necessary technical means to ensure the security of payment services. In other words, third-party payment vendors such as Alipay cannot evade their obligation and responsibility to ensure the security of their application software. The People's Bank of China's "Regulations on the Administration of Testing and Certification of Payment Service Business Systems of Non-financial Institutions" and "Specifications for Compliance and Security Testing of Technical Standards for Payment Service Business Systems of Non-financial Institutions - Online Payment Part" explicitly require testing of "client identification information security", which covers user-entered accounts and passwords. If sensitive data such as account names and passwords are found to be leaked, this is classified as a serious problem, and the test result for the third-party payment platform's entire business system is then judged "non-compliant" with the specifications.

[Concurrent] Dr. Du Yuejin, Director of the National Engineering Laboratory for Network Security Emergency Technology: This is like my being a traditional bank. I provide you with banking services. I allow you to use the tools I give you to perform banking operations. As a result, the tools I give you have problems. The problem is that you are exploited by others, and then your interests are damaged. From the operator's perspective, you are indeed responsible.

[Text] After research, analysis and testing, experts found that the reason attackers can obtain important authentication information such as mobile phone users' Alipay accounts and passwords is precisely that they can instrument the Alipay application, implant malicious program fragments, and monitor user input.

[Concurrent] Mobile security expert Zhuge Jianwei: The Alipay application lacks mechanisms to resist reverse analysis, and there is no verification of a modified Alipay application, so the modified Alipay application can still connect to the server as before to complete login and transfer operations.

[Text] The reporter then telephoned Alipay to ask about security precautions against malicious program fragments being inserted into the Alipay application.

[Concurrent] Alipay customer service agent 018
Reporter: Can you find out whether the Alipay software in a user's phone has been tampered with?
Customer service: Yes. Didn't you just tell me the account number, and I checked it here.
Reporter: So only the user can tell you, right?
Customer service: Yes.
Reporter: Then why can't you take the initiative to remind the user?
Customer service: We are gods!

[Text] In the complex and changeable network environment, the probability of security incidents on third-party payment platforms such as Alipay is not low. According to data released by the People's Bank of China in 2011, the probability of an online banking security incident in China is only one in a million. As of now, however, Alipay itself says its risk probability is one in 100,000.

[Concurrent] Alipay company technician: The risk rate should be around one in 100,000. In this process, we cannot guarantee that every user's Alipay account is safe.

[Text] Reporters found that after users' bank cards are stolen through Alipay and other third-party payment platforms, apart from claiming compensation from the platform, they can only wait until the police solve the case and recover the stolen money to make good their losses. Public reports show that it is difficult for victims to get their money back as they wish when they claim compensation from third-party payment platforms. One user's Alipay account was robbed of 50,000 yuan, but Alipay refused to compensate. Reporters learned from the police that even when a bank card theft case is successfully solved, it is not a simple matter for the victims to recover the stolen funds.

[Concurrent] Instructor of Hangji Police Station, Yangzhou City, Jiangsu Province: After the suspects were brought to justice, we followed the case to the procuratorate and the court according to the relevant laws and regulations. After prosecution was filed, civil compensation would be attached.

[Text] The police revealed that with the spread of the mobile Internet, network security problems involving mobile payment and other areas have become increasingly prominent. To reduce the security threats mobile payment poses to users and avoid user losses, in addition to strengthening the security responsibilities and obligations of application software vendors, preventive measures are urgently needed. Experts remind users to avoid using free Wi-Fi that does not require a password, and to be careful not to fall into the trap of phishing Wi-Fi networks with similar names. It is best to turn off the phone's automatic Wi-Fi connection function to prevent it from automatically scanning for and connecting to password-free phishing Wi-Fi networks. In addition, two mobile phones can be used: one for logging in to Alipay and other third-party platforms to make payments, and the other's phone number used exclusively for receiving verification codes from mobile banking or third-party payment platforms, which makes it harder for network attackers to obtain personal private information and reduces the risk of bank card theft.

[Studio] Experts say that in the current Internet era there is no permanent solution to the various Internet security issues. Third-party platforms such as Alipay have set up multiple thresholds to protect users' funds and information; passwords, SMS verification codes and so on are effective security barriers. However, as criminals become ever more sophisticated at stealing user information, existing security measures also urgently need updating and upgrading to protect users' funds more effectively. Unfortunately, from our current investigation, the security protection measures of third-party Internet payment and mobile payment platforms are not enough to prevent attacks from criminals, which undoubtedly leaves users with huge security risks. Well, thank you for watching "Weekly Quality Report"; see you next week at the same time.