Hackers, Fraudulent Customers Steal Rs 7.38 Crore From Payment Gateway Firm Razorpay

Hackers and fraudulent customers have stolen Rs 7.38 crore by tampering with and manipulating the authorisation process of Razorpay's software to authenticate 831 failed transactions, according to a police complaint lodged by the payment gateway company. 
 
In his complaint to the South East Cyber Crime Cell lodged on May 16, Razorpay's Head of Legal Disputes and Law Enforcement Abhishek Abhinav Anand said the company was unable to reconcile receipt of Rs 7.38 crore against 831 transactions. On contacting its 'authorisation and authentication partner' Fiserv, a fintech and payments company, it was communicated to Razorpay that these transactions had failed and were not authorised or authenticated, the complainant said.
 
Following the communication from Fiserv, Razorpay conducted an internal investigation and identified 831 transactions against 16 unique merchants of Razorpay, from March 6 to May 13 this year, "to a tune of Rs 7,38,36,192", the complainant said. 
 
"These 831 transactions were marked as failed or unsuccessful by Fiserv, owing to authentication and authorization failure. However, it is found out that certain unknown hackers and fraudulent customers have tampered, altered and manipulated the ‘authorization and authentication process'...," Anand said in his complaint. 
 
"Due to this, false altered communications as ‘approved' were sent to Razorpay system against the 831 transactions, resulting in losses to a tune of Rs 7,38,36,192 to Razorpay," Anand further said. 
 
On receiving the false altered communications, Razorpay sent confirmations to its merchants for fulfilment of orders and made settlements to its merchants, he stated. In this connection, Anand furnished the details of the fraudulent transactions, including date, time and IP address, along with other relevant details, to the police for inquiry. The police said they are investigating the matter. Meanwhile, Razorpay said its payment gateway is on par with industry standards on data security. 
 
"During a routine payment process, an unauthorized actor(s) with malicious intent used the browser to tamper with authorization data on a few merchant sites which were using an older version of Razorpay's integration, due to gaps in their payment verification process," the company spokesperson said in a statement. 
 
"The company has conducted an audit of the platform to ensure no other systems, no merchant data and funds and neither their end-consumers were affected by this incident," the statement read. 
 
He said the company is ISO 27k, PCI-DSS and SOC 2 compliant, which applies end-to-end transaction data security features, combined with strong authentication and authorisation protocols to protect businesses from potential threats. 
 
"Razorpay has proactively taken steps to mitigate the issue permanently and eliminate future occurrences. The company has already recovered part of the amount and is proactively working with the relevant authorities for the rest of the process," the statement further said.
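
The spokesperson's statement attributes the loss to merchant integrations that accepted browser-delivered authorization data without verifying it. The sketch below is an added example, not Razorpay's code or part of the original report: a merchant server that ignores the browser-supplied status and fulfils an order only when an HMAC signature over the order and payment identifiers checks out. The signature scheme, field names, secret and order values are assumptions constructed for illustration.

```python
import hashlib
import hmac

# Constructed values for illustration only; not real credentials or identifiers.
GATEWAY_SECRET = b"constructed-shared-secret"
# Merchant-side order book: the amount lives here, never in the browser.
ORDERS = {"order_001": {"amount_paise": 49900, "status": "created"}}


def sign(order_id: str, payment_id: str, secret: bytes = GATEWAY_SECRET) -> str:
    """Signature a gateway would attach to an authorized payment (assumed scheme)."""
    msg = f"{order_id}|{payment_id}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def confirm_payment(callback: dict) -> bool:
    """Return True only if the callback proves the payment was authorized.

    The callback travels through the customer's browser, so every field in it
    is attacker-controlled. Its 'status' field is deliberately never read.
    """
    order_id = str(callback.get("order_id", ""))
    payment_id = str(callback.get("payment_id", ""))
    supplied = str(callback.get("signature", ""))

    order = ORDERS.get(order_id)
    if order is None or order["status"] != "created":
        return False  # unknown order, or already settled (replay)

    expected = sign(order_id, payment_id)
    # Constant-time comparison avoids leaking how many characters matched.
    if not hmac.compare_digest(expected.encode(), supplied.encode()):
        return False  # tampered or forged callback

    order["status"] = "paid"  # fulfil exactly once
    return True


if __name__ == "__main__":
    forged = {"order_id": "order_001", "payment_id": "pay_A",
              "status": "approved", "signature": "0" * 64}
    genuine = {"order_id": "order_001", "payment_id": "pay_A",
               "status": "approved", "signature": sign("order_001", "pay_A")}
    print("forged accepted:", confirm_payment(forged))
    print("genuine accepted:", confirm_payment(genuine))
    print("replay accepted:", confirm_payment(genuine))
```

A server-to-server status query to the gateway before settlement is a complementary check that does not depend on anything the browser relays.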
 
