Decomposition Of PayTM: Impact, Threats, And Vulnerabilities

Decomposition of PayTM

PayTM is e-commerce enterprise and is Payments Bank Company. Their company is purely B2C e-commerce based.

This report will highlight the decomposition of the PayTM application. PayTM’s impact on Indian society will be elaborated in details. Various kinds of threats associated with PayTM will be discussed in details. Along with the threats, the vulnerabilities will be showcased in the report. The security measures will be well discussed as well in the report.

The company named One97 is one of the e-commerce enterprises and they cater the services like mobile wallets, OTA bookings and revenue payments generation. PayTM is apart of this organization. PayTM is not only e-commerce enterprise, rather it is Payments Bank Company (Akazue 2015). They utilize a single commission system model to conduct their business activities and their business is purely B2C e-commerce based. PayTM provides their service via their websites and mobile applications, they integrate wallet and payment on the online platform. The customers choose products according to their convenience, put it in the cart, apply promo codes and finally order them. Later the seller prepares the item for dispatch and then ships it to the customer. The whole shipping procedure is carried out by courier service. The seller gets his revenue by selling the item to the customers. PayTM charges only twenty percent of the revenues of the product and in turn provide customers to the sellers. The other business that is carried out by PayTM is payments bank.

PayTM can be utilized for paying the utility bills. The customers pay for the DTH bills, phone bills, electricity bills via the e-wallet facility of PayTM. The customers are not limited to that, they pay their loans and home EMI, insurance premiums via e-wallets of PayTM. The customers first transfer their money from their respective bank to their respective e-wallets of PayTM. The transactions are then continued through e-wallets. Other than that they sell gold via their websites. PayTM acquires a high commission while customers buy any items from their site (Akazue, Aghaulor and Ajenaghughrure 2015). The customers also prefer to pay their bills online via PayTM as they can get discounts or coupons on each purchase. PayTM also charges a minimal fee while customers want to use promo codes or coupons. Once they put the money from the bank to their e-wallet of PayTM they will not be able to put it back to their bank account. The customers can use the e-wallet money according to their convenience at any time.

PayTM in India Development

The e-wallet is a source of income for PayTM. In India, at the time of dfemonetization, PayTM e-wallet comes handy and then the customers use the money of their e-wallet account to purchase their valuables and everything (Akazue 2015). PayTM has collaborated with UBER and IRCTC. The customers can now travel UBER cars from their PayTM e-wallet. They cater around about three percent discount to the transaction total and the rest they pay the rest to the sellers.

The e-commerce industry has flourished to a great extent due to the advent of PayTM and with the usage of smartphones, tablets the e-commerce has become more predominant. The compound annual growth has increased in India up to thirty-four percent since the year 2019 solely because of PayTM. This is the reason, the public sectors are adopting e-commerce to enhance their activities (Aljawarneh 2015). PayTM is making India digital and the India Prime Minister advised Indian citizens to use PayTM at the time of demonetization. The Prime Minister motive is to make digital and along with that, he wants to make India corruption free. Thus he has taken the approach to use PayTM and also suggest everyone. The Government wants to impose a right amount of tax on every item and if anyone pays via PayTM then it will be impossible for the anyone to evade tax, every transaction of money will be recorded and this data will be available online and in the database of  PayTM. Thus as the transaction will be recorded everytime the corruption will significantly reduce (Awan and Memon 2016). Thus PayTM has made significant impacts on the Indian economy and this software is gradually becoming famous at every corner of India.It is hoped the whole India will digitalise with the aid of PayTM.

 

Fig 1: PayTM and its services

(Source: Awan and Memon 2016, pp-425)

The threats associated with e-commerce are as follows-

Human elements

The main motto of the business owners must be to secure their workplace first and PayTM is no exception. PayTM may have the highest security architecture but have to consider the insiders. The insiders may steal the vital information of the system and the database also there can be another kind of data breach as well. The data can be leaked and the whole system and the database will be vulnerable to threats. Again, the employees show laziness and they do not bother installing security software in their system. The lack of antivirus software can put the database in risks and so the important data like customers’ data can be at risk as well. Also, some employees do not want to change because so they do not install the software (Becker, Alper and Lee 2014). Even they do not want to change the operating system, hardware and software components as well, this leads to the disruption and thus the system becomes vulnerable to threats and risks. That is why PayTMneds to take proactive steps to mitigate those risks related to human elements.

Threats associated with PayTM

Threats related to e-commerce servers

PayTM include all the sensitive information of the customers alongside the sensitive information of the employees. The intruders garner that information and exploit the system for their advantages. Thus the hackers carried out their attacks via the ransomware and malware. The attack also involves the DDoS attacks and phishing schemes. By means of phishing the intruders acquire the personal information of the customers and in this way, the customers’ bank account details can be hacked. Even the DDoS attacks are equally dangerous, the authorized users will not be allowed to access their own system. The other type of threats that is related to the server is a technological failure of the system. The computer system can fail due to the loss of packets (Deshmukh, Chhangani and Thampi 2016). The weak network configuration can be the cause of the failure as well. Again sometimes the software codes on basis of which a software is developed get corrupted or bugs can be found while the software is tested. Therefore, PayTM must be aware of their website as well as the mobile site. Misconfiguration can cause harm to the severe extent to these companies. The customers can lose their hard earned money by this misconfiguration or computer failure. There is also a risk of operating system failure as well. The Windows operating system can fail, can get corrupted, can get attacked by the virus so the unstable operating system is another failure that must be taken into account. Again the-the threats associated with the hackers can be classified into the active attack and passive attack (Europe 2014). The malicious activities include the monitoring the insecure transmission over the Internet and so this a passive attack, the other attack is the active attack where the data transmission is not only monitored but also it is modified for selfish needs of the intruders.

Malicious Code Attacks

Viruses and Worms

The virus and the worms are the two major threarts or better can be said for the enemies for the ecommerce and the electronic payment enterpriss like PayTM. A  worm basically spreads without any human interaction and it replicates itself and causes harm to greater extent whereas the virus is the dangerous threat which spread by the hackers and though it is less harmful compared to the worms yet the virus can be equally devastating as well. The virus requires a file attached and if that file is opened somehow the virus spreads into the system (Fetscher 2016).  The virus makes serious damage to the files stored on the hard disk, so sometimes the hard drive requires formatting to get back to the initial scenario. In this way, the PayTM can face huge data loss due to virus attacks. Also due to the worm’s attacks, many computer systems can stop functioning thus affecting the e-commerce server like PayTM server. Due to the ceratin shut down of systems the customers may face issues while they are transacting money or carrying on online shopping.

Trojan Horses

PayTM requires updating of the server and the database that is why sometimes they download patches for the software. To enhance the security and also to enhance the business operations sometimes the e-commerce organisations like PayTM downloaded software to scale up the business operations, however, if that software is not downloaded from any trusted website then there can be a chance of Trojan virus attack. Also along with that, the defence mechanisms should proactively work in these scenarios. Therefore, there is a chance of data breach all the time (Flanagin et al. 2014). If the employees of the organization by mistake explore the software, the virus will spread throughout the system and make it vulnerable. They will steal all the vital and sensitive operation of the database.

Logic Bombs

A logic bomb is somewhat similar to Trojan Horse and works in an almost similar way. This virus software release the rogue code after an application is deployed in the e-commerce server after a significant amount of time.

Transmission Threats

Denial of Service Attacks

The Denial of Service Attack is responsible for denying authorised access of the users. The authorized users access the system and found that the system has been hacked and is being controlled by any other person or individuals, the intruders if access the PayTM server, then this can be disastrous. The customer’s bank account details and the account money and the e-wallet money will be compromised as a result of the attack. They can leak the sensitive information, they can even use to shut down the server. The shutdown of the server will cease all the information of the PayTM and the company can face huge loss for that (Franco 2014). There is another kind of Denial of Service Attack. In this case, one master host computer control a group of computers and spread the malicious activities across the system. These computers are generally termed as zombies, these zombies are instructed to attack the e-commerce website altogether, if PayTM server gets attacked by the zombies then the whole server of PatyTM will shut down. As all the zombies attacked together there can be a chance of massive bombardment and this bombardment generally occurs due to the transmission of bad data by those zombies. However, A Distributed Denial of Service Attack is programmed as-

Ping of Death

While individuals send any email, the communications between the server and the computer are carried out by the data packet. All the data gets transmitted by means of this data packets from one computer to another computer. There is a protocol which regulates all the data flow over the Internet. This protocol is known as TCP/IP. The TCP/IP protocol is responsible to transmit almost 1500 bytes. The protocol has the capability to transmit data packets up to a limit of 65, 535 bytes (Gerritsen et al. 2014). Because of the Ping of Death Attack, massive data packet exceeding the size of 65,536 bytes are transferred The TCP/IP protocol cannot handle such massive data packets and crushes. This can occur in case of PayTM as well and for this reason, their entire system can crash.

 

Fig 2: PayTM Threats

(Source: Gerritsen et al. 2014, pp- 169-235)

SYN Flooding involves the connectivity between the client and server computer in the PayTM premises. A connection is made via message acknowledgement. At first, the client computer sends messages, the server computer, in turn, sends acknowledgement regarding the same. This is known as ACK (synchronisation) message. In order to successfully complete the connectivity, the client computer sends ACK message to the server. At this point, the e-commerce server becomes vulnerable to attack (Hossain 2016). This remains a half-open connection and taking advantage of this half-open connection, phony messages can be sent to the PayTM server. These Phony Messages are responsible for overloading the server’s memory and also the process power thus leads to system crash.

The threats associated with the PayTM servers are-

Phishing Attacks

Phishing is generally carried out by intruders to hack individuals accounts. In this scenario, the effect can be devastating. As PayTm contains the bank details as well as money in the e-wallet. The intruders copy the HTML code of PayTM and can develop a look-alike PayTM website. The customers unknowingly can enter the credentials into that website and can fall into the trap.If the customers enter the credentials bank details then there will be a chance of losing hard earned money. This can cause havoc inside the PayTM. They will lose the customer base, can lose the reputation and ultimately this may lead to disaster. Also, the intruders carry out their phishing attacks via websites (Jotwani and Dutta 2016). The hackers first send a mail, if the customers see the email and open it and click the link then they will be sent to that phishing link, if they enter the personal details then there will be a chance of data hack.

Data Packet Sniffing

When the customers are using PayTM in their smartphone the hackers use a sniffer  to gain entry into their insecure network. This leads to network hijack, and in this way the data can be breached. The hackers take control of the network and the data flow, the sensitive information transmitting via air via an insecure network can be compromised, in this way the customers’ privacy can be threatened.

IP spoofing

The attackers via IP spoofing change the source from where the data packet is transmitting, from this it can be seen that the data packet is flowing from a source and that source does not belong to the attackers. PayTM can be attacked via IP spoofing and it is difficult to find out the real culprit (Khari and Singh 2014). The hackers can take advantage of the scenario and can attack PayTM multiple times.

Port Scanning

The hackers via this port scanning can detect what type of service is running currently in PayTM server and in this way the attackers will find out the flaws or weakness and try to exploit that weakness to enter into the system and damage the system.

Backdoors

While the web developers develop a website for e-commerce and electronic payment, they leave backdoors to keep an eye on the code developed, this helps the developers to access the code quickly and process it whenever applicable (Lebeau et al. 2013). The intruders take advantage of this loophole, the backdoors should be removed as soon as possible before the website goes live, otherwise, e-commerce site like PayTM can severely suffer from this backdoor.

1. The session identifiers which can be predictable:The Base 64 can be taken into consideration by the hackers. The hackers also reverse engineer the algorithm for their selfish needs.
2. Overly dependent on client-side validation:The attackers can alter or modify the browser settings and the browser history and disables JavaScript to skip the security and validity process and can enter the system.
3. SQL injection:The attackers can find out the SQL injection risks and the vulnerabilities. They can exploit the PayTM database at will and can acquire the sensitive information of the database (Niranjanamurthy and Chahar 2013).
4. Unauthorised execution of operations:The attackers acquiring sensitive information and session token can explore the system and the database making both the system and the database vulnerable to attack. In this way, the system can lose authorization.
5. Cross-site scripting:The attackers steal cookies along with that some vital information of the browser session and make the system exposed to illicit attack. The attackers who have sound knowledge of HTML and scripting language can expose the flaws of the system.
6. Issues related to uploading of files:The system applications used by PayTM may get exposed to malware attacks. The Trojans and the XSS exploits are possible threats to the database and the system.
7. Issues related to logging out:The customers or the users do not log out sometimes they are too lazy to log out, this laziness can cause the system exposed to intruders’ attack (Núñez et al. 2017). The attackers can gain entry to the system multiple times and can steal sensitive information according to convenience, in this case, they can access the e-wallet and can steal money from the bank account as well. This will also help the intruders to monitor the customer operations daily as well as the PayTM’s move.
8. Passwords:The customers or the users often set weak passwords for their system and thus the system becomes exposed to attack. This lethargic approach from the PayTM customers can cost them too much (Natarajan 2017). They can lose their hard earned money. The intruders will enter the system via brute force method and can expose the vulnerabilities of the system and the database.
9. Unencrypted passwords:The customers and the employees often store their password in the database in their unencrypted form, anyone can access the password very easily and the intruders are no exception. The virus created by the intruder’s are capable of accessing those hidden passwords in the system and can hand over that sensitive information. Thus storing unencrypted password is assign of vulnerability.
10. Phishing attack:The attackers often send spam emails to the customers in the name of PayTM, if those sites are accessed, then the customers or the users get to suspicious links (Nwoye 2014). The customers think the website as PayTm often get into the site entering credentials, these credentials are then gathered by intruders. Thus the accounts of the customers got compromised.
11. The absence of account lockout:The entire system and the database can be threatened and can be attacked by hackers due to the absence of account lockout.
12. No display of the previous sessions:The customers in their browsers cannot see the previous login details and that is why they try to enter the credentials, enter the password, enter the username (Olufemi, Kayode and Sunday 2014). Thus the privacy of the PayTM’s customers gets compromised. uN this way a whole lot of data can be breached.
13. No proper settings for cookie security:The attackers design a channel via which the server and the client get connected and the cookies got transacted via these channels (Rathi and Gupta 2014). The attackers expose the system and access those cookies for their selfish needs.
14. Weak cyphers:The attackers can expose the system and the database and can record what is being transacted and in this way, the SSL key is cracked the intruders get into the system.

1. Maintaining an accurate inventory of control system devices:No machines should be allowed on the network to communicate with other computers or nodes. The computer system if stays connected to some parts of the network, then through that part the intruders can spread their wings PayTM may not be aware that the computers are actually connected to the Internet as they are connected as a whole, although they are working partly over the Internet (Ray 2014). Thus PayTM must remove this pathway which may b vulnerable for their enterprise.
2. Creating network boundaries:The network boundaries can help to ensure protection and detective controls within their enterprise architecture model. These controls are capable to filter out the outbound and inbound traffic (Zamzuri et al. 2013). The firewall is one of the components. The security protocols which will assist to diminish the number of the pathway. The network boundaries set are responsible to detect any unscrupulous activities and help to govern the network.
3. Using Secure Remote Access methods:PayTM must always use Virtual Private Network (VPN) as VPN provides the secure channel for conducting business activities. VPN assists to transact data securely (Seetharaman et al.  2017). The customers can safe and secure and their money transactions will stay safe and can use files, printers and websites simply connecting to the Internet via a secure channel.
4. Establishment of role-based access controls:This kind of approach restrict the users or the customers to use certain resources to some extent and not to fullest that is the users must be given access to certain areas of the system and the database. In this way the intrudes can be restricted to a certain extent. This can help PayTM to conduct the business activities more effectively and in an agile manner. Also, the intruders’ suspicious activities can be traced as a result of limiting users’ access control applying the role-based access controls (Shaikh et al. 2017). PayTM also must introduce logging capabilities and this log will show lights how to bring in more security to the systems, will also highlight how to mitigate the issues occurring within.
5. Use of strong passwords:The customers must be proactive and they must set a password which is not detectable, not recognizable. Otherwise, the intruders will guess the password and will enter the system. The password must contain one small-case letter, one big-case letter, one digit and one symbol and the password must be eight digits long (Shi, Zhao and Liu 2015). This must not be familiar with anyone’s name and place. In this way by setting strong password one can ensure the safety of themselves, if the data gets compromised then it is a loss for both PayTM and the PayTM users so users must be careful while choosing passwords.
6. Installation of antivirus software:The installation of antivirus software can even prevent the spread of malicious activities of the intruders. That is why PayTM must use the latest hardware and the software in their premises (Singh 2016). They should also use the latest updated operating system and also the latest software applications as that will help them to carry out their business activities well. The latest updates and patches for the software will help them to conduct their business activities in the agile and effective way. This ensures safety and security, as well as the outdated software, are more vulnerable to malicious activities. The customer, on the other hand, must update their PayTM app frequently to get the same safety and security.
7. Enforcing policies for mobile devices:The mobile devices also contain the sensitive information and the PayTM users also conduct money transactions via their phone (Sudia 2013). The phone must be protected via strong password. If the phone gets lost then there will be huge mishaps, the customers data will breached for sure.
8. Cyber security team:The cyber security team must act responsibly to secure their company’s system and should provide solutions when they are attacked. Thus the PayTM users and the company itself can be benefitted by the cybersecurity team. The PayTM employees can gain knowledge from the initiative and this initiative will help them to know the potential threats they are under (Szolnoki, Thach and Kolb 2016). Cybersecurity is an important aspect to stay safe and fight against cybersecurity risks.
9. Involving executives:The involvement of executives will assist to detect any cybersecurity risks while interacting with stakeholders (Turcu 2014). PayTM executives being knowledgeable about the cybersecurity threats and risks and mitigation process helps to take effective decisions which can be helpful in the long run.
10. Implement a disaster plan beforehand:The PayTM executives must proactively implement a disaster plan as it assists in taking an effective decision at the rim of need and also huge company loss can be mitigated (Watuthu, Kimwele and Okeyo 2015). Thus for PayTM, a disaster plan is absolutely necessary.

Conclusion

It can be concluded from the above discourse PayTM has greatly influenced the Indian economy. The PayTM application has been decomposed and the business activities associated with the application has been showcased in the report. PayTM conducts two types of business activities that is e-commerce and second are the electronic bank. Both the types have been well illustrated in the report as well. The various kinds of threats and risks are associated while PayTM is conducting their business. The threats which can prove harmful for PayTM are virus and worms, Trojan horse, logic bombs, denial of service attacks have been discussed in the report. The vulnerabilities such as setting weak passwords for the account, session timeout has been elaborately discussed in the report as well. The control measures to mitigate those risks and threats have been detailed as well.

References

Akazue, M.I., 2015. A survey of ecommerce transaction fraud prevention models. In The Proceedings of the International Conference on Digital Information Processing, Data Mining, and Wireless Communications, Dubai, UAE.

Akazue, M.I., Aghaulor, A. and Ajenaghughrure, B.I., 2015, January. Customer’s protection in ecommerce transaction through identifying fake online stores. In Proceedings of the International Conference on e-Learning, e-Business, Enterprise Information Systems, and e-Government (EEE) (p. 52). The Steering Committee of The World Congress in Computer Science, Computer Engineering and Applied Computing (WorldComp).

Aljawarneh, S., 2015. Cloud Security Engineering Concept and Vision: Concept and Vision. In Advanced Research on Cloud Computing Design and Applications (pp. 139-146). IGI Global.

Awan, J. and Memon, S., 2016, January. Threats of cyber security and challenges for Pakistan. In International Conference on Cyber Warfare and Security (p. 425). Academic Conferences International Limited.

Becker, K., Alper, O. and Lee, J.W., 2014, September. Online Payment Security in E-Commerce: A New Approach to E-Payment through NFC Technology. In 7th Annual Conference of the EuroMed Academy of Business (Vol. 22, No. 3, pp. 218-233).

Deshmukh, S.P., Chhangani, A.Z. and Thampi, G.T., 2016. Public Policies to Facilitate Higher Penetration of E-Commerce and M-Commerce in India for Higher Productivity. Productivity, 56(4), p.332.

Europe, E., 2014. European B2C E-Commerce Report 2014. retrieved June 22nd.

Fetscher, F., 2016. The opportunities and threats for the German Future Mobility SMEs related to the “Digital Single Market” Initiative by the European Commission.

Flanagin, A.J., Metzger, M.J., Pure, R., Markov, A. and Hartsell, E., 2014. Mitigating risk in ecommerce transactions: perceptions of information credibility and the role of user-generated ratings in product quality and purchase intention. Electronic Commerce Research, 14(1), pp.1-23.

Franco, D.P., 2014. Factors and models analysis of consumer trust on ecommerce. Amazônia, Organizações e Sustentabilidade, 3(1).

Gerritsen, B.H., Soilen, K.S., de Visser, P.B., Hoogreef, P.J., Hulst, K., Janssen, M.L., Horselenberg, L., Van Dijk, R.R. and Consenheim, E., 2014. Social Media Coming to the Mall: A Cross-Channel Response. In Product Development in the Socio-sphere(pp. 169-235). Springer International Publishing.

Hossain, N.T., 2016. Business methodology to integrate social networking into ecommerce alternatives: Olive Tree Foods Ltd.

Jotwani, V. and Dutta, A., 2016. An analysis of E-Commerce Security Threats and Its Related Effective Measures. International Journal, 4(6).

Khari, M. and Singh, N., 2014. Web Services Vulnerability Testing Using Open source Security Scanners: An experimental Study. International Journal of Advanced Engineering and Global Technology (IJAEGT), pp.790-799.

Lebeau, F., Legeard, B., Peureux, F. and Vernotte, A., 2013, March. Model-based vulnerability testing for web applications. In Software Testing, Verification and Validation Workshops (ICSTW), 2013 IEEE Sixth International Conference on (pp. 445-452). IEEE

Natarajan, S., 2017. Method for rapid development of schedule controled networkable merchant ecommerce sites. U.S. Patent 9,626,713.

Niranjanamurthy, M. and Chahar, D.D., 2013. The study of e-commerce security issues and solutions. International Journal of Advanced Research in Computer and Communication Engineering, 2(7).

Núñez, J., Vergara, A., Leyton, C., Metzkes, C., Mancilla, G. and Bettancourt, D., 2017. Reconciling Drought Vulnerability Assessment Using a Convergent Approach: Application to Water Security in the Elqui River Basin, North-Central Chile. Water, 9(8), p.589.

Nwoye, C.J., 2014. Design and Development of an E-Commerce Security Using RSA Cryptosystem. International Journal of Innovative Research in Information Security (IJIRIS), ISSN, pp.2349-7017.

Olufemi, A.R., Kayode, A.B. and Sunday, A.O., 2014. Building a Secure Environment for Client-Side Ecommerce Payment System Using Encryption System. In Proceedings of the World Congress on Engineering (Vol. 1).

Rathi, M.N.A. and Gupta, P.S., 2014. Optimizing security in Commerce Transaction: An Overview.

Ray, P.G., 2014. Security in Internet Commerce.

Seetharaman, A., Niranjan, I., Saravanan, A.S. and Balaji, D., 2017. A Study of the Moderate Growth of Online Retailing (Ecommerce) In the UAE. The Journal of Developing Areas, 51(4), pp.397-412.

Shaikh, Z., Mohadikar, A., Nayak, R. and Padamadan, R., 2017. Security and Verification of Server Data Using Frequent Itemset Mining in Ecommerce. International Journal of Synthetic Emotions (IJSE), 8(1), pp.31-43.

Shi, Y., Zhao, Q. and Liu, Q., 2015. Secure mobile agents in eCommerce with forward-secure undetachable digital signatures. Etri Journal, 37(3), pp.573-583.

Singh, N.P., 2016. A Survey of Threats to E-Commerce Applications. Research Journal of Science and Technology, 8(3), p.145.

Sudia, F.W., 2013. False Banking, Credit Card, and Ecommerce System. U.S. Patent Application 13/747,368.

Szolnoki, G., Thach, L. and Kolb, D. eds., 2016. Successful social media and ecommerce strategies in the wine industry. Springer.

Turcu, R., 2014. Security in Electronic Payment Systems. Journal of Mobile, Embedded and Distributed Systems, 6(4), pp.177-182.

Watuthu, S.N., Kimwele, M. and Okeyo, G., 2015. The Key Issues Surrounding Electronic Commerce Information Security Management. International Journal of Soft Computing and Engineering (IJSCE), 5(1), pp.37-42.

Wright, R., Marett, K. and Thatcher, J., 2014. Extending Ecommerce Deception Theory to Phishing.

Zamzuri, Z.F., Manaf, M., Yunus, Y. and Ahmad, A., 2013. Student perception on security requirement of e-learning services. Procedia-Social and Behavioral Sciences, 90, pp.923-930.