Incident: Security Flaws in E-commerce Payment Systems Allow Free Shopping

Published Date: 2011-04-13

Postmortem Analysis
Timeline
1. The software failure incident where researchers cheated PayPal checkout happened around April 2011.
   - The article was published on 2011-04-13 [Article 5252].

System
The software failure incident reported in Article 5252 involved a failure in the implementation of e-commerce payment systems by major merchants like PayPal, Amazon Payments, and Google Checkout. The specific systems/components that failed in this incident were:
1. Implementation of payment systems by major merchants (PayPal, Amazon Payments, Google Checkout)
   - The logic flaws in the implementation of these payment systems led to inconsistencies between the merchant sites and the payment services, allowing researchers to exploit the system [5252].

Responsible Organization
1. Third-party merchants were responsible for causing the software failure incident by implementing payment systems with logic flaws that allowed researchers to exploit inconsistencies between the merchant site and the payment service [5252].

Impacted Organization
1. Third-party merchants using payment systems from PayPal, Amazon Payments, and Google Checkout were impacted by the software failure incident [5252].

Software Causes
1. Logic flaws in the ways major merchants implemented payment systems from PayPal, Amazon Payments, and Google Checkout allowed researchers to exploit inconsistencies between the merchant site and the payment service, enabling them to buy products online for free or at a discount [5252].

Non-software Causes
1. Lack of proper communication between third-party merchants and payment processors [5252]
2. Failure to follow best practices when integrating payments [5252]

Impacts
1. The software failure incident allowed researchers to buy products online for free or at a deep discount by exploiting logic flaws in major merchants' payment systems like PayPal, Amazon Payments, and Google Checkout [5252].
2. The incident highlighted major security flaws in e-commerce payment systems, leading to inconsistencies between merchant sites and payment services, enabling actions like adding discounts of choice, shopping for free after paying for one item, or purchasing expensive products for the price of the cheapest item [5252].
3. The researchers were able to convince merchant sites that they had paid for an item in full while redirecting the payment into their own seller account at Amazon, showcasing a significant vulnerability in the payment processing systems [5252].
4. The incident raised concerns about the lack of proper best practices followed by developers when integrating payments, indicating a systemic weakness in third-party payment services used by merchants [5252].
5. Following the research findings, Amazon released a new set of software development kits to address the bugs identified in the study and mandated web stores to upgrade to the new SDKs within 40 days, indicating a swift response to mitigate the impacts of the software failure incident [5252].

Preventions
1. Proper implementation of best practices when integrating payment systems by developers could have prevented the software failure incident [5252].
2. Regular security audits and testing of the payment systems by the merchants could have helped identify and fix any logic flaws or vulnerabilities before they were exploited [5252].
3. Improved communication and coordination between the merchant sites and the payment service providers to ensure consistency in the payment process and prevent exploitation of loopholes [5252].
4. Increased focus and investment by companies like Amazon and Google on the security and integrity of their payment platforms' back end to prevent such systemic weaknesses [5252].

Fixes
1. Proper implementation of best practices by developers when integrating payment systems [5252].
2. Regular security audits and testing of e-commerce payment systems to identify and address logic flaws and vulnerabilities [5252].
3. Improved communication and coordination between merchant sites and payment processors to ensure consistency and prevent exploitation of loopholes [5252].
4. Timely response and action by merchants to address reported security issues and implement necessary software updates or fixes [5252].

References
1. Indiana University doctoral student Rui Wang and associate professor XiaoFeng Wang [Article 5252]
2. Microsoft Research [Article 5252]
3. PayPal [Article 5252]
4. Amazon [Article 5252]
5. Google [Article 5252]
6. eBay [Article 5252]
7. Securisea CEO Josh Daymont [Article 5252]
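
An added example, not taken from the article or the researchers' study, of merchant-side checks that address the inconsistencies listed under Impacts: payment to a different seller account, an amount that does not match the order, and one payment reused for further orders. The notification fields, the HMAC signing scheme, and every name and value below are assumptions made for illustration; real payment processors define their own formats.

```python
import hashlib
import hmac
from decimal import Decimal

MERCHANT_ACCOUNT = "merchant-001"        # hypothetical payee id of this store
SHARED_SECRET = b"constructed-test-key"  # hypothetical key shared with the processor

def sign(fields: dict) -> str:
    """HMAC over the sorted fields; stands in for the processor's signature."""
    msg = "&".join(f"{k}={fields[k]}" for k in sorted(fields)).encode()
    return hmac.new(SHARED_SECRET, msg, hashlib.sha256).hexdigest()

def check_payment(order: dict, note: dict, used_txn_ids: set) -> list:
    """Return the reasons to reject `note` as payment for `order` (empty = accept)."""
    fields = {k: v for k, v in note.items() if k != "sig"}
    if not hmac.compare_digest(sign(fields), note.get("sig", "")):
        return ["bad signature"]  # nothing else in the note can be trusted
    problems = []
    if note.get("payee") != MERCHANT_ACCOUNT:
        problems.append("paid to a different seller account")
    if note.get("order_id") != order["id"]:
        problems.append("payment is for a different order")
    # The total is recomputed from the merchant's own order record,
    # never taken from a value that passed through the browser.
    total = sum(Decimal(i["price"]) * i["qty"] for i in order["items"])
    if (Decimal(note.get("amount", "0")) != total
            or note.get("currency") != order["currency"]):
        problems.append("amount does not match order total")
    if note.get("txn_id") in used_txn_ids:
        problems.append("transaction already used")
    if not problems:
        used_txn_ids.add(note["txn_id"])  # single use: one payment, one order
    return problems

def make_note(**fields) -> dict:
    """Build a constructed, correctly signed notification for the demo."""
    return {**fields, "sig": sign(fields)}

# Constructed sample data: one order and the notification that should pay for it.
ORDER = {"id": "A100", "currency": "USD",
         "items": [{"price": "499.00", "qty": 1}, {"price": "5.00", "qty": 2}]}
GOOD = dict(txn_id="T1", order_id="A100", payee=MERCHANT_ACCOUNT,
            amount="509.00", currency="USD")

if __name__ == "__main__":
    used = set()
    print(check_payment(ORDER, make_note(**GOOD), used))   # accepted
    print(check_payment(ORDER, make_note(**GOOD), used))   # same payment again
    other = make_note(**{**GOOD, "txn_id": "T2", "payee": "other-seller"})
    print(check_payment(ORDER, other, used))                # wrong payee
```

The order is marked paid only when the returned list is empty; each non-empty result corresponds to one of the merchant/processor mismatches the incident describes.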

Software Taxonomy of Faults

Category: Recurring
Option: one_organization, multiple_organization
Rationale:
(a) The software failure incident related to cheating the payment systems of major merchants like PayPal, Amazon Payments, and Google Checkout due to logic flaws was reported to have happened again at Amazon. Just 15 days after the research paper was released, Amazon released a new set of software development kits to fix bugs and mandated that Web stores upgrade to the new SDKs within 40 days [5252].
(b) The incident involving security flaws in e-commerce payment systems affecting major merchants like PayPal, Amazon Payments, and Google Checkout is indicative of a systemic weakness in such services. The incident highlights that merchants often prefer using third-party services for payment processing, leading to potential vulnerabilities. Companies like Amazon and Google may not always pay enough attention to the security of their payment platforms, and the responsibility lies on merchants to build secure systems on top of these platforms [5252].

Category: Phase (Design/Operation)
Option: design
Rationale:
(a) The software failure incident reported in the articles is related to the design phase of the system. The incident was caused by "logic flaws" in the ways major merchants had implemented payment systems from PayPal, Amazon Payments, and Google Checkout. These flaws allowed the researchers to exploit inconsistencies between the merchant site and the payment service, enabling them to buy products online for free or at a deep discount [5252]. The study co-author XiaoFeng Wang mentioned that most of the security lapses were on the third-party merchants' side, indicating that the issues were introduced during the design and implementation of the payment systems by the merchants, rather than being inherent to the payment processors themselves [5252]. Additionally, the incident highlighted the importance of following proper best practices when integrating payments, as noted by eBay in response to the study. Wang emphasized that using third-party services for payments can make the system more complicated, leading to more possible bugs due to the design complexity introduced by these integrations [5252].
(b) The software failure incident does not appear to be related to the operation phase or misuse of the system. The focus of the incident was on the logic flaws in the design and implementation of the payment systems by merchants, rather than on issues arising from the operation or misuse of the systems [5252].

Category: Boundary (Internal/External)
Option: within_system, outside_system
Rationale:
(a) The software failure incident reported in the articles is primarily within_system. The security flaws and logic flaws in the ways major merchants implemented payment systems from PayPal, Amazon Payments, and Google Checkout allowed researchers to exploit the system and make purchases for free or at a deep discount [5252]. The issues were related to inconsistencies between the merchant site and the payment service, indicating internal system vulnerabilities that were exploited by the researchers. The study co-author mentioned that most of the security lapses were on the third-party merchants' side, not the payment processors' [5252]. Additionally, the incident prompted Amazon to release a new set of software development kits to fix bugs within their system [5252].
(b) The software failure incident also involves outside_system factors. The incident highlighted the systemic weakness in using third-party services for payment platforms, indicating that the architecture of relying on external services contributes to the complexity and potential bugs in the system [5252]. The onus was on merchants to build secure systems on top of these platforms, suggesting that external factors such as merchant practices and decisions also played a role in the software failure incident.

Category: Nature (Human/Non-human)
Option: non-human_actions, human_actions
Rationale:
(a) The software failure incident in the article was primarily due to non-human actions, specifically logic flaws in the ways major merchants implemented payment systems from PayPal, Amazon Payments, and Google Checkout. The researchers were able to exploit these logic flaws to buy products online for free or at a deep discount. The study co-author mentioned that most of the security lapses were on the third-party merchants' side, not the payment processors' [Article 5252].
(b) However, human actions also played a role in this software failure incident. The issue stemmed from developers not following proper best practices when integrating payments, as noted by PayPal parent eBay. The researchers worked with a lawyer to conduct their tests in an ethical and legal way, and they immediately reported their findings to the merchants to work with them to fix the issues [Article 5252].

Category: Dimension (Hardware/Software)
Option: software
Rationale:
(a) The software failure incident reported in the article is primarily related to software flaws rather than hardware issues. The incident involved security researchers exploiting logic flaws in the ways major merchants implemented payment systems from PayPal, Amazon Payments, and Google Checkout, allowing them to buy products online for free or at a deep discount. The flaws were described as creating inconsistencies between the merchant site and the payment service, enabling the researchers to manipulate the system in various ways [5252].
(b) The software failure incident in the article was caused by software flaws in the implementation of payment systems by major merchants, leading to security vulnerabilities that allowed the researchers to exploit logic flaws and manipulate the system to obtain products for free or at discounted prices. The issues were related to developers not following proper best practices when integrating payments, resulting in inconsistencies between the merchant sites and the payment processors [5252].

Category: Objective (Malicious/Non-malicious)
Option: non-malicious
Rationale:
(a) The software failure incident reported in the articles is non-malicious. The incident involved security researchers from Indiana University and Microsoft Research identifying major security flaws in e-commerce payment systems used by major merchants like PayPal, Amazon Payments, and Google Checkout. The researchers exploited "logic flaws" in the implementation of these payment systems, allowing them to buy products online for free or at a deep discount. The researchers worked ethically, returned the items, and immediately reported their findings to the merchants to help fix the issues [Article 5252].

Category: Intent (Poor/Accidental Decisions)
Option: poor_decisions, accidental_decisions
Rationale:
The intent of the software failure incident described in the articles can be attributed to both poor decisions and accidental decisions:
(a) poor_decisions: The incident involved major security flaws in e-commerce payment systems from PayPal, Amazon Payments, and Google Checkout due to "logic flaws" in the implementation by major merchants, which allowed researchers to exploit inconsistencies between the merchant site and the payment service [5252].
(b) accidental_decisions: The security lapses that led to the software failure were primarily on the third-party merchants' side, indicating unintentional decisions or oversights in implementing the payment systems, rather than inherent flaws in the payment processors themselves [5252].

Category: Capability (Incompetence/Accidental)
Option: development_incompetence
Rationale:
(a) The software failure incident in the article was primarily due to development incompetence. Researchers from Indiana University and Microsoft Research identified major security flaws in e-commerce payment systems from PayPal, Amazon Payments, and Google Checkout. They found "logic flaws" in the implementation by major merchants, which allowed them to exploit inconsistencies between the merchant site and the payment service, enabling them to buy products online for free or at a deep discount [5252]. The issues were attributed to developers not following proper best practices when integrating payments, leading to vulnerabilities that could be exploited by the researchers [5252].
(b) The software failure incident was not accidental but rather a result of deliberate testing by the researchers to expose the security flaws in the payment systems. The researchers worked with a lawyer to conduct their tests in an ethical and legal way, and the items obtained through exploiting the flaws were returned to the merchants. The group also immediately reported their findings to the merchants and collaborated with them to fix the identified issues [5252].

Category: Duration
Option: temporary
Rationale:
(a) The software failure incident described in the article appears to be temporary. The incident was caused by specific logic flaws in the ways major merchants implemented payment systems from PayPal, Amazon Payments, and Google Checkout. The researchers were able to exploit these flaws to buy products online for free or at a deep discount. The issues were related to inconsistencies between the merchant site and the payment service, allowing the researchers to manipulate the system in various ways. The incident was not a permanent failure but rather a temporary one caused by specific vulnerabilities in the system [5252].

Category: Behaviour
Option: value, byzantine
Rationale:
(a) crash: The articles do not mention any instances of a system crash where the system loses state and does not perform any of its intended functions.
(b) omission: The software failure incident in the articles does not involve the system omitting to perform its intended functions at an instance(s).
(c) timing: The incident does not relate to the system performing its intended functions correctly but too late or too early.
(d) value: The software failure incident in the articles involves the system performing its intended functions incorrectly. The researchers were able to exploit logic flaws in the payment systems to buy products online for free or at a deep discount, manipulate discounts, shop for free after paying for one item, or buy an expensive product for the price of the cheapest item [5252].
(e) byzantine: The behavior of the software failure incident in the articles aligns with the byzantine failure type. The logic flaws created inconsistencies between the merchant site and the payment service, allowing the researchers to deceive the system in multiple ways, such as adding discounts of their choosing, making payments into their own seller account at Amazon while convincing the merchant sites that they had paid for an item in full [5252].
(f) other: The software failure incident in the articles does not exhibit any other specific behavior beyond those mentioned in the options above.

IoT System Layer

Layer           Option   Rationale
Perception      None     None
Communication   None     None
Application     None     None

Other Details

Category: Consequence
Option: property
Rationale:
(d) property: People's material goods, money, or data was impacted due to the software failure.
The software failure incident described in the article resulted in researchers being able to exploit software flaws in major e-commerce payment systems such as PayPal, Amazon Payments, and Google Checkout. This exploitation allowed the researchers to buy products online for free or at a deep discount. They were able to manipulate the system to add discounts of their choosing, shop for free after paying for one item, or buy expensive products for the price of the cheapest item. Additionally, in some cases, the researchers were able to convince merchant sites that they had paid for an item in full while actually making the payment into their own seller account at Amazon. This indicates a significant impact on people's material goods and financial transactions [5252].

Category: Domain
Option: information, sales, finance
Rationale:
(a) The failed system was related to the information industry as it involved major merchants implementing payment systems for e-commerce platforms like PayPal, Amazon Payments, and Google Checkout [Article 5252].
(b) Not mentioned in the articles.
(c) Not mentioned in the articles.
(d) The software failure incident was directly related to the sales industry as it involved flaws in e-commerce payment systems that allowed researchers to buy products online for free or at a deep discount [Article 5252].
(e) Not mentioned in the articles.
(f) Not mentioned in the articles.
(g) Not mentioned in the articles.
(h) The incident was related to the finance industry as it involved payment systems from major merchants like PayPal, Amazon Payments, and Google Checkout, which are used for financial transactions [Article 5252].
(i) Not mentioned in the articles.
(j) Not mentioned in the articles.
(k) Not mentioned in the articles.
(l) Not mentioned in the articles.
(m) Not mentioned in the articles.
