Ruishu Information: Beware of misappropriation of payment interfaces, API security protection is imperative


Recently, the security operations staff of a large domestic insurance company noticed an anomaly: the phone-bill recharge page of the company's own app was generating a large number of payment order requests, yet there were no corresponding phone-bill recharge payments. Stranger still, the internal risk control system did not react to these batches of abnormal payment order requests at all.

To find out what was behind this, the insurer turned to Ruishu Information, a professional network security vendor. The result surprised the insurer: the app's payment interface had been maliciously misappropriated by a gambling website to recharge gambling funds in disguise.

Analysis showed that the gambling website had embedded the front-end logic of the insurance app's phone-bill recharge page in its own gambling recharge page. When a user clicked to place a bet on the gambling website, the recharge information was sent to the insurance app's payment processing and transfer service, which returned a valid WeChat Pay redirect link. Instead of returning along the normal path, however, the WeChat Pay link was returned to the gambling website's front-end page, so users could complete the gambling payment directly on the gambling page.

This is a typical case of payment interface misappropriation: using the payment settlement capability provided by a payment institution in a way that does not comply with the prior agreement. The most common form is to connect illegal transactions, such as pornography, gambling, drugs, cashing out, illegal futures and illegal commodity trading, to the interface.

China's relevant regulatory documents clearly prohibit the misappropriation of payment transaction interfaces, in order to curb illegal activities and crack down on disorder in the industry. It is undeniable, however, that misappropriation of payment transaction interfaces continues to emerge in large numbers and to evade supervision.

Why does the misappropriation of payment interfaces continue despite repeated bans?

Payment interface misappropriation generates huge profits, and black-industry attacks are becoming automated and professional

Online payment is gradually replacing cash, and as online payment grows, so does the misappropriation of online payment interfaces.

At present, the most common forms of online payment interface misappropriation are:

  • Code-matching to reduce access fees: by applying for interfaces with lower rates, access costs are reduced and profit margins increased.
  • Four-party resale of interfaces: institutions conducting illegal four-party business access banks and payment institutions through shell companies, obtain online payment interfaces, and profit by reselling them.
  • Conducting illegal business: illegal businesses such as pornography, gambling, drugs, cashing out, crude oil, futures and commodity trading are packaged as legal shell companies and connected to payment institutions.
  • Interconnection between payment institutions: regulations require banks and payment institutions involved in inter-bank clearing to go through the central bank or a legally qualified clearing institution. To circumvent supervision, however, some payment institutions use affiliated companies and other means to connect to other payment institutions through disguised channels.

It is not hard to see that illegal payment interface misappropriation is driven by money. According to online data, a large gambling operation can take in hundreds of millions of yuan in a single night during peak season, and the black industry that provides its payment interface earns a commission of 1.3-3% as a service fee. In other words, just by handling the payment link, the black industry can make at least 1.3 million yuan in one night, almost effortlessly.

Such lucrative profits naturally attract large numbers of black-industry groups. To cope with the strict audits of payment platforms such as WeChat, Alipay and JD Wallet, the black industry continuously refines its attack techniques, looking for system vulnerabilities and business logic that can be broken through, and trying every means to abuse legitimate payment interfaces.

Huang Zhimin, an information technology expert at Ruishu, said: "Online payment interfaces in all industries may be exploited by the black industry, especially virtual recharge products such as phone-bill recharge launched by e-commerce, insurance and finance institutions in cooperation with operators. It is easy for the black industry to maliciously use these payment interfaces for illegal purposes."

From the enterprise's perspective, however, companies are largely powerless against such rampant black-industry attacks, and may fail for a long time even to detect that malicious activity is taking place. According to Huang Zhimin, there are two main reasons for this:

First, the black industry's attack methods are constantly upgraded. The black industry has formed highly professional crime gangs whose upstream and downstream roles operate independently but collaborate in an orderly way. To further improve attack efficiency, most black-industry groups use bot automation tools for the steps of the fraud process that require many repeated executions, and even write customized scripts for specific platforms and specific API business logic, constantly trying different means to bypass existing security detection measures.

Second, traditional security and risk control products cannot cope with the new API attacks. Faced with covert and efficient bot automation, the traditional WAF, IDS, API security gateway and other devices commonly used by enterprises, which rely on fixed rules and signatures, can no longer effectively identify abnormal behavior; traditional risk control products correlate business and security data poorly and lack the ability to identify automated attacks; and account behavior analysis alone cannot identify malicious behavior that imitates normal users.

Ruishu Dynamic Security + API Security: Systematic Protection of Payment Interfaces

The frequent occurrence of payment interface misappropriation has a series of adverse effects on society and the industry. On the one hand, the illegal transactions it enables, such as money laundering, arbitrage, pornography, gambling and drugs, raise crime rates and can even cause turmoil in financial markets, seriously harming social prosperity, stability and public security. On the other hand, it generates large numbers of customer complaints and reports, damaging corporate reputation and market stability.

Given this grim situation, the industry urgently needs a system that can monitor and protect payment interfaces in real time, effectively identify misappropriation of payment transaction interfaces in daily monitoring, and quickly identify illegal and criminal activity, so as to raise the overall level of payment risk prevention and control.

To address the risks to enterprises' legitimate payment interfaces, Ruishu Information, an innovator in China's dynamic security technology and a professional vendor in the field of Bots automated attack protection, has launched the API Security Management Platform (API BotDefender). It systematically secures API interfaces across the dimensions of API asset management, sensitive data management, access behavior management, and API risk identification and management, making up for the shortcomings of traditional security and risk control products.

For the payment interface misappropriation problem, the Ruishu API security management platform first inventories the insurance app's API assets: which API interfaces exist, what business logic each interface implements, and through which channels the payment API can be accessed, so that abnormal behavior can be checked starting from the API interface path.

Second, an API security baseline is established on the basis of API protection technology to monitor and analyze API abuse, abnormal API access, malicious scanning, injection attacks and so on. At the same time, technical modules such as dynamic security, business threat perception and bot attack identification see through common business threats to API interfaces and perform human-machine identification efficiently and accurately. In this case, that revealed a large number of abnormal requests and identified their attack methods, including Cookie tampering, automated tools and URL tampering, consistent with the pattern of business fraud.

Finally, after further in-depth analysis and confirmation of the abnormal behavior logs, the company's existing risk control products are linked in to score the accounts behind the abnormal behavior, and the identified abnormal accounts are provided to the company in batches. The company is also assisted in adjusting its risk control strategy, giving the enterprise the security capability of API interface protection.

Ruishu Information can not only achieve efficient and accurate human-machine identification, but also apply fine-grained access control to API interfaces, supporting multi-dimensional frequency limiting, interception, delay and similar measures, so as to balance real-time security response with the enterprise's business development.
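To make the detection side of this concrete, the following script is an added example written for this page; it is not Ruishu's product code and does not reproduce the platform's logic. It runs three of the signals the case above exposes over a constructed request log: a payment-order request whose page origin is not one of the app's own channels, accounts that create many orders but whose recharges are never actually paid on the app's side (the exact symptom the insurer's staff noticed), and bursts of order creation from one source that point to automation. The event names, field names, origins, IP addresses and thresholds are all assumptions chosen for the example, and the last function maps each finding to the graduated controls named above (interception, frequency limiting, delay).

```python
import json
from collections import defaultdict
from datetime import datetime

# The app's own legitimate front-end channels (placeholder values assumed for this example).
ALLOWED_ORIGINS = {"https://app.example-insurer.invalid", "https://h5.example-insurer.invalid"}

# Constructed sample log, one JSON object per line (field names are assumptions).
# "create_order": request to the recharge payment-order service that hands back a pay link.
# "recharge_paid": the app's own record that the phone-bill recharge was actually paid.
# Account u200 spoofs an allowed origin; u201/u202 do not bother. All share one source IP.
SAMPLE_LOG = """\
{"ts": "2022-05-01T20:00:01Z", "event": "create_order", "account": "u100", "ip": "198.51.100.7", "origin": "https://app.example-insurer.invalid", "order": "o1", "amount": 100}
{"ts": "2022-05-01T20:00:40Z", "event": "recharge_paid", "account": "u100", "ip": "198.51.100.7", "origin": "https://app.example-insurer.invalid", "order": "o1", "amount": 100}
{"ts": "2022-05-01T20:01:00Z", "event": "create_order", "account": "u200", "ip": "203.0.113.5", "origin": "https://app.example-insurer.invalid", "order": "o2", "amount": 500}
{"ts": "2022-05-01T20:01:05Z", "event": "create_order", "account": "u200", "ip": "203.0.113.5", "origin": "https://app.example-insurer.invalid", "order": "o3", "amount": 500}
{"ts": "2022-05-01T20:01:09Z", "event": "create_order", "account": "u201", "ip": "203.0.113.5", "origin": "https://bet.example.invalid", "order": "o4", "amount": 1000}
{"ts": "2022-05-01T20:01:15Z", "event": "create_order", "account": "u200", "ip": "203.0.113.5", "origin": "https://app.example-insurer.invalid", "order": "o5", "amount": 500}
{"ts": "2022-05-01T20:01:20Z", "event": "create_order", "account": "u202", "ip": "203.0.113.5", "origin": "https://bet.example.invalid", "order": "o6", "amount": 2000}
{"ts": "2022-05-01T20:01:30Z", "event": "create_order", "account": "u200", "ip": "203.0.113.5", "origin": "https://app.example-insurer.invalid", "order": "o7", "amount": 500}
"""


def parse_log(text):
    """Parse one JSON record per line and convert the timestamp to a datetime."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        events.append(rec)
    return events


def find_origin_mismatches(events, allowed=ALLOWED_ORIGINS):
    """Order requests whose page origin is not one of the app's own channels."""
    return [{"rule": "origin_not_allowed", "subject": e["origin"], "detail": e["order"]}
            for e in events
            if e["event"] == "create_order" and e["origin"] not in allowed]


def find_unpaid_accounts(events, min_orders=3, max_unpaid_ratio=0.8):
    """Accounts that create orders repeatedly but whose recharges are never paid on the app side."""
    created, paid = defaultdict(set), defaultdict(set)
    for e in events:
        if e["event"] == "create_order":
            created[e["account"]].add(e["order"])
        elif e["event"] == "recharge_paid":
            paid[e["account"]].add(e["order"])
    findings = []
    for account, orders in created.items():
        if len(orders) < min_orders:
            continue  # too few orders to judge
        unpaid = orders - paid[account]
        if len(unpaid) / len(orders) >= max_unpaid_ratio:
            findings.append({"rule": "unpaid_orders", "subject": account,
                             "detail": f"{len(unpaid)}/{len(orders)} orders never paid"})
    return findings


def find_order_bursts(events, window_s=60, threshold=5):
    """Source IPs that create at least `threshold` orders inside any sliding window of `window_s`."""
    by_ip = defaultdict(list)
    for e in events:
        if e["event"] == "create_order":
            by_ip[e["ip"]].append(e["ts"])
    findings = []
    for ip, stamps in by_ip.items():
        stamps.sort()
        start, peak = 0, 0
        for end, t in enumerate(stamps):
            while (t - stamps[start]).total_seconds() > window_s:
                start += 1  # slide the window forward
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            findings.append({"rule": "order_burst", "subject": ip,
                             "detail": f"{peak} orders within {window_s}s"})
    return findings


def analyse(text):
    """Run all three rules over a log and return the combined findings."""
    events = parse_log(text)
    return find_origin_mismatches(events) + find_unpaid_accounts(events) + find_order_bursts(events)


def recommended_actions(findings):
    """Map each finding to one of the graduated controls: intercept, rate-limit or delay for review."""
    policy = {"origin_not_allowed": "intercept", "order_burst": "rate_limit",
              "unpaid_orders": "delay_and_review"}
    return {f["subject"]: policy[f["rule"]] for f in findings}


if __name__ == "__main__":
    found = analyse(SAMPLE_LOG)
    for f in found:
        print(f)
    print(recommended_actions(found))
```

The origin check is the cheapest rule but also the weakest, because a server-side relay can send whatever Origin or Referer header it likes; the two behavioral rules (orders that never turn into a paid recharge, and order creation faster than a person taps through a recharge flow) still fire when the origin is spoofed, which is why the example flags account u200 and the shared IP even though u200's requests carry an allowed origin.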

Since bot attacks target payment API interfaces through every channel, Ruishu Information has taken the lead in covering all online business access channels, including Web, H5, APP, API, WeChat and mini-programs. By correlating data from the various business access channels through unique identifiers such as user accounts and complete access records, it achieves security protection across all application channels.

Based on its outstanding performance in business anti-fraud, Ruishu Information was recently selected as a representative vendor in IDC's 2022 "China Financial Industry Anti-Fraud Market Research Report", and was listed as a representative vendor in Gartner's 2021 "Online Anti-Fraud Market Guide" report.

Conclusion

The misappropriation of payment API interfaces is a very serious problem that brings huge risks to social and economic operations and to enterprises themselves. As industry supervision tightens, the API threat environment has become more complex and black-industry attack methods have advanced further, so enterprises must pay more attention to payment API abuse. Protecting API security with the help of professional security vendors is imperative. Based on its unique "dynamic security + AI" core technology, Ruishu Information can effectively protect enterprises' API security and safeguard their business and data.
