TY - GEN
T1 - Messy states of wiring
T2 - 30th USENIX Security Symposium, USENIX Security 2021
AU - Lou, Jiadong
AU - Yuan, Xu
AU - Zhang, Ning
N1 - Publisher Copyright:
© 2021 by The USENIX Association. All rights reserved.
PY - 2021
Y1 - 2021
AB - This paper presents our study on an emerging paradigm of payment service that allows individual merchants to leverage the personal transfer service on third-party platforms to support commercial transactions. This is made possible by leveraging an additional order management system, collectively named Personal Payment System (PPS). To gain a better understanding of these emerging systems, we conducted a systematic study on 35 PPSs covering over 11740 merchant clients supporting more than 20 million customers. By examining the documentation, available source code, and demos, we extracted a common abstracted model for PPS and discovered seven categories of vulnerabilities in the existing personal payment protocol design and system implementation. It is alarming that all PPSs under study have at least one vulnerability. To further dissect these potential weaknesses, we present the corresponding attack methods to exploit the discovered vulnerabilities. To validate our proposed attacks, we conducted four successful real attacks to illustrate the severe consequences. We have responsibly disclosed the newly discovered vulnerabilities, with some patched after our reporting.
UR - https://www.scopus.com/pages/publications/85114448557
M3 - Conference contribution
AN - SCOPUS:85114448557
T3 - Proceedings of the 30th USENIX Security Symposium
SP - 3273
EP - 3289
BT - Proceedings of the 30th USENIX Security Symposium
PB - USENIX Association
Y2 - 11 August 2021 through 13 August 2021
ER -