Mobile payment and financial platforms are selling your data including your email, location, and transaction details to the highest third-party bidder, a tech researcher and cybersecurity expert said.
One of these mobile payment platforms is Alipay, a China-based company that “sells its customer (transaction) data to third parties for monitoring and marketing purposes.”
According to Victor Gevers, a cybersecurity adviser from GDI.Foundation, companies like Alipay are selling their customer data to the third-party clients with the highest bid, and in most cases these third-party companies cannot handle sensitive information and store it in unsecured databases.
Gevers discovered one of these data sets, which he said came from Alipay, in an unsecured MongoDB database, and noted that anyone with basic training could find others within 30 minutes of trained searches.
“I train journalists, so they investigate data leaks like this themselves. Within 30 minutes, they can do exactly the same we do for investigating and reporting systems. This is too easy to find if you know how to spell company names in a search engine,” Gevers wrote on his Twitter account in response to a tweet highlighting that anyone can get the data.
THEY WILL SELL YOU OUT
Gevers raised concerns that financial applications and mobile intermediaries like Alipay are selling their customers out.
“Payment providers will always SELL you out,” he exclaimed.
In a tweet, he explained that Alipay sold data to a third party, which uses it in a credit score system to see to whom it can sell more of its service on another platform.
When asked how he knew that the data was from Alipay and not from some other rightful party to the transaction, like the merchant or an e-commerce platform, he said that there is only one “entity who can/has access to all” and that’s Alipay. He added that if governments are excluded as the owners of the breached databases, it is easy to determine that it is the payment provider that uses third parties to “study/convert their own [money] transfer data into ‘research projects’ which gets sold.”
According to Gevers, one piece of evidence for his claim that Alipay owns the database he uncovered was the rising rate of global financial institutions and payment service providers sharing their transaction data with third parties so they can “enrich” it. Gevers noted that these third parties have poor security implementations and that he and his team keep on finding open databases that have exposed the supposed trend.
The tech expert referred to the Fintech data breach that happened a month ago, where 1.9 billion bank transactions from 2018 were discovered to be vulnerable after they were sold to a third-party payment provider.
In a separate tweet, he explained that all the transactions in the Fintech breach were categorized to “study” income and spending behavior of US citizens.
In a tweet last February, he revealed that 1,933,515,811 bank transactions comprising more than 2.1 TB of data were completely open for anyone to see, edit, and throw away “with a simple instruction.”
Since then, Gevers said that the leaking server had been taken down.
However, a Twitter user with the handle @MoeMoeil disputed Gevers’ claim that the data leak was the fault of Alipay, saying that there is no proof of that. He postulated that the information in the leak was voluntarily given to the third party by users.
In China, the user said, many websites and companies require users to submit personal information like name, ID, phone, bankcard, and even mugshots holding their card. He claimed that he was able to locate the loan credit service provider where the leaked data came from and, according to the firm’s documentation, the data was given to them by a “collaboration agency.”
“Now consider this scenario: A user wants to borrow money from a P2P-loan agency. The agency says “I need to check your Alipay transaction history first.” The user gives his Alipay account and password to the agency and the agency downloads the full history of the user… Later, this agency, being a “collaboration agency,” sells the downloaded transaction history to the financial credit investigating company,” wrote Moe Moeil in response to Victor Gevers’ tweets.
“In this case, I think Alipay shall be innocent, since the user himself surrendered the account access.”
The Twitter user also noted that there is still a need to investigate how the “collaboration agency” got the data.
Meanwhile, other tech experts raised concerns about China’s cybersecurity problems. While Gevers agreed that there is indeed a problem in China, he noted that other countries are also insecure, making it a universal problem that needs to be addressed as soon as possible.
“I think the Chinese government is doing a lot to keep its citizens safe seen from their perspective. Also, outside China, many things are not safe. So it is not only a local issue but also a global issue,” he wrote.
As of yesterday, the breached database had already been partially locked down. According to Gevers, the owner of the database locked it down within an hour after he shared screenshots of his discovery. It is no longer accessible to the public.