Jiadong Lou and Xu Yuan, University of Louisiana at Lafayette; Ning Zhang, Washington University in St. Louis
This paper presents our study on an emerging paradigm of payment service that allows individual merchants to leverage the personal transfer service in third-party platforms to support commercial transactions. This is made possible by leveraging an additional order management system, collectively named Personal Payment System (PPS). To gain a better understanding of these emerging systems, we conducted a systematic study on 35 PPSs covering over 11740 merchant clients supporting more than 20 million customers. By examining the documentation, available source codes, and demos, we extracted a common abstracted model for PPS and discovered seven categories of vulnerabilities in the existing personal payment protocol design and system implementation. It is alarming that all PPSs under study have at least one vulnerability. To further dissect these potential weaknesses, we present the corresponding attack methods to exploit the discovered vulnerabilities. To validate our proposed attacks, we conducted four successful real attacks to illustrate the severe consequences. We have responsibly disclosed the newly discovered vulnerabilities, with some patched after our reporting.
Open Access Media
USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.
author = {Jiadong Lou and Xu Yuan and Ning Zhang},
title = {Messy States of Wiring: Vulnerabilities in Emerging Personal Payment Systems},
booktitle = {30th USENIX Security Symposium (USENIX Security 21)},
year = {2021},
isbn = {978-1-939133-24-3},
pages = {3273--3289},
url = {https://www.usenix.org/conference/usenixsecurity21/presentation/lou},
publisher = {USENIX Association},
month = aug
}