Shop for free! Researchers cheat PayPal checkout

Rui Wang and XiaoFeng Wang worked to expose e-commerce security flaws.Indiana University doctoral student Rui Wang (left) and associate professor XiaoFeng Wang worked with a team of researchers to expose major security flaws in e-commerce payment systems. By Julianne Pepitone, staff reporter


NEW YORK (CNNMoney) -- A group of security researchers say software flaws in the ways major merchants have implemented payment systems from PayPal, Amazon Payments and Google Checkout allowed them to buy products online for free or at a deep discount.

The researchers, from Indiana University and Microsoft (MSFT, Fortune 500) Research, said "logic flaws" created inconsistencies between the merchant site and the payment service.

As a result, study co-author XiaoFeng Wang said his group was able to procure items like DVDs and electronics chargers by gaming the system in multiple ways. They could add a discount of their choosing, shop for free after paying for one item, or buy an expensive product for the price of the cheapest item.

In some cases, the researchers convinced merchant sites that they had paid for an item in full -- while actually making the payment into their own seller account at Amazon.

The researchers made clear that most of the security lapses were on the third-party merchants' side, not the payment processors'.

In response to the study, PayPal parent eBay (EBAY, Fortune 500) noted that the issue stems from "developers not following proper best practices when integrating payments."

Amazon did not respond to requests for comment. Google said it was looking into the study results, and emphasized that Google Checkout has multiple fraud detection systems.

Wang compared the logic flaws to a naughty child who wants a piece of candy: The child tells the mother that the father said it was OK, and then tells Dad that Mom said it was fine. If the two parents aren't communicating effectively, the kid gets the candy.

"It's convenient for merchants to use these third-party services because then they don't have to build payment platforms themselves," XiaoFeng Wang said. "But that makes the whole system more complicated -- which means more possible bugs."

Wang said the researchers worked with a lawyer to conduct their tests in an ethical and legal way, and the items were returned to the merchants.

The group also immediately reported their findings to the merchants and worked with them to fix the issues, Wang said. He and his colleagues are scheduled to present their paper next month at the Institute of Electrical and Electronics Engineers' annual Symposium on Security and Privacy in Oakland, Calif.

Just 15 days after the group released its research paper, Wang said, Amazon released a new set of software development kits to fix bugs -- and mandated that Web stores to upgrade to the new SDKs within 40 days.

But Securisea CEO Josh Daymont warns that these types of issues indicate "a systemic weakness" in these kinds of services.

"Merchants love to use software as a service so they don't have to build payment platforms themselves," said Daymont, whose company specializes in IT security. "So that architecture isn't going away."

However, Daymont notes, companies like Amazon (AMZN, Fortune 500) and Google (GOOG, Fortune 500) have a lot of other things going on -- and they may not always pay enough attention to their payment platforms' back end. Plus, the onus is on merchants to build secure systems on top of those platforms.

"What typically happens is that companies make the decision not to throw more manpower behind these products, and then something like this IU paper comes out," he said. "It's a classic case of security not being considered until after the product has shipped." To top of page

Frontline troops push for solar energy
The U.S. Marines are testing renewable energy technologies like solar to reduce costs and casualties associated with fossil fuels. Play
25 Best Places to find rich singles
Looking for Mr. or Ms. Moneybags? Hunt down the perfect mate in these wealthy cities, which are brimming with unattached professionals. More
Fun festivals: Twins to mustard to pirates!
You'll see double in Twinsburg, Ohio, and Ketchup lovers should beware in Middleton, WI. Here's some of the best and strangest town festivals. Play
Index Last Change % Change
Dow 16,624.89 10.08 0.06%
Nasdaq 4,429.79 10.31 0.23%
S&P 500 1,945.47 4.19 0.22%
Treasuries 2.24 0.04 1.68%
Data as of 10:02am ET
Company Price Change % Change
Yahoo! Inc 42.01 1.83 4.55%
Apple Inc 103.13 0.66 0.64%
Bank of America Corp... 16.63 0.03 0.20%
Boston Scientific Co... 12.42 0.39 3.24%
The Coca-Cola Co 40.21 -0.47 -1.16%
Data as of 9:47am ET

Sections

The midterm elections are around the corner, and the economy remains a top concern. With unemployment down and inflation low, why do people still feel the economy stinks? More

Yahoo was in the spotlight Tuesday as it released its third-quarter results, its first earnings release since the Alibaba IPO. More

Startups focusing on "ag tech," or agricultural technology, are gaining the attention of farmers and investors More

Consistently checking whether you're savings is projected to last you through retirement is one of the best ways to create a smart and responsible retirement income plan and manage it along the way. More

Market indexes are shown in real time, except for the DJIA, which is delayed by two minutes. All times are ET. Disclaimer Morningstar: © 2014 Morningstar, Inc. All Rights Reserved. Disclaimer The Dow Jones IndexesSM are proprietary to and distributed by Dow Jones & Company, Inc. and have been licensed for use. All content of the Dow Jones IndexesSM © 2014 is proprietary to Dow Jones & Company, Inc. Chicago Mercantile Association. The market data is the property of Chicago Mercantile Exchange Inc. and its licensors. All rights reserved. FactSet Research Systems Inc. 2014. All rights reserved. Most stock quote data provided by BATS.