Shop for free! Researchers cheat PayPal checkout

Rui Wang and XiaoFeng Wang worked to expose e-commerce security flaws.Indiana University doctoral student Rui Wang (left) and associate professor XiaoFeng Wang worked with a team of researchers to expose major security flaws in e-commerce payment systems. By Julianne Pepitone, staff reporter


NEW YORK (CNNMoney) -- A group of security researchers say software flaws in the ways major merchants have implemented payment systems from PayPal, Amazon Payments and Google Checkout allowed them to buy products online for free or at a deep discount.

The researchers, from Indiana University and Microsoft (MSFT, Fortune 500) Research, said "logic flaws" created inconsistencies between the merchant site and the payment service.

As a result, study co-author XiaoFeng Wang said his group was able to procure items like DVDs and electronics chargers by gaming the system in multiple ways. They could add a discount of their choosing, shop for free after paying for one item, or buy an expensive product for the price of the cheapest item.

In some cases, the researchers convinced merchant sites that they had paid for an item in full -- while actually making the payment into their own seller account at Amazon.

The researchers made clear that most of the security lapses were on the third-party merchants' side, not the payment processors'.

In response to the study, PayPal parent eBay (EBAY, Fortune 500) noted that the issue stems from "developers not following proper best practices when integrating payments."

Amazon did not respond to requests for comment. Google said it was looking into the study results, and emphasized that Google Checkout has multiple fraud detection systems.

Wang compared the logic flaws to a naughty child who wants a piece of candy: The child tells the mother that the father said it was OK, and then tells Dad that Mom said it was fine. If the two parents aren't communicating effectively, the kid gets the candy.

"It's convenient for merchants to use these third-party services because then they don't have to build payment platforms themselves," XiaoFeng Wang said. "But that makes the whole system more complicated -- which means more possible bugs."

Wang said the researchers worked with a lawyer to conduct their tests in an ethical and legal way, and the items were returned to the merchants.

The group also immediately reported their findings to the merchants and worked with them to fix the issues, Wang said. He and his colleagues are scheduled to present their paper next month at the Institute of Electrical and Electronics Engineers' annual Symposium on Security and Privacy in Oakland, Calif.

Just 15 days after the group released its research paper, Wang said, Amazon released a new set of software development kits to fix bugs -- and mandated that Web stores to upgrade to the new SDKs within 40 days.

But Securisea CEO Josh Daymont warns that these types of issues indicate "a systemic weakness" in these kinds of services.

"Merchants love to use software as a service so they don't have to build payment platforms themselves," said Daymont, whose company specializes in IT security. "So that architecture isn't going away."

However, Daymont notes, companies like Amazon (AMZN, Fortune 500) and Google (GOOG, Fortune 500) have a lot of other things going on -- and they may not always pay enough attention to their payment platforms' back end. Plus, the onus is on merchants to build secure systems on top of those platforms.

"What typically happens is that companies make the decision not to throw more manpower behind these products, and then something like this IU paper comes out," he said. "It's a classic case of security not being considered until after the product has shipped." To top of page

Frontline troops push for solar energy
The U.S. Marines are testing renewable energy technologies like solar to reduce costs and casualties associated with fossil fuels. Play
25 Best Places to find rich singles
Looking for Mr. or Ms. Moneybags? Hunt down the perfect mate in these wealthy cities, which are brimming with unattached professionals. More
Fun festivals: Twins to mustard to pirates!
You'll see double in Twinsburg, Ohio, and Ketchup lovers should beware in Middleton, WI. Here's some of the best and strangest town festivals. Play
Index Last Change % Change
Dow 16,408.54 -16.31 -0.10%
Nasdaq 4,095.52 9.29 0.23%
S&P 500 1,864.85 2.54 0.14%
Treasuries 2.72 0.08 3.19%
Data as of 11:30pm ET
Company Price Change % Change
Bank of America Corp... 16.15 0.00 0.00%
Facebook Inc 58.94 0.00 0.00%
General Electric Co 26.56 0.00 0.00%
Cisco Systems Inc 23.19 -0.02 -0.09%
Micron Technology In... 23.91 0.00 0.00%
Data as of Apr 17
Sponsors

Sections

Spencer has been a supporting member of the "Good Morning America" cast for the past three years. More

Obamacare sign ups hit 8 million, though final enrollment remains to be seen. More

Office for iPad move is a symbolic victory for Nadella's Microsoft, but the company is still weighed down by many of the same old issues. More

Schwinn, Trek and Cannondale are all iconic American bicycle brands. But none of them are made in the United States. More

As Detroit moves closer to reaching a bankruptcy deal, retired civilian workers are poised to be left worse off than firemen and police officers. More

Market indexes are shown in real time, except for the DJIA, which is delayed by two minutes. All times are ET. Disclaimer LIBOR Warning: Neither BBA Enterprises Limited, nor the BBA LIBOR Contributor Banks, nor Reuters, can be held liable for any irregularity or inaccuracy of BBA LIBOR. Disclaimer. Morningstar: © 2014 Morningstar, Inc. All Rights Reserved. Disclaimer The Dow Jones IndexesSM are proprietary to and distributed by Dow Jones & Company, Inc. and have been licensed for use. All content of the Dow Jones IndexesSM © 2014 is proprietary to Dow Jones & Company, Inc. Chicago Mercantile Association. The market data is the property of Chicago Mercantile Exchange Inc. and its licensors. All rights reserved. FactSet Research Systems Inc. 2014. All rights reserved. Most stock quote data provided by BATS.