Automatic Bank Payment Authorization Form: Fill & Download for Free

Tricked HDFC to get a serious work done and attempted to book a ticket with IRCTC for 1 rupee.Incident #1: Tricking HDFC to change my mobile no.I have an account with HDFC Bank and I frequently use their net banking site (Welcome to HDFC Bank NetBanking) for transferring funds. My mobile no. is linked with the account so HDFC will send the one time password (OTP) to this mobile no. to authorize the payment request I initiate through their net banking site. The OTP is part of the two-factor authentication to make the net banking transactions secure, as mandated by RBI.Once I lost my mobile, so I couldn't make any transactions since I don't have access to my mobile to receive the OTP. I came to know that I have to give a written request to the HDFC along with ID proof, visiting their branch in-person to change the mobile no. Providing an option to change the mobile no. in the website will render the two-factor authentication meaningless. The branch is one hour bike ride from my location. Since 2 hours Internet bandwidth is cheaper than petrol for 2 hours bike riding [to and fro], I decided to give the former, a try.I logged-in into the net banking site and navigated to the profile page. There, mobile no. was shown but it can only be viewed. I can modify few fields in the form, but not the mobile no.​​​​​I started analyzing the HTTP requests through network panel of the browser's console. I observed mobile no. also got submitted as part of the form. Why a readonly value from form should get submitted to server? I could smell something wrong in the implementation.I enabled the interceptor of Tamper data plugin in Firefox, changed nothing in the profile, clicked the continue button to trigger form submission. Tamper data intercepted the form submission and showed me all the form values that are ready to be submitted to the server. I modified the mobile no. with the new one and forwarded the request to server. The server responded with the profile page with the new mobile no. I changed. I couldn't believe that I had succeeded with the exploitation of Mass Assignment Vulnerability at HDFC site and able to receive the OTP to the newly changed mobile no.A note for those who think changing mobile no. is not a big deal. An attacker who gains access to my HDFC username and password will bypass OTP authorization by changing the mobile to theirs and can start transferring funds.Succeeded with the first trick at HDFC, I tried transferring negative funds to my friend, thinking that they'll deduct fund in my friend's account and will add it to mine (What a greedy thought!), but it didn't happen. They are sane enough to have validation on negative amount.What's wrong with the implementation?When you develop apps with web frameworks, they'll give you an easy way to collect all the values of form fields by mapping the instance of the ORM model class that is intended to handle the form values and the form that actually renders to web page. The values will be mass-assigned by mapping the property of the ORM instance to the name of the form field automatically, not one by one upon form submission.In such cases, there should have been proper validation for the forms based on the scenario. Something like, if HDFC net banking user, check the presence of these fields and validate them against these business rules and assign only the expected fields and ignore the rest. They blindly assumed mobile no. can only be changed by HDFC personnel, not by net banking user. Just because the field is not present or disabled doesn't mean the user won't be able to submit values for those fields. Even if mobile no. haven't been submitted when I analyzed, I would still have tried guessing the field name by observing the naming pattern of other fields in the form and added this field when the form got submitted to server.They should have implemented some sort of RBAC based scenarios when validating forms [If HDFC net banking user, expect, validate and assign only these values when doing mass-assignment]. I reported the issue to Oracle whose net banking product (flexcube) is used by HDFC.Incident #2: Fun with IRCTCUsing the same 'Tamper data' technique, I tried booking a ticket for Re.1 at IRCTC. Though, I thought IRCTC would not take me to the payment gateway, it did with Re.1. I paid Rs.13 (Re.1 for ticket and Rs.12 for service charge) for the ticket through my SBI net banking, but transaction failed when it redirected back to IRCTC.​​​​I was happy with the failed transaction, at least the system denied to deliver a ticket for manipulated amount. When I checked the ticket booking history, it appeared in cancelled tickets history with the total amount of ticket being Rs.13, but the refund was Rs.262.​Later on, I have been notified through email that my attempt to book a ticket from Chennai - Tirunelveli has been failed and I will get my refund of Rs.262 in my account soon and reinforced the refund amount. Before cyber crime police knock my door, I wrote to IRCTC of the issue, they said they will look into it. Fortunately, I haven't got the refund of Rs.262. I didn't get my Rs.13, either which I had actually paid.What's wrong with implementation?In the case of IRCTC, it is blunder. Cost of ticket for the routes are standard ones and not given by user, why should they take it from web form? Even if they had to submit the values to third-party website, they should have generated some sort of digest / checksum with the key known to them and their partner or any standard cryptographic technique to detect tampering of data in the transit.In a nutshell, the app developers should be aware of the web security, common attacking techniques and basics of cryptography to develop a website that is hard to compromise. This is especially true when the site functionality involves money. If the website loses its stability upon simple browser plugin, how they would stand against from the attacker having sophisticated hacking tools?Note: If you are looking for some tips on getting tatkal ticket booking through IRCTC, you may find the following article in my blog helpful. The content is years old, but few techniques still apply.IRCTC - Ticket booking tricks

A chargeback is a transaction reversal meant to serve as a form of consumer protection from fraudulent activity committed by both merchants and individuals. The protection is intended to protect consumers from merchants selling snake oil and witch salt as well as thieves using their info to purchase goods and services without their permission or knowledge.Cardholders file a dispute with their issuing bank, at which point the merchant’s bank is debited the amount of the transaction that was previously credited.The merchant must provide compelling evidence to disprove any fraudulent activity associated with the transaction. If the customer’s bank (issuing bank) deems the evidence enough to overturn the cardholder’s dispute, the funds are returned to the merchant. If the cardholder still believes they are the victim of fraud, they can chargeback the item/service again. If the merchant continues to provide compelling evidence and the acquiring bank supports the merchant’s efforts and the issuing bank does not then the Network will be called upon to arbitrate the matter. At this point the merchant is incurring heavy fees they may not get back.For a more detailed and much lengthier definition seeTo fight a chargeback this is everything you need to knowEverything You Need to Know about ChargebacksHow they work, how they’re relevant, how they’re processed, and how we can assist you in obtaining yours.You did not authorize the transaction, orThe transaction was made for goods or services that were not delivered as contractedIf you didn’t authorize a particular purchase, then you’re in luck according to your bank. If your credit card was stolen or the signature on a receipt was forged, its use constitutes fraud. In such a case, you are automatically exempted from payment under the terms of the agreement you signed with the credit card company. Your request for a chargeback[1] will very likely be approved and your credit card account will be credited the full amount of the transaction.What about Goods and Services?If you purchased merchandise that was defective when it arrived, or if it wasn’t delivered at all, that’s relatively easy for your bank to understand and process correctly.But obtaining a chargeback for services that were not delivered as contracted is a challenge. In fact, it’s daunting to prove, because you really did authorize the payment and received something – just the wrong something.Especially if you fall victim to a scamEspecially an online scam whose perpetrators are here today and gone tomorrowEspecially when the scam involves binary options, forex or other contracts for difference (CFDs)Especially in online scam investments involving fake real estate deals and offeringsFraudulent binary options and fraudulent CFD trading victimize you because these scams employ platforms that do not adhere to any obligatory trading rules and procedures.Footnotes[1] Recover lost money from Binary and Cryptocurrency Scam

Hello! – As you can see from my bio line, I am the Product Manager for UniPay Gateway at United Thinkers.When you first enter the world of payment processing there is a large amount of technical jargon and terminology that gets tossed around, making even the most innocent of terms, such as “merchant account” and “payment gateway” seem complicated or confusingly similar.A merchant account is essentially an online bank account or “holding tank” that holds your money until it goes into your real bank account. When a sale is successfully completed, the customer’s money is transferred into your merchant account where it remains for a few days before it is automatically transferred into your bank account.Typically, independent sales organizations (ISOs) provide merchant accounts. They may also be provided by member service providers (MSPs) who have agreements in place with processors to provide merchant services and provide merchant accounts.Ultimately, a payment gateway provider offers your company their service in processing credit cards. Your terminals and e-Commerce site(s) send credit card information to a payment gateway for authorization and for the actual processing of the payment. If the charge is approved, the payment gateway transfers the funds for the charge into your company’s merchant account.Another key term you should familiarize yourself with is a payment processor.A payment processor – also called an acquirer – is a financial institution that provides background payment processing to a merchant. In most cases, a payment processor or acquirer is a bank. These institutions form partnerships with the ISOs and MSPs that work directly with merchants and consumers. The acquirer provides the authorization for the transaction.Summary:Here’s the bottom line: A merchant account is a bank account that accepts your company’s online payments and holds the money. A payment gateway is a provider of the technology that allows you to access payment networks. A payment processor is a financial institution that provides background payment processing to a merchant.You can learn more from this article:What’s the Difference Between A Merchant Account and A Payment Gateway?Or review our video we recently released, to learn more about fundamentals of payment processing :