Mobile payment is becoming increasingly popular in China, with Alipay and WeChat Payment among the most used apps on Chinese phones.
From paying bills to ordering food or booking a taxi, many common consumer transactions are being settled entirely in the digital domain. But although convenient, Alipay and WeChat have not been immune to theft.
In January, an 18-year-old in the Guangxi Zhuang Autonomous Region was charged with the theft of numerous users’ identities and nearly 1.5 billion yuan.
Last year, police in Yangzhou, Jiangsu province announced that one user had more than 60,000 yuan stolen from his account in spite of never being notified of any transaction. Police investigation revealed that the money was used for online purchases.
For most users, online payments are completed using a username, password, payment password, phone number and digital certificate.
But that information can be hard to keep secure.
A network security agency in Beijing recently studied a number of the thefts exposed in popular media and identified a common problem: most users gave away their account information by carelessly publishing personal information or completing their payments over insecure networks.
Many of the most common Chinese computer viruses belong to a class of programs called trojans, which can allow the hacker to control a user’s terminal or snoop on the data they send to websites.
Payment processes often involve a verification code, but phone apps with trojan programs can intercept these messages and forward them to hackers.
Most smartphones on the market are based on the iOS or Android operating systems, but both feature loopholes that can put users’ safety at risk.
“Hackers often set up fake Wi-Fi points with the hope that users will connect to them and begin sending information online. Any page they fetch through the Wi-Fi point can have malicious program data injected into it,” said Zhuge Jianwei, a mobile security expert at Tsinghua University.
“By taking advantage of bugs in the browsers, it’s possible to inject a new Trojan program into the phone that will give the hacker root level control,” he said.
When the user enters his Alipay account and password on an infected phone, this information will be sent to the hacker’s computer. The verification code ends up losing its purpose.
Allowing the payment platforms to bind with a bank account for fast payment knocks down the bank’s final line of defense. A hacker with access to such an account can steal money from the user’s platform account and bank account.
Last September, a man surnamed Song called the police when all the money in his bank and Alipay accounts vanished overnight.
An investigation led to the arrests of three people surnamed Qian, Chen and Yue.
In July 2014, Qian joined a chat group called “Xi Liao” and met other hackers who were skilled at intercepting Alipay accounts, passwords, phone numbers and ID information. That September, Qian spent 2,300 yuan to buy five blocks of intercepted information from Yue, including some data that Yue acquired from Song.
Chen was in charge of making fake ID cards. Armed with an ID card, Qian went to a local China Mobile Hall and had Song’s phone number reissued without any trouble. Then Qian transferred all of Song’s money to his own account.
Law for Compensation
Even though payment platforms like Alipay promised to compensate in full within 72 hours, it’s hard for every victim to enforce his or her rights.
One user who lost 50,000 yuan through Alipay was refused compensation by the platform. He filed a police report, but after two months there was no progress.
“The police told me it was a high-tech crime and would be hard to investigate,” the user said. “I went to the telecom department to get a certificate that would prove the verification message came from Chengdu, but the department said I could only get it after the case was closed.”
“Even if we end up arresting anyone, we will still have to lodge a complaint at the procuratorate and court. Then the lost money can be compensated, but it will take a long time,” said a police officer in Jihang, Yangzhou.
Security problems are hardly unique to China. Last September, Apple’s system was attacked by hackers who released hundreds of Hollywood stars’ private pictures. Previously, the Guangzhou Daily reported that iOS had a security hole that made it possible to retrieve the messages, address books and photos of iPhone users.
In this case, the payment platform Apple Pay was at fault. A survey by CreditCards.com reported that more than 60 percent of Americans never or hardly ever use their mobile phones to pay bills, even though Apple promised to protect users’ data.
Security problems with mobile payments are increasingly serious in the Internet era. To minimize the threats and losses, users are advised to carefully guard their personal information.
“Never use payment platforms or scan strange QR codes in free Wi-Fi environments. Otherwise you might end up on a phishing website. It’s also a bad idea to put too much money in any bank account that you bind to an online platform,” experts said on CCTV’s Weekly Quality Report.
They also advised users to suspend their payment account if their phone is lost or has no signal for a prolonged period.