Mobile payments based on SIM card information plus the user's IP address have been used in Finland for a few years, but some of the implementations don't look so good.
Today I was hanging around in a certain office and wanted to buy a cold Coca-Cola. There was a vending machine nearby with a few payment methods: coins, SMS, and also a method from a mobile payment integration company, MePay, which I tried.
Basically, with MePay you scan the QR code on the vending machine with your phone and you are redirected straight to the mobile payment website. My phone was connected to the guest WIFI network at the time, so it didn't work the first time. It said:
So I switched my phone to the mobile data connection. To my surprise, the order was then processed successfully! I just had to push a button to select a drink, and I was charged successfully.
But there was something that looked bad, things like this:
- No verification of the payer and no consent step before the charge is accepted
- HTTPS not enabled on the payment website (http://consumer.mepay.fi/shop/randomstring)
- mepay.fi refers to the domain riskpointer.fi, which is unregistered at the moment (“© 2017 mePay by Riskpointer”)
The first one is of course the worst. I tried sending the payment link to a friend on the other side of Helsinki. As soon as he had opened the link, I was able to select the drink, so this also confirms that there is no location check based on the cell towers the user is connected to.
This means that whenever someone is thirsty, they can just spam links to the payment portal and wait for the first victim to pay for their drink.
Not much of a threat? Why would anyone click a link that obviously says something about paying? Well, it turns out that the website can be embedded in an IFRAME tag:
This means that someone could post a comment containing HTML on any popular website with Finnish mobile internet users and just wait for their drink. The visitor's browser loads the embedded page on its own, over the mobile connection, so no click on the payment link is needed.
The only good thing is that at least the service can't be fooled with an X-Forwarded-For header, which I tried with my own IP address.
The other, less threatening vulnerability is that when someone shares their Finnish mobile internet connection without a password, anyone can connect to that access point, open the payment URL from the vending machine's QR code, and the payment gets processed automatically without the person sharing the connection ever knowing, unless they check their phone bill.
At least the ISP Telia warns about this on their website: “If you're sharing your connection via WIFI, consider blocking access to paid services and secure your hotspot with a password to prevent unauthorized use.”
I wonder how other mobile payment service providers have thought about their security issues, but clearly MePay hasn't done their job well.