I have discovered a loophole in Interswitch's online payment gateway.

I dont need a valid card information, pin code, expiration date, and I can still process a payment for it to get approved.

I have tried getting in touch with them to have a talk with Interswitch but they are not responding. And they just got certified last month as meeting international standards for online payment processor.

What can I do next? This is a huge risk for business and just waiting to be exploited.

There are agencies which have oversight function on companies such as interswitch but your claim must be valid.

Any of the processing banks can take this claim up.write to any Md of the banks or NDIC,CBN.

I can prove it.

It is replicable.

I will look up those bodies mentioned.

Thanks

I am first going to try to get their attention, mail those bodies given above, mail the certification agency. Before I will decide to make this public

I have a direct link to them. I personally am working with the company that developed the website so I can help do something about it. We can discuss things out please. Don't opensource as @Dual Core wants you to. My email is on my profile.

@cactus,
Don't post it o. Don't opensource it. A lot of businesses might suffer. If u need the contact of some of their technical persons, mail me. I'll give u their direct contact details and believe me, they will respond.

Don't even think of making it public. Nothing good can come out of that. 
But they should respond to you as soon as possible, because bad hackers may
be able to find the loophole easily now that they know for sure that one exists.

Seun. . . If I want to advertise on the home page can you give pricing and specifications? please send me a mail. djswaggz@yahoo.com Puhlease.

I think you should have quietly kept your findings to yourself and moved on with your life. If your findings are true, this thread actually does more harm than good since it will awaken the contentiousness of  Nigerian scammers to a potential "feast". But you appear to be taking it like a joke. I hope this does not land you in trouble as you have now made yourself a potential scapegoat for all past cases of fraudulent activity on their network.

Moderator, for the sake of innocent businesses that use this payment gateway, Please delete this thread.

I think you should have quietly kept your findings to yourself and moved on with your life. If your findings are true, this thread actually does more harm than good. I hope this does not land you in trouble as you have now made yourself a potential scapegoat for all past cases of fraudulent activity on their network.

This thread by itself is not a problem provided he doesn't release any information to potential fraudsters.
If Cactus acts professionally, I think this might even be a stepping stone to becoming a security consultant.

Cactus:

This is a huge risk for business and just waiting to be exploited.

Business risk to who? Merchant, Customer Or Bank

Primarily merchants, I imagine.
When such bogus payments are detected and reversed,
the merchants may have already shipped the products they 'paid' for.

Seun:

Primarily merchants, I imagine.
When such bogus payments are detected and reversed,
the merchants may have already shipped the products they 'paid' for.

Then the bank/payment gateway is liable because they misinformed the merchant . All the merchant needs is proof that his account was credited for such transaction at a point and that the good was shipped as advised by the bank/payment gateway.

Abidemi_A:

Then the bank/payment gateway is liable because they misinformed the merchant . All the merchant needs is proof that his account was credited for such transaction at a point and that the good was shipped as advised by the bank/payment gateway.

Most Nigerian banks (and big telcos) have funny contracts that absolve them of any liability in any situation.

@seun I do understand your concerns but soon and very soon, it will be discovered and potentially if it is discovered, then it can potentially be extremely disastrous they can go out of business if it gets into wrong hands, but this is Nigeria who knows.

Scapegoat, well that is none of my worries right now.

I have done for tokunbo.com, they were questioning that if i was the hacker. That was for sql injection.

Being talking with pips for advice and getting a couple of contacts together.

well finally they replied. about looking into the situation

hopefully lets see how it goes

never liked interswitch,guess thats why gtb bank decided to start their own platform.
customer service is poor and their internet payment gateway is way damn expensive

How far with this issue? I am interested in this.

why should a business be paying 150,000 just to integrate it on their platform,its pathetic
even from their shabby looking website,it shows they are not on point

@all,

I am pleased that Interswitch is taking positive steps into the issue. Assessing what is needed to be done. I am not at liberty to disclose any additional information in regards to this.

I can definitely tell y'all that Interswitch is actively working towards a resolution.

look at you, feeling cool 

Cactus:

I am pleased that Interswitch is taking positive steps into the issue. Assessing what is needed to be done. I am not at liberty to disclose any additional information in regards to this.

what you call a loop-hole is, if anything, a quasi-security measure by Interswitch bearing in mind their out dated processing equipment that would open up numerous REAL loop-holes if subjected to the algorithms required for verifying/authenticating user data in real-time, uhm, thinking,
i am probably wrong, but certainly security breaches are not initiated as clumsily as you imagine.
And that's why they did not reply your 1001 emails,

wetin ths bobo dey talk?

Dual Core:

wetin ths bobo dey talk? 

I was thinking the same thing too.

this is very interesting. . .

Cactus:

I have discovered a loophole in Interswitch's online payment gateway.

Nice one. Sounds lyk an 0-day xploit if TRUE. Nywaiz, u just increased Cyber attacks launched at Interswitch.

Lets C aw dis will go,

nigerian sites can be very irritating. a few months back, my regular pastime each morning was to browse the admin folder of a particular reputable stock broking firm and read their daily reports including notes of meetings. That doorway is still there unblocked. I read their for-subscription reports easy. Have been meaning to talk to them.

As for a respected financial securities agency on the other hand, I managed (unconsciously) to get to a page allowing me admin rights to activate some accounts (the button was there so am making assumptions). Even if no one uses that page for that purpose, my email and the emails of many other users are displayed so easily. anyone could write a bot to exploit that. thanks for reminding me with this post. I am calling them right now.

kodewrita:

nigerian sites can be very irritating. a few months back, my regular pastime each morning was to browse the admin folder of a particular reputable stock broking firm and read their daily reports including notes of meetings. That doorway is still there unblocked. I read their for-subscription reports easy. Have been meaning to talk to them.

As for a respected financial securities agency on the other hand, I managed (unconsciously) to get to a page allowing me admin rights to activate some accounts (the button was there so am making assumptions). Even if no one uses that page for that purpose, my email and the emails of many other users are displayed so easily. anyone could write a bot to exploit that. thanks for reminding me with this post. I am calling them right now.

lool, Cal them?? That sounds ridiculous!

I found an 0-day xPloit on one Nigerian Webhosting Company hosting over 100+ top profile sites that gave me r00t access to the server, sent a mail to them and TILL THIS PRESENT MOMENT DIDNT GET A REPLY TO ACKNOWLEDGE RECEIPT.

The amazing thing then was 'In less than a month, the bug was patched!'. Guess twas the approach anyway.

NB: Dont make the mistake of calling/mailing the 'Admin'. Get in contact with the COMPANY involved.

BoboYekini:

look at you, feeling cool 

what you call a loop-hole is, if anything, a quasi-security measure by Interswitch bearing in mind their out dated processing equipment that would open up numerous REAL loop-holes if subjected to the algorithms required for verifying/authenticating user data in real-time, uhm, thinking,
i am probably wrong, but certainly security breaches are not initiated as clumsily as you imagine.
And that's why they did not reply your 1001 emails,

Interswitch does not answer people quickly. That is a known fact, and it is a Nigerian company again.

abhosts:

I was thinking the same thing too.

Na too mush of book na him cuz am, him dey write all shakespare phrase for here, msheew!!

WVS can testify to the loophole, seems i need to wrk on that

@Dual Core , I just noticed you wrote jquery in your address.lol. geeks will be geeks.

UBA is also threading similar tracks as interswitch. Will give a feedback on that later. But I think UBA is also using interswitch's system. but Hopefully I will have a conclusive remark in regards to UBA's online payment implementation.

But what I have seen so far makes me worry a little bit.

Inter switch does not answer people quickly. That is a known fact, and it is a Nigerian company again.

are you trying to say all Nigerian companies have slow customer support