How a restaurant owner figured out he was scammed by Paytm
The article was jointly authored by Gautam Ghai and Manan Khurana.
As the world becomes a more connected place and the use of the internet penetrates further across the globe, we are seeing a substantial increase in the use of digital transactions and an influx of digital payment systems.
In India, demonetisation resulted in a surge in digital transactions, since they became a need more than a convenience or privilege. The government's increased focus on promoting digital transactions has produced multiple incentive and discount schemes across platforms. It has become increasingly clear that to remain a competitive business, we have to enable an online payment system to remain profitable.
However, from a technical point of view, India is at such a nascent stage when it comes to cyber security that unless there is awareness and better security protocols relating to digital transactions are put in place, we are headed for disaster. A recent experience has brought this very troubling reality to light.
As the owner of a pan-Asian restaurant chain operating in the Delhi-NCR area, Happy Hakka, we aim to offer our customers a good experience and convenience. To ensure that all aspects of ordering food are intuitive, easy and require minimal manual intervention, we launched an online ordering system, with apps on both iOS and Android and online payment integration with what is now the largest comprehensive system, Paytm.
On July 17, 2017, a user/customer placed a large order of over Rs 3,000 from Gurgaon on Happy Hakka's website, which captured the following code from the Paytm API:
The response above has recorded a successful payment from the customer’s Paytm wallet. However, much to our surprise, at the time of the end-of-the day reconciliation, we found out that the transaction had failed and the amount hadn’t been credited to Happy Hakka.
What we did next:
We immediately contacted Paytm support, who informed us that the transaction had failed and upon further prodding sent us the following request data:
Let's break down the key observations of the transaction:
The transaction IDs are identical, but the response code is "14111", which, according to the Paytm support team, qualifies as a failed transaction, against the "01" we received, which signifies a successfully completed transaction.
Also, it is important to note that the number used to place the order was not made available and the customer had requested delivery in a public place. This led us to believe that this was an organised exploit by someone who knew about this obvious and very apparent security loophole!
Upon further investigation, Paytm told us that they had sent us some emails, the first one on April 17, 2017, requesting vendors to "implement another verification call to their servers", and that the verification call had not been implemented at our end.
However, there had been no attempt by Paytm to ensure compliance by removing the old API or by ensuring that a transaction fails if this apparently mandatory check is not made. Even now, the failed transaction is not reflected on Paytm's servers.
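To make concrete what the missing verification call changes, here is an added example (not Happy Hakka's or Paytm's code) of a merchant-side payment callback handler in the trusting form the article describes beside a hardened form that asks the gateway's own servers before marking an order paid, plus the end-of-day reconciliation the article recommends later. The field names (ORDERID, TXNID, RESPCODE, TXNAMOUNT, CHECKSUM), the HMAC checksum scheme and the in-memory gateway lookup are assumptions that stand in for the real API; only the codes "01" and "14111" come from the article.

```python
import hmac
import hashlib

# Constructed sample secret shared between merchant and gateway (assumption).
MERCHANT_KEY = b"merchant-secret-key"
# Constructed gateway-side records: what the gateway's own servers hold for each
# transaction. "01" = success, "14111" = failed, the two codes the article cites.
GATEWAY_RECORDS = {
    "TXN1001": {"ORDERID": "ORD-42", "RESPCODE": "14111", "TXNAMOUNT": "3150.00"},
    "TXN1002": {"ORDERID": "ORD-43", "RESPCODE": "01", "TXNAMOUNT": "450.00"},
}

def gateway_status(txnid):
    """Stand-in for the server-to-server status query the gateway asked merchants to add."""
    return GATEWAY_RECORDS.get(txnid)

def checksum(fields):
    """Stand-in for the gateway's checksum over callback fields (HMAC-SHA256 here)."""
    msg = "|".join(f"{k}={fields[k]}" for k in sorted(fields) if k != "CHECKSUM")
    return hmac.new(MERCHANT_KEY, msg.encode(), hashlib.sha256).hexdigest()

def vulnerable_handler(callback, order_amount):
    """Marks the order paid on the client-posted RESPCODE alone, as the article describes."""
    return callback.get("RESPCODE") == "01"

def verified_with_gateway(callback, order_amount):
    """The missing check: ask the gateway directly and trust only its answer."""
    record = gateway_status(callback.get("TXNID"))
    if record is None or record["ORDERID"] != callback.get("ORDERID"):
        return False  # unknown transaction, or one that belongs to another order
    return record["RESPCODE"] == "01" and record["TXNAMOUNT"] == order_amount

def hardened_handler(callback, order_amount):
    """Checksum must match AND the gateway's own record must say success for this amount."""
    if not hmac.compare_digest(checksum(callback), callback.get("CHECKSUM", "")):
        return False  # tampered or unsigned callback
    return verified_with_gateway(callback, order_amount)

def reconcile(merchant_ledger):
    """End-of-day check: orders marked paid locally whose gateway record is not a success."""
    return sorted(order for order, txnid in merchant_ledger.items()
                  if (gateway_status(txnid) or {}).get("RESPCODE") != "01")

# Constructed callbacks: the forged one claims "01" for a txn the gateway recorded as "14111".
FORGED_CALLBACK = {"ORDERID": "ORD-42", "TXNID": "TXN1001", "RESPCODE": "01",
                   "TXNAMOUNT": "3150.00", "CHECKSUM": "not-a-valid-checksum"}
GENUINE_CALLBACK = {"ORDERID": "ORD-43", "TXNID": "TXN1002", "RESPCODE": "01",
                    "TXNAMOUNT": "450.00"}
GENUINE_CALLBACK["CHECKSUM"] = checksum(GENUINE_CALLBACK)
```

The forged callback is accepted by the trusting handler and rejected by the gateway lookup even before the checksum is considered, which is the gap the merchant's daily reconciliation also surfaces.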
This concerns all businesses moving towards cashless models and pushing online payments to their customers — the lack of action and seriousness just underlines the lackadaisical attitude towards the security of online transactions and could have catastrophic effects if left unaddressed.
If your customers send you payments online, mostly through Paytm, here are three reasons why you should be worried:
1. No demonstrable strategy or measures for fraud prevention.
2. Very poor online merchant grievance redressal system and next to zero protection for online businesses.
3. Lack of awareness among online merchants about the security loopholes and therefore missing checks and balances to counter them.
While the second verification notice exists, it is incredibly hard to understand, navigate and implement, if that is possible at all.
The lack of adequate customer support magnifies this problem and will continue to do so until it’s too late.
Compounding the problem is the ineffective documentation for troubleshooting. It was inaccurate and incomplete and especially troublesome because they eventually asked us to test it on their live servers, which, in itself, should not have been allowed and is a major red flag!
While most other online wallet payment systems have made the second verification mandatory, and Paytm itself has a dual verification system in place, the fact of the matter is that, as a service provider, the onus of keeping the merchant secure while using their system is on Paytm, but they don't seem to take it seriously or enforce it in any way. Unless online merchants are aware of this verification system and know how to use it, they run the risk of getting duped.
While my tech background allows me to find such loopholes, the experience had me wondering how a business that accepts online payments through Paytm can guard against such fraud. How can they continue to allow transactions to happen without crucial security measures in place?
What you can do
As service providers (restaurant owners), we fully understand that it is key to provide our patrons convenience for a great user experience. Isn't that also the responsibility of online wallet service providers? Shouldn’t that experience be made safe as well?
The evident lack of importance attached to creating a robust environment for people who use Paytm's services is alarming. Since we cannot function without digital transactions in today's world, I recommend that online merchants reconcile these transactions every day to ensure such fraud is minimised, and to protect themselves in the absence of clear legislation to manage such situations.
(Gautam Ghai is an all-round gentleman, a serial entrepreneur, traveller, whiskey connoisseur and foodie. Gautam is the founder and CEO of Sourcefuse Technologies and a Pan-Asian restaurant chain, Happy Hakka. You can get in touch with him at firstname.lastname@example.org.
Manan Khurana is a content editor and digital marketer who works on building quality content and is a health food enthusiast with a charmeeeeeeng isssmaile. She can be reached at: email@example.com)