[Summary] Tampering with Payment Applications: Targeted Card Information and Expanding Damage | FinTech Topics #110

(Original Video in Japanese was published on the FINOLAB CHANNEL on Nov. 6, 2024)

Credit Card Information Leaks: The Threat of Payment Application Tampering and Countermeasures

In recent years, personal information leaks have been occurring frequently, and their scale is expanding. Credit card information, which has high economic value, is particularly targeted by criminals and is illegally obtained through various methods. This article explains the recent focus on information leaks due to payment application tampering.

Increasing Fraudulent Use of Credit Card Information

The fraudulent use of credit card information is increasing year by year, with 2024 seeing incidents at a pace equal to or greater than the same period last year. While counterfeit card creation was previously common, with the widespread adoption of IC chip cards, over 90% of cases now involve fraudulent use of stolen numbers for online shopping.

Recent Information Leak Cases

Several companies have recently disclosed credit card information leaks. Common features of these cases include:

  1. Information extraction through unauthorized access to online shopping sites, all run by businesses that originally sold goods through physical channels and only recently added online sales.
  2. Leakage of credit card numbers, cardholder names, expiration dates, and security codes.
  3. Long-term information leakage spanning over 3 years, starting in 2020 or 2021, and affecting between 10,000 and 90,000 victims in each case.

Methods of Payment Application Tampering

Attackers exploit vulnerabilities in e-commerce sites to tamper with payment applications. They mainly alter credit card information input forms to illegally transfer or conceal entered information. This method, called “payment application tampering,” has been warned about for some time.

Importance of Countermeasures

E-commerce sites and fintech companies, regardless of size, need to implement the following measures:

  1. Vulnerability Countermeasures:
    • Applying security patches to systems.
  2. Unauthorized Access Prevention:
    • Deployment of antivirus software.
    • Installation of Web Application Firewalls (WAF).
    • Implementation of Intrusion Prevention Systems (IPS).
  3. Preventing the Spread of Damage from Application Tampering:
    • Regular program checks.
    • Log monitoring.
    • Utilization of multi-layered defense provided by Cloud Service Providers (CSP).
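
The "regular program checks" item above can be as simple as comparing the deployed payment application files against hashes recorded at release time. The following is an added example, not code from the original video or article; the file names and the simulated change are constructed for illustration, and it assumes the baseline is kept somewhere the web server cannot write to.

```python
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path


def snapshot(root: Path) -> dict[str, str]:
    """Map each file under root (relative path) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def compare(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Report files modified, added or removed since the trusted baseline."""
    common = baseline.keys() & current.keys()
    return {
        "modified": sorted(f for f in common if baseline[f] != current[f]),
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: a checkout script is altered and an unknown file appears."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "js").mkdir()
        (root / "checkout.html").write_text("<form id='pay'>...</form>\n")
        (root / "js" / "pay.js").write_text("function submitCard() { /* original */ }\n")
        # Baseline taken at release time (assumption: stored off the web host).
        baseline = snapshot(root)
        # Simulated tampering (constructed): form script changed, extra file added.
        (root / "js" / "pay.js").write_text("function submitCard() { /* altered */ }\n")
        (root / "js" / "extra.js").write_text("// not part of the release\n")
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, files in demo().items():
        for name in files:
            print(f"{kind.upper():8} {name}")
```

Run on a schedule, any non-empty result outside a planned release is a reason to investigate, which shortens the multi-year exposure seen in the cases above.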

Summary

Payment application tampering is particularly prevalent in small-scale e-commerce sites and often goes unnoticed for extended periods. All businesses implementing payment functions, including fintech companies, must take appropriate measures at each stage: vulnerability prevention, unauthorized access prevention, and tampering detection. Neglecting these measures can lead to enormous resource requirements for investigation and customer response in the event of an information leak, and can expose the business to significant reputational risk. Implementing appropriate security measures and protecting customer trust is essential for the continued success of the business as a whole.