Fake QR Code? Payment Fraud? Apps Hacking?
Case Background
In Beijing, China, there is an app similar to Octopus called RuuByPay (億通行) which provides QR code payment, promotions with banks, and more. RuuByPay launched a new QR code payment promotion, "亿通行1分钱坐地铁优惠领取", in which the QR code is generated on the app from specific keys. The key is hardcoded because the subway's network is unstable, so the app has to provide an offline payment option. The security risk of a hardcoded QR key is that once the key is extracted, an attacker can create malicious QR codes for payment. RuuByPay implemented AISecurius App Defender to harden its app.
In Hong Kong, there is a new promotion, “FPS x PromptPay QR payment”, in the Octopus App with zero transaction fees when travelling in Thailand. However, is the QR code key hardcoded there too? If so, the app carries a high risk: once attackers reverse engineer it, the key or the generation function will be exposed, and fake QR codes or fraudulent payments will follow.
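The risk described above comes from one app-wide key baked into the binary: every installed copy holds the same secret, so the backend cannot tell who produced a QR payload. The following is an added example, not code from RuuByPay, Octopus or AISecurius, of an offline QR payment token design that keeps the offline capability but limits the damage of key extraction: each enrolled device gets its own HMAC key (the `DEVICE_KEYS` store and the device ids are hypothetical and constructed here), the payload is bound to the device id, and the backend enforces a short validity window and a replay cache when the code is eventually scanned.

```python
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional, Tuple

# Hypothetical per-device key store on the payment backend. Constructed for this
# example: in production these keys would be provisioned to each enrolled device
# over an authenticated channel and rotated, never shipped inside the app binary.
DEVICE_KEYS = {
    "device-A": secrets.token_bytes(32),
    "device-B": secrets.token_bytes(32),
}

TOKEN_TTL_SECONDS = 60   # an offline token is only honoured for one minute
SEEN_NONCES = set()      # replay cache; a real backend would use a store with expiry


def make_offline_token(device_id: str, device_key: bytes, amount_cents: int,
                       now: Optional[float] = None) -> str:
    """Build the payload the app would encode into the QR code while offline.

    The HMAC is keyed per device and covers the device id, so a key extracted
    from one device cannot mint tokens that claim to come from another. With a
    single hardcoded app-wide key, by contrast, anyone who pulled that key out
    of the APK could mint tokens the backend accepts for any account.
    """
    payload = {
        "device_id": device_id,
        "amount_cents": amount_cents,
        "issued_at": int(now if now is not None else time.time()),
        "nonce": secrets.token_hex(8),
    }
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(device_key, body, hashlib.sha256).hexdigest()
    return body.decode() + "." + tag


def verify_offline_token(token: str, now: Optional[float] = None) -> Tuple[bool, str]:
    """Backend-side verification when the scanned QR payload is uploaded."""
    try:
        body, tag = token.rsplit(".", 1)
        payload = json.loads(body)
    except ValueError:
        return False, "malformed"

    device_key = DEVICE_KEYS.get(payload.get("device_id"))
    if device_key is None:
        return False, "unknown device"

    # Signature check first: constant-time compare against the device's own key.
    expected = hmac.new(device_key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return False, "bad signature"

    # Short validity window bounds how long an extracted or copied QR stays usable.
    current = now if now is not None else time.time()
    if not 0 <= current - payload["issued_at"] <= TOKEN_TTL_SECONDS:
        return False, "expired"

    # Each nonce may be redeemed once; a screenshot of the QR cannot be reused.
    if payload["nonce"] in SEEN_NONCES:
        return False, "replayed"
    SEEN_NONCES.add(payload["nonce"])
    return True, "ok"


if __name__ == "__main__":
    tok = make_offline_token("device-A", DEVICE_KEYS["device-A"], 1)
    print(verify_offline_token(tok))   # first redemption succeeds
    print(verify_offline_token(tok))   # second redemption is rejected as a replay
```

The design choice worth noting is that the secret never has to be the same across installs: provisioning a per-device key at enrolment costs one online round trip, after which the app can generate codes offline exactly as the promotion requires, while the backend retains the ability to revoke a single compromised device instead of re-releasing the whole app.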
Solutions
To prevent the above security risk, AISecurius offers a Mobile App Vulnerability Scan service which more than a hundred companies adopt every year. A Real-time Decision Engine is also necessary: it can prevent and detect fraudulent transactions at the millisecond level with configurable anti-fraud rules or models. AISecurius has proven this, and there are testimonials from FSI customers.
AISecurius | Fraud Detection