In June this year Vikram Singh, a 36-year-old Goods and Services Tax inspector in Mumbai, learnt that hackers had activated his Amazon Pay Later wallet without his permission and used his credit to clear three electricity bills worth nearly Rs 9,000 in Bharatpur, Rajasthan.
In Kolkata Saurabh Kumar, a 36-year-old IT professional, found his Amazon Pay Later wallet had been mysteriously activated and used to pay two electricity bills in Punjab totalling Rs 10,000. Achal Patel, a chartered accountant from Ahmedabad, said his Amazon account was breached and the intruder paid two electricity bills in Gujarat and Punjab of Rs 4,500 and Rs 5,000 using his Pay Later wallet.
Pay Later is Amazon’s latest fintech service in India where customers can buy products and clear utility bills on credit, and pay for all their purchases in one go at the end of the month at zero interest. The monthly base limit is Rs 10,000 and it goes up to Rs 60,000 depending on your payment record.
Since it was introduced this year, HuffPost India found, Pay Later's lax security, its 60-second activation process and Amazon's relentless quest to make it easier and easier for users to buy more and more stuff have spawned an innovative new form of cybercrime.
For users, the breach follows a familiar pattern: a mysterious activation of their Pay Later wallet, followed by notifications that their credit balance had been used to pay electricity and phone bills or buy digital coupons. In most cases, Amazon reversed the transactions and waived the charges, but blocked the Pay Later service for their accounts.
But who are these hackers and why are they so keen on paying utility bills?
Singh, the GST inspector, was similarly intrigued: He used his contacts in the government to trace the mobile phone number attached to the electricity bills that were paid through his stolen Amazon Pay Later credit.
HuffPost India called the number. The person who picked up refused to share his name, but guided this reporter to a private Facebook group where hackers offered to clear anyone’s electricity bills using stolen Pay Later credits, in exchange for a cash commission wired to an e-wallet.
For instance, if someone has an Rs 2,000 electricity bill, they can post how much commission they are willing to pay — say Rs 1,000.
The hacker clears the bill through the stolen Pay Later account, while the bill owner wires the Rs 1,000 to the hacker as a commission, using an e-wallet service.
The hacker said his cohort used brute-force techniques to break into accounts by guessing passwords through common expressions such as birthdates. While millions of Indians are online, cyber-literacy remains relatively low, particularly when it comes to account security. One affected user, for instance, told HuffPost India that he had set his phone number as both his Amazon username and his password. None of the accounts had enabled two-factor authentication to sign in.
Once in, hackers are aided by a fairly straightforward flaw in Pay Later's registration process: the KYC details and phone number entered during Pay Later sign-up aren't cross-verified against the identity already attached to the Amazon account. All a hacker needs is stolen KYC documents and a burner phone to set up the service and start tapping the credit limit.
In some cases, the hacker told HuffPost India, those looking to have their electricity bills paid at a discount share their own Aadhaar documents and phone numbers.
Pay Later users can start to buy stuff instantly after registration, so hackers usually burn through the initial Rs 10,000 limit before account owners even have a chance to react. A big selling point of the Pay Later service is that transactions are much faster than using a credit card, as they aren't authenticated with a One Time Password (OTP).
“Since we don’t need to enter OTP for transactions, we can easily use the spending limit without alerting the owner before,” the hacker said.
As a consequence, users find out about the breach once the transactions are completed.
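To make the chain above concrete, here is a small model of the two weak points the article describes: a sign-up step that never compares the submitted KYC data with the logged-in account's own profile, and a spend step with no OTP, placed beside a hardened version of each. This is hypothetical example code written for this page, not Amazon's, Capital Float's or KVB's implementation; the field names, the 24-hour cooling-off window, the known-device check and the sample account are all assumptions, and the victim and attacker data are constructed.

```python
"""Added illustration of the weak enrolment-and-spend flow described above.
Hypothetical model code, not the real Pay Later implementation. The field
names, cooling-off window and device check are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional, Set, Tuple

BASE_LIMIT = 10_000                 # monthly base limit quoted in the article
COOLING_OFF = timedelta(hours=24)   # assumption: step-up window after activation

def norm(s: str) -> str:
    """Case- and whitespace-insensitive key for comparing names."""
    return " ".join(s.lower().split())

@dataclass
class Account:
    phone: str                      # number registered on the shopping account
    legal_name: str
    dob: str                        # YYYY-MM-DD
    known_devices: Set[str] = field(default_factory=set)
    credit_enabled: bool = False
    credit_limit: int = 0
    activated_at: Optional[datetime] = None

@dataclass
class KycSubmission:
    legal_name: str
    dob: str
    phone: str

@dataclass
class Session:
    device_id: str
    mfa_verified: bool = False      # did a second factor (e.g. OTP) succeed in this session?

def enroll_vulnerable(acct: Account, kyc: KycSubmission, sess: Session, now: datetime) -> Tuple[bool, str]:
    """Weak flow: whatever is typed into the KYC form is accepted; nothing is
    compared with the identity already attached to the logged-in account."""
    acct.credit_enabled, acct.credit_limit, acct.activated_at = True, BASE_LIMIT, now
    return True, "activated"

def enroll_hardened(acct: Account, kyc: KycSubmission, sess: Session, now: datetime) -> Tuple[bool, str]:
    """Hardened flow: KYC must match the account profile, and activation must
    come from a known device with a second factor completed in this session."""
    checks = [
        (norm(kyc.legal_name) == norm(acct.legal_name), "name does not match account profile"),
        (kyc.dob == acct.dob, "date of birth does not match account profile"),
        (kyc.phone == acct.phone, "phone does not match registered number"),
        (sess.device_id in acct.known_devices, "unrecognised device"),
        (sess.mfa_verified, "second factor not completed"),
    ]
    for ok, reason in checks:
        if not ok:
            return False, reason
    acct.credit_enabled, acct.credit_limit, acct.activated_at = True, BASE_LIMIT, now
    return True, "activated"

def authorize_vulnerable(acct: Account, amount: int) -> Tuple[bool, str]:
    """Weak flow: no OTP on spend, so the owner only learns of it afterwards."""
    if not acct.credit_enabled or amount > acct.credit_limit:
        return False, "declined"
    acct.credit_limit -= amount
    return True, "approved"

def authorize_hardened(acct: Account, amount: int, sess: Session, now: datetime) -> Tuple[bool, str]:
    """Hardened flow: an OTP step-up is required inside the cooling-off window
    after activation or from a device the account has never seen before."""
    if not acct.credit_enabled or amount > acct.credit_limit:
        return False, "declined"
    needs_step_up = (now - acct.activated_at < COOLING_OFF
                     or sess.device_id not in acct.known_devices)
    if needs_step_up and not sess.mfa_verified:
        return False, "step-up required"
    acct.credit_limit -= amount
    return True, "approved"

def victim_account() -> Account:
    """Constructed sample account; not a real person."""
    return Account(phone="9876543210", legal_name="Example Victim",
                   dob="1984-05-12", known_devices={"victim-phone"})

def attacker_scenario() -> dict:
    """Attacker with a guessed password, stolen third-party KYC and a burner phone."""
    now = datetime(2019, 6, 1, 10, 0)          # constructed timestamp
    stolen_kyc = KycSubmission("Someone Else", "1990-01-01", "9000000001")
    burner = Session(device_id="burner-phone")  # no OTP ever completed
    out = {}
    acct = victim_account()
    out["vuln_enroll"] = enroll_vulnerable(acct, stolen_kyc, burner, now)
    out["vuln_pay"] = authorize_vulnerable(acct, 4500)   # bill paid, owner never asked
    acct = victim_account()
    out["hard_enroll"] = enroll_hardened(acct, stolen_kyc, burner, now)
    # Even if enrolment were somehow forced through, the first spend is gated.
    acct.credit_enabled, acct.credit_limit, acct.activated_at = True, BASE_LIMIT, now
    out["hard_pay"] = authorize_hardened(acct, 4500, burner, now + timedelta(minutes=5))
    return out

def owner_scenario() -> tuple:
    """The real owner, on a known device with OTP completed, passes the hardened flow."""
    now = datetime(2019, 6, 1, 10, 0)
    acct = victim_account()
    own_kyc = KycSubmission("example  victim", "1984-05-12", "9876543210")
    sess = Session(device_id="victim-phone", mfa_verified=True)
    enrolled = enroll_hardened(acct, own_kyc, sess, now)
    paid = authorize_hardened(acct, 2000, sess, now + timedelta(minutes=5))
    return enrolled, paid, acct.credit_limit
```

The point of the hardened version is not the OTP by itself but where it sits: a guessed password alone should not be enough to both switch on a credit line and drain it, so the cross-check ties the KYC form to the profile the account already has, and the step-up gates the first spends after activation and any spend from an unfamiliar device. In the model the attacker's stolen documents fail at the name check and, even if they did not, the burner phone is stopped at the first payment.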
“Amazon offers Pay Later Service in partnership with Capital Float and KVB. This offering has in-built security features with multiple checks and balances to ensure a trusted, convenient, and secure transaction experience. We continue to monitor these continuously to ensure customer safety,” an Amazon spokesperson said in an emailed statement.
Amazon refused to comment on whether it plans to investigate these reports through the various identifying information available such as electricity board and phone numbers.
Amazon But Not Amazon
Victims of the Pay Later fraud are hamstrung by the fact that the payment service isn’t an Amazon-only venture. Pay Later stems from a partnership between an Amazon-backed company called Capital Float and Karur Vysya Bank.
As a consequence, Amazon isn't technically responsible for any Pay Later issues and all grievances are forwarded to Capital Float, a revelation that many users, who were under the impression they were using an Amazon service, learned the hard way.
While signing up for Pay Later, customers also agree that, even in the event of a fraud and "for any losses or damages suffered by the customers on account of use of Amazon Pay Later", Amazon and its affiliates can't be held liable.
The security loopholes that have plagued Amazon's three-month-old service hint at a broader industry-wide trend that has emerged as several tech companies expand into India's flourishing fintech space.
Ankit Ratan, co-founder of Signzy, a fintech startup that uses artificial intelligence to eliminate digital identity and behaviour fraud, warns that if this new wave of lending apps doesn't take these ecosystem risks seriously, there can be a loss of trust among customers. While trying to offer loans quickly, companies are skipping the critical due-diligence process that traditional lenders follow, and for that they need to adopt a more gated, secure protocol, he said.
One of the reasons hackers were able to exploit Pay Later was how closely it was linked to the rest of Amazon's offerings, such as the Amazon Pay prepaid wallet. Ratan believes that lending services should be integrated through a more isolated channel to avoid such frauds.
“Credit should not be seen as just another feature, credit should be seen as a full fledged business. And be done responsibly with enough infrastructure and the right partnerships,” Ratan said.