Hackers and fraudulent customers have stolen Rs 7.38 crore by tampering with and manipulating the authorisation process of Razorpay Software to authenticate 831 failed transactions, according to a police complaint lodged by the payment gateway company.
In his complaint to the South East Cyber Crime Cell lodged on May 16, Razorpay's Head of Legal Disputes and Law Enforcement Abhishek Abhinav Anand said the company was unable to reconcile receipt of Rs 7.38 crore against 831 transactions.
On contacting its 'authorisation and authentication partner' Fiserv, a fintech and payments company, it was communicated to Razorpay that these transactions had failed and were not authorised or authenticated, the complainant said.
Following the communication from Fiserv, Razorpay conducted an internal investigation and found 831 transactions against 16 unique merchants of Razorpay, from March 6 to May 13 this year "to a tune of Rs 7,38,36,192", the complainant said.
"These 831 transactions were marked as failed or unsuccessful by Fiserv, owing to authentication and authorization failure. However, it is found out that certain unknown hackers and fraudulent customers have tampered, altered and manipulated the 'authorization and authentication process'...," Anand said in his complaint.
"Due to this, false altered communications as 'approved' were sent to Razorpay system against the 831 transactions, resulting in losses to a tune of Rs 7,38,36,192 to Razorpay," Anand further said.
On receiving the false altered communications, Razorpay sent confirmations to its merchants for fulfilment of orders and made settlements to those merchants, he stated.
Anand furnished the details of the fraudulent transactions, including date, time and IP address, along with other relevant details, to the police for inquiry.
The police said they are investigating the matter.
"Razorpay's payment gateway is at par with the industry standards on data security," said a Razorpay spokesperson. "During a routine payment process, an unauthorized actor(s) with malicious intent used the browser to tamper with authorization data on a few merchant sites which were using an older version of Razorpay's integration, due to gaps in their payment verification process. The company has conducted an audit of the platform to ensure no other systems, no merchant data and funds and neither their end-consumers were affected by this incident."
Razorpay is ISO 27k, PCI-DSS and SOC 2 compliant, and it applies end-to-end transaction data security features, combined with strong authentication and authorization protocols, to protect businesses from potential threats, the spokesperson said.
"Razorpay has proactively taken steps to mitigate the issue permanently and eliminate future occurrences. The company has already recovered part of the amount and is proactively working with the relevant authorities for the rest of the process," the spokesperson added.