
Alipay's Security Vulnerabilities Were Exposed

2014/1/10 10:25:00 790


1. Over-reliance on mobile phones is a potential security hazard


Alipay has loopholes such as small-amount password-free payment and quick payment with bound bank cards. These functions are indeed problematic, but users can turn them off; we will come back to this later.

First, a problem that many users cannot change, and a serious one: Alipay's "dependence" on mobile phones.


For ordinary users, a few key items govern Alipay security: user name, login password, payment password, and digital certificate.

As long as these conditions are satisfied, the user can complete a payment.

Criminals who want to steal an Alipay account must get past these items. Do not assume that this is difficult: if a Trojan is planted on the user's phone or the phone's SIM card is cloned, criminals are very likely to be able to steal the account.


The user name is relatively easy to obtain, and the login password and payment password can both be changed with SMS verification; the same is true for removing and installing the digital certificate.

In one scenario, a Trojan is planted on the user's phone and the attackers use it to intercept the user's SMS messages and obtain the verification code, while the user is completely unaware. In another, the user's SIM card is copied directly, as shown in the following figure.


[Figure: /uploadimages/201401/10/20140110103414_sj.JPG]


In other words, once the mobile phone is controlled or the SIM card is cloned, criminals can change certain settings, such as modifying passwords, enabling wireless payment, and enabling balance payment, and steal the user's money through these means.

Of course, criminals will usually also obtain the user's identity information, because some Alipay services require ID card verification, although others do not.

In short, relying too heavily on the mobile phone is bound to pose a great security risk.


2. Mobile phone number binding problem


The problem described above is the risk when the phone number bound to the Alipay account stays unchanged. There is another case, in which the binding itself is modified: the original phone number is unbound and the criminals bind their own number.

The author has done some research on this and found that changing the phone number binding is still fairly troublesome for criminals.


Because I registered my Alipay account with an email address, when I tried to change the bound phone number the system said that the change had to go through manual review. The steps are as follows: first, Alipay sends a confirmation link to the email address; the user then clicks through to a "self-service" page; several further steps follow, as shown below.

The confirmation process as a whole is fairly thorough. If the user's information has not been leaked, it is quite difficult for criminals to change the bound phone number.

However, there are still loopholes in the system. The author could open the confirmation link sent by Alipay without logging in to Alipay, and the link appears to have no validity period: it was still valid after three days and after five days, which is very puzzling.


[Figure: /uploadimages/201401/10/20140110103345_sj.JPG]
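The two weaknesses noted above (the confirmation link opens without a login and never expires) are what a signed, time-limited, single-use link token prevents. The following is an added example, not Alipay's code; the secret, the 30-minute window, the field layout and the function names are assumptions, and account identifiers are assumed not to contain "|".

```python
import hashlib
import hmac
import secrets

SECRET = b"constructed-demo-key"  # assumption: secret held only by the server
MAX_AGE = 30 * 60                 # assumption: link valid for 30 minutes
_used = set()                     # stand-in for a server-side store of redeemed nonces


def _sign(payload):
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()


def issue_link_token(account_id, action, now):
    """Build the token carried in the e-mailed confirmation link."""
    nonce = secrets.token_urlsafe(16)  # unique per link, makes it single-use
    payload = f"{account_id}|{action}|{int(now)}|{nonce}"
    return f"{payload}|{_sign(payload)}"


def redeem_link_token(token, session_account, action, now):
    """Return 'ok', or the reason the link is refused."""
    try:
        account_id, tok_action, issued, nonce, sig = token.split("|")
    except ValueError:
        return "malformed"
    payload = f"{account_id}|{tok_action}|{issued}|{nonce}"
    # Constant-time comparison; every field below is trusted only after this.
    if not hmac.compare_digest(sig.encode(), _sign(payload).encode()):
        return "bad-signature"
    if tok_action != action:
        return "wrong-action"
    if session_account is None:
        return "login-required"   # the link on the page opened without a login
    if session_account != account_id:
        return "wrong-account"
    if now - int(issued) > MAX_AGE:
        return "expired"          # the link on the page still worked days later
    if nonce in _used:
        return "already-used"
    _used.add(nonce)
    return "ok"
```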


For users who registered with a mobile phone number, the process is simpler. Because no email address is on file, the system prompts the user to enter one, then sends the application form to that address; the rest of the process is the same as the third step above.

It can be seen that accounts registered with a phone number are less secure than accounts registered with an email address. However, phone-registered users can still add an email account to improve this.


[Figure: /uploadimages/201401/10/20140110103301_sj.JPG]




Therefore, we do not recommend registering for Alipay with a mobile phone number. If you registered with an email address, we do not recommend enabling mobile phone login.


3. Mobile Wallet security hazards


Next, the security risks of Alipay Mobile Wallet. When I first used it, I found that I could sometimes transfer money without entering the payment password. This is the small-amount password-free payment function; it is convenient, but very unsafe.

In particular, users have already tested the following on iOS: disable the network, open the Alipay mobile app, and enter the wrong gesture password 5 times; after the Alipay app is closed in the background and reopened, a new gesture can be set, and the app can then be entered even after the network is reconnected.

If the account has small-amount password-free payment enabled, there is a risk of fraudulent charges!


[Figure: /uploadimages/201401/10/20140110102917_sj.JPG]
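The gesture test described above works because the lockout does not survive an app restart and a new gesture can be set without any server check. The following is an added example, not Alipay's code, of a lock that persists its failure count and refuses a new gesture without server re-authentication; the class, the state file and the `server_reauth_ok` flag are hypothetical.

```python
import json
import os

MAX_FAILS = 5  # the test on the page hit the limit at the 5th wrong gesture


class GestureLock:
    """Hypothetical client-side lock; state_path is an assumed app-private file."""

    def __init__(self, state_path):
        self.path = state_path
        self.state = {"fails": 0, "locked": False, "gesture": None}
        if os.path.exists(state_path):  # app restart: reload state, never reset it
            with open(state_path) as fh:
                self.state = json.load(fh)

    def _save(self):
        tmp = self.path + ".tmp"        # write then rename, so a kill mid-write
        with open(tmp, "w") as fh:      # cannot leave an empty state file behind
            json.dump(self.state, fh)
        os.replace(tmp, self.path)

    def enroll(self, gesture):
        # Simplification: a real app would store a salted hash, not the gesture.
        self.state = {"fails": 0, "locked": False, "gesture": gesture}
        self._save()

    def try_unlock(self, gesture):
        if self.state["locked"]:
            return "locked"
        # Record the attempt on disk BEFORE comparing, so killing the app
        # between the comparison and the write cannot buy a free guess.
        self.state["fails"] += 1
        self.state["locked"] = self.state["fails"] >= MAX_FAILS
        self._save()
        if gesture == self.state["gesture"]:
            self.state["fails"], self.state["locked"] = 0, False
            self._save()
            return "ok"
        return "locked" if self.state["locked"] else "wrong"

    def reset_gesture(self, new_gesture, server_reauth_ok):
        # A new gesture is accepted only after the server has re-checked the
        # login password; with the network off that proof cannot exist.
        if not server_reauth_ok:
            return "reauth-required"
        self.enroll(new_gesture)
        return "ok"
```

Local state can still be tampered with on a compromised phone, so the server should also require the payment password for any transfer made after a gesture reset.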


Of course, the Mobile Wallet's problems do not end there. I subscribed to an SMS verification service that costs 6 mao a month; once it is enabled, every transfer must be verified by SMS, regardless of the amount. The function works without problems on the PC, but it is not applied on the phone.

In other words, Alipay did not synchronize this function to the Mobile Wallet.


This is also a big problem. As we all know, Alipay charges for transfers made on the PC in order to promote the mobile client, yet Alipay Mobile Wallet is still at an early stage in terms of both functionality and security. Alipay must pick up the pace and improve the mobile client.

Of course, for users of the payment shield, we suggest turning off wireless payment; otherwise security risks may remain.


Apart from these problems, users of Alipay Mobile Wallet still need to take particular care to scan for and remove viruses and Trojans on their phones. They should not visit unknown websites or scan QR codes at random, because this can infect the phone.


4. Trojans on the PC lead to theft of Alipay funds


There is also the case where a Trojan on the PC leads to Alipay funds being stolen. The attackers use the Trojan to control the user's computer remotely, and they may already have obtained the user's login password and payment password. At that point they can operate directly on the user's computer.

Of course, if the user has enabled SMS verification and similar functions, these steps alone cannot complete the theft as long as the phone is not infected and the phone number has not been leaked, but this scenario still has to be guarded against.


As for small-amount password-free payment and quick payment, these functions are familiar and have been discussed at length online, so we will not repeat the discussion here. We hope you turn these functions off to keep your account secure.
