Terrible: our Alipay payment link was actually abused

Does your APP use Alipay payment? Have you ever run into your payment links being abused by criminals? This article shares our experience of an APP's Alipay payment link being abused by scammers.

1. Background

One day, customer service reported that some users had bought goods on a certain APP, later found they had been scammed, and the receiving account was the Alipay account of our APP.
After investigation, the orders reported by users were almost all purchases of large-value shopping cards (100 yuan, 200 yuan), and some orders bundled several cards together.
Analysis showed that these orders share a common feature: the time between placing the order and paying is unusually long. A normal user completes payment within 30 seconds, while these orders were paid between 3 and 30 minutes after placement. Reverse-checking the users behind these orders showed that their orders have the following characteristics:
1. All are large-value shopping cards
2. The payment delay is long (more than 30 seconds)
3. All are Alipay orders, with no WeChat orders
From this we concluded that these users are problematic.
Business context: a user places an order for a shopping card in our APP. After payment succeeds, the system immediately sends the shopping card code to the user's account, and the user can redeem the shopping card with that code.
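The three traits above can be turned into a simple screening rule over order records. The following is an added example written for this article, not code from the original post or from the APP's own back end; the order records are constructed sample data, and the field names (product, channel, created_at, paid_at) are assumptions about how such records might look.

```python
from datetime import datetime, timedelta

# Constructed sample order records (not data from the post). Each record carries the
# fields the investigation compared: product type, amount, payment channel, and the
# timestamps of order placement and payment confirmation (paid_at is None if unpaid).
SAMPLE_ORDERS = [
    {"order_id": "A1", "user_id": "u1", "product": "shopping_card", "amount": 100,
     "channel": "alipay", "created_at": "2020-12-30 09:26:51", "paid_at": "2020-12-30 09:27:05"},
    {"order_id": "A2", "user_id": "u2", "product": "shopping_card", "amount": 200,
     "channel": "alipay", "created_at": "2020-12-30 09:30:00", "paid_at": "2020-12-30 09:42:10"},
    {"order_id": "A3", "user_id": "u3", "product": "shopping_card", "amount": 100,
     "channel": "wechat", "created_at": "2020-12-30 10:00:00", "paid_at": "2020-12-30 10:05:00"},
    {"order_id": "A4", "user_id": "u4", "product": "headphones", "amount": 100,
     "channel": "alipay", "created_at": "2020-12-30 10:10:00", "paid_at": "2020-12-30 10:20:00"},
    {"order_id": "A5", "user_id": "u2", "product": "shopping_card", "amount": 200,
     "channel": "alipay", "created_at": "2020-12-30 11:00:00", "paid_at": "2020-12-30 11:03:00"},
    {"order_id": "A6", "user_id": "u5", "product": "shopping_card", "amount": 200,
     "channel": "alipay", "created_at": "2020-12-30 11:30:00", "paid_at": None},
]

TIME_FMT = "%Y-%m-%d %H:%M:%S"
# Thresholds taken from the article: a normal payment completes within 30 seconds,
# and the abused orders were large-value (100/200 yuan) shopping cards.
PAY_DELAY_THRESHOLD = timedelta(seconds=30)
LARGE_CARD_MIN_AMOUNT = 100


def pay_delay(order):
    """Time between placing the order and payment confirmation, or None if unpaid."""
    if order["paid_at"] is None:
        return None
    created = datetime.strptime(order["created_at"], TIME_FMT)
    paid = datetime.strptime(order["paid_at"], TIME_FMT)
    return paid - created


def is_suspicious(order):
    """All three traits from the article must hold: a large shopping card, paid
    through Alipay, with a payment delay longer than a real user needs."""
    delay = pay_delay(order)
    if delay is None:  # unpaid orders carry no payment-delay signal yet
        return False
    return (order["product"] == "shopping_card"
            and order["amount"] >= LARGE_CARD_MIN_AMOUNT
            and order["channel"] == "alipay"
            and delay > PAY_DELAY_THRESHOLD)


def flag_orders(orders):
    """Order ids matching the pattern, in input order."""
    return [o["order_id"] for o in orders if is_suspicious(o)]


def suspicious_users(orders):
    """Reverse check from flagged orders to the accounts that received the card codes:
    returns user -> (flagged order count, total order count), sorted by user id."""
    profile = {}
    for o in orders:
        flagged, total = profile.get(o["user_id"], (0, 0))
        profile[o["user_id"]] = (flagged + int(is_suspicious(o)), total + 1)
    return {u: c for u, c in sorted(profile.items()) if c[0] > 0}


if __name__ == "__main__":
    print("flagged orders:", flag_orders(SAMPLE_ORDERS))
    print("accounts to review:", suspicious_users(SAMPLE_ORDERS))
```

Run against the sample data, the rule flags A2 and A5 and points at account u2, which received both card codes; A3 (WeChat) and A4 (a physical product) fall outside the pattern even though they were paid slowly, and the unpaid A6 is skipped rather than treated as suspicious.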

2. Reproducing the problem

1. Use user A to place an Alipay order in the APP (without paying)
2. Obtain the payment link
3. Hand it to a front-end colleague, who uses a different APP to pay with it
4. Sure enough, the payment goes through, and once it completes the system is triggered to issue the card code to user A

3. Fraud process

Flow description:
1. The scammer lists products on a well-known APP
2. A user wants to buy the product on that well-known APP and places an order
3. The scammer uses some pretext to get the user to add them on WeChat, then privately sends a link for the purchase
4. The user visits the phishing site and completes the payment (anti-fraud tip: do not trust private links from strangers)
5. The card code is issued to the scammer's account, and the scammer redeems it
The payment link is returned from the back end to the front end and used to invoke Alipay for payment. Sample payment link:
alipay_sdk=alipay-sdk-java-3.4.49.ALL&app_id=2022001116633522&biz_content=%7B%22body%22%3A%22testorder%22%2C%22out_trade_no%22%3A%22205546307409489920%22%2C%22subject%22%3A%22testorder-subject%22%2C%22total_amount%22%3A%220.01%22%7D&charset=UTF-8&format=json&method=alipay.trade.app.pay&notify_url=https%3A%2F%2Fapi.domain.com%2Fapi%2Fcallback%2Falipay%2F&sign=hdZMVVmslawvRMDKwIX%2Bcj%2BeSKHrIn7Zna5ngQt0rYgtPladQmAmdOILsNeIMCFv7ZFRVLIvjWNwsYiOxKxYdbo%2FRnR6JMbK7PSJg%2BCAjTZQYR5abcU%2Fq1eL0cjuwbtHwAC9qLBF7B95XYHeJkwwxZgK903Eb9vRyJCw6fTl7egnL3ceRphqC315gajxSzf0UkefxrWjIu55ov8zYd1wdZQ64jsJjS9y0Bh1iW5qWBXNq0lOU8VXLdg2vXUycOJs9wLP7Uv2ob%2FKmcy5DxfrPh4A9DNllwwKKwhVqPbGqQgwqArQh2hjy0FyYDQ9%2B%2FwbylG97Au6lqHlbP4GtMQVEw%3D%3D&sign_type=RSA2&timestamp=2020-12-30+09%3A26%3A51&version=1.0

4. Solutions

Alipay APP Payment Official Document: App Payment Interface 2.0 | Webpage & Mobile Application
1. Option 1
Pass Alipay's ext_user_info.need_check_info parameter when creating the order so that Alipay forcibly verifies the buyer's identity; however, this relies on our system knowing the buyer's name.
2. Option 2 (we adopted this approach, because we cannot verify the buyer's information)
Use Alipay's time_expire parameter (we recommend 30 seconds, adjustable to the actual situation) to shorten the validity of the payment link. Alipay allows the same order number to be submitted multiple times, so each call to the order-creation interface with a new time_expire extends the validity period, and refreshing the payment link is implemented on top of this feature.
Follow-up observation and analysis showed that the scammers' orders were essentially blocked, because the scammer's whole workflow cannot be completed within 30 seconds, and the link handed to the victim prompts "the payment link has expired" when they try to pay.
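The sample link in section 3 and the time_expire fix in Option 2 can be shown together: decode the link's biz_content, audit it for the two gaps the article identifies (no expiry, no buyer check), and then build the hardened biz_content with a 30-second time_expire plus the refresh step that re-submits the same out_trade_no. This is an added example written for this article, not code from the original post or from Alipay's SDK. It assumes Alipay's documented "yyyy-MM-dd HH:mm:ss" format for time_expire and the "T" value for need_check_info; the long RSA2 signature from the sample link is replaced with a placeholder, and the example does not sign anything.

```python
import json
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlencode

# The article's sample link, with its RSA2 signature replaced by a placeholder
# (the real SDK computes it over the sorted parameters; nothing here signs anything).
SAMPLE_LINK = (
    "alipay_sdk=alipay-sdk-java-3.4.49.ALL&app_id=2022001116633522"
    "&biz_content=%7B%22body%22%3A%22testorder%22%2C%22out_trade_no%22%3A%22205546307409489920%22"
    "%2C%22subject%22%3A%22testorder-subject%22%2C%22total_amount%22%3A%220.01%22%7D"
    "&charset=UTF-8&format=json&method=alipay.trade.app.pay"
    "&notify_url=https%3A%2F%2Fapi.domain.com%2Fapi%2Fcallback%2Falipay%2F"
    "&sign=SIGNATURE_PLACEHOLDER&sign_type=RSA2&timestamp=2020-12-30+09%3A26%3A51&version=1.0"
)

TIME_FMT = "%Y-%m-%d %H:%M:%S"  # assumed: Alipay's documented format for time_expire
LINK_TTL = timedelta(seconds=30)  # the 30 seconds recommended in Option 2

# Fixed clock values for the demonstration (constructed, matching the link's timestamp).
DEMO_NOW = datetime(2020, 12, 30, 9, 26, 51)
DEMO_LATER = DEMO_NOW + timedelta(minutes=5)


def parse_pay_link(link):
    """Split the query string into its parameters and decode biz_content as JSON."""
    params = {k: v[0] for k, v in parse_qs(link, keep_blank_values=True).items()}
    params["biz_content"] = json.loads(params["biz_content"])
    return params


def audit_biz_content(biz):
    """Return the gaps that let a forwarded link be paid by anyone, at any time."""
    findings = []
    if "time_expire" not in biz and "timeout_express" not in biz:
        findings.append("no expiry: link stays payable indefinitely")
    # assumed: need_check_info uses "T" to force buyer identity verification
    if biz.get("ext_user_info", {}).get("need_check_info") != "T":
        findings.append("no buyer check: any Alipay account can pay this order")
    return findings


def build_biz_content(out_trade_no, total_amount, subject, now, ttl=LINK_TTL):
    """Option 2 from the article: the same order fields plus a short absolute expiry."""
    return {
        "out_trade_no": out_trade_no,
        "total_amount": total_amount,
        "subject": subject,
        "time_expire": (now + ttl).strftime(TIME_FMT),
    }


def link_still_valid(biz, now):
    """Client-side check before reusing a cached link; Alipay enforces the real cutoff."""
    return now < datetime.strptime(biz["time_expire"], TIME_FMT)


def refresh_biz_content(biz, now, ttl=LINK_TTL):
    """Re-submit the same out_trade_no with a fresh expiry, as the article describes."""
    return build_biz_content(biz["out_trade_no"], biz["total_amount"], biz["subject"], now, ttl)


def encode_biz_content(biz):
    """URL-encode biz_content the way it appears in the payment link."""
    return urlencode({"biz_content": json.dumps(biz, separators=(",", ":"))})


if __name__ == "__main__":
    original = parse_pay_link(SAMPLE_LINK)["biz_content"]
    print("original link:", audit_biz_content(original))
    hardened = build_biz_content(original["out_trade_no"], original["total_amount"],
                                 original["subject"], DEMO_NOW)
    print("hardened link:", audit_biz_content(hardened))
    if not link_still_valid(hardened, DEMO_LATER):
        print("refreshed:", encode_biz_content(refresh_biz_content(hardened, DEMO_LATER)))
```

The audit of the original biz_content reports both gaps; the hardened version still reports the missing buyer check, which is exactly the trade-off the article makes by choosing Option 2 over Option 1. The refresh path shows why the short expiry does not break legitimate users: a client that finds its cached link expired simply asks the back end to create the order again with the same out_trade_no.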

5. Doubt

1. What scenarios does this scam apply to?
Purchases of virtual goods with no logistics, such as shopping cards, top-ups, and so on.
2. Why is WeChat Pay not abused in the same way? (If you know, please leave a comment)
Our initial guess is that WeChat Pay creates the order first and then returns the payment parameters; at payment time it checks whether the appid of the current APP matches the order. Alipay's payment link, by contrast, is simply an assembled parameter string, and no real order exists behind it.

 

Origin: blog.csdn.net/w13528476101/article/details/127150882