Update: Countering what Patel claims in the interview below, Akash Mahajan points out a web server update log (screenshot) that indicates that the upgrade to Apache 2.2.17 for CCAvenue took place today. Patel had told us that the upgrade took place 5 months ago. As a counterpoint, OneMindsl says that Netcraft updates that data only when requested, so this may not be indicative of upgrades, rather updates of upgrades (confusing, eh?). More updates in our earlier report, here.
Earlier today: An initial rebuttal from Vishwas Patel, CEO of CCAvenue, responding to reports that their database was hacked. CCAvenue is among India’s largest payment gateway service providers. Excerpts from our conversation with Patel:
Patel: “First thing is that this is a mischievous slander against our name.
(Secondly) We confirm that the screenshot that he has put up of the database is not of our current database, which is on the live server. We are investigating the one which he has put up, and where he has got that one, but the data is not of the live database.
The third thing is that the server type (in the hacking report) has put is Apache/2.2.14, and it says that the hack was done on 4th May 2011, at 15:15pm. Now we have the logs and the confirmation that we had changed the server around five months back to 2.2.17, and not this version. We have logs and third party qualified assessors who will confirm to it, and I will share report with you by next week, when we get the final report. The assessment was done a few days ago.
He also says that all the merchant login credentials are in text format. All this, I can confirm to you that merchant login credentials are in an encrypted format in our database, and it will be confirmed in the report from the external third party auditor, mandated by the card companies. All the merchant username and passwords are in an encrypted format in our database.
MediaNama: But are the usernames and passwords published correct?
Patel: No, these are not correct. There is obviously some mischief somewhere, which we are investigating. Whatever is stored in our database is in an encrypted format, not in text format. This is not of the real live database schema, and we are investigating and will give you much more (information). We don’t have the same database schema.
Fourth thing he says is that there is a hidden SQL injection that you can do. I can confirm to you, and you can with anybody, who can do a blind SQL injection anywhere in our application. We have done tests for the last two months when this entire PC was going on.
The credit card numbers are not stored anywhere in our database, as per PCI norms. Only the first six and last 4 card numbers of the last 15 days are stored. And those are also BSI encrypted, for which there is a key, and to open that there is a master key, and those keys are not stored online anywhere. It is there with our head of security, who is the only person with access to it. The encryption has been in place on our servers for the last four years.
MediaNama: So you’re saying that the merchant data has not been accessed?
Patel: It hasn’t. If you see, Apache 2.2.14 – we’ve been live with Apache 2.2.17 for last five months. (Ed: Please see update above)
MediaNama: You’re also saying that merchant account passwords have not been stored as plain text?
Patel: They are encrypted, and not stored as plain text.
MediaNama: Have you ever been told that there is a security hole of some sort?
Patel: We are looking into this, and this is the initial report. From time to time what we get, I am sharing with you. As more information comes out as we investigate, we will share it.