P0di · 2014/02/18 10:40:

0x00 Background


The growth of Internet finance in 2013 was astonishing: online banking, mobile payment, third-party payment and personal loans all rose rapidly. For work reasons I did some preliminary testing (I would not call it research) of WeChat Pay last December, while other partners looked at Alipay; now I will share and compare some of the results.

I will not explain concepts such as WeChat Pay at length; if you are unfamiliar with them, see the encyclopedia. Alipay was tested by a friend, so I am not completely clear on its details, but I can set its results beside those for WeChat Pay to explain the problem better.

0x01 Brief introduction to WeChat Pay and Alipay Wallet


WeChat version number: 5.1

Alipay Wallet Version number: 7.6

The overall payment flow of WeChat Pay looks like this:

WeChat account --> bind card --> verify --> set payment password --> pay

To test properly, I bound my own bank card and spent money. The encyclopedia already describes the procedure in great detail, so I only post a screenshot of the binding result. What is Tencent's binding verification process? Through our own tests it is easy to find that the verification looks like this:

1. First card binding:

Binding further cards afterwards is relatively easy: only the mobile phone number reserved for the card and an SMS verification code are needed. (At this point you find that a WeChat account can only bind other cards belonging to the first card's holder; try to bind someone else's card and WeChat says "sorry, sir, not allowed".) Once all the above information matches, WeChat binds the bank card, and paying afterwards only requires:

--> payment password (6 digits)

Different bank cards have different maximum limits.

Alipay Wallet payment:

Alipay account --> pay from Alipay balance, credit card, savings card, or Yu'ebao

There are three payment methods:

1. Complex payment password
2. Digital payment password (6 digits)
3.

The dependency between the three payment methods is illustrated by the following graph:

0x02 Detection results and comparison


Looking at the payment flows above, it is not hard to notice that our bank card PIN is never used in any of them. So I suppose these can be called quick payments? Can someone else then maliciously bind our bank card and spend with it? According to WeChat: yes. According to Alipay Wallet: no. Why is that? Let's analyze.

The WeChat binding process is already known from above. Register a new WeChat account and follow the same steps to bind the card and pay: we found the two accounts behave identically. Different WeChat accounts, each with its own payment password, can pay with the same bank card at the same time. The binding process is: card number + ID number + mobile number reserved for the card + SMS verification code. Make the shameless assumption that these are collected by social engineering (you could target your own colleagues, ha ha); once your phone leaves your hands, your money is gone. An attentive colleague borrows your phone to make a call, and the balance on your bank card becomes indescribably small... Congratulations, he can now use your bank card at will.

card number + ID number + reserved phone number + SMS verification code ---|---|---> money gone

The following figure shows the relationship between bank cards and WeChat accounts, which is directly many-to-many (one WeChat account can bind several other cards belonging to the first card's holder):

So why not Alipay Wallet? As everyone knows, registering for Alipay requires real-name verification, and once an identity is registered it cannot be registered again. The password requirements in the later payment flow are then added layer by layer: for example, to make small payments without a password you must already have both of the password settings above. Alipay's security starts at the first step and fundamentally prevents the problem seen in WeChat. Of course, Tencent's enormous registration base cannot be restrained that way, but from a security standpoint shouldn't it be thinking about this at least as hard as Alibaba does? To show that this test is genuine, some screenshots from the test are posted as proof:
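To make the difference between the two binding models concrete, here is an added example (not code from the post, nor from Tencent or Alibaba). It models the two policies the post describes: the weak one, where anyone who presents card number + ID + reserved phone + SMS code may bind the card to any wallet account, and the strict one, where the wallet account carries one verified real-name identity that must match the card holder. It also includes the check a defender would run over the binding ledger: listing cards that have ended up bound to more than one account, which is exactly the many-to-many condition the screenshots demonstrate. The bank records, account names and OTP handling are constructed stand-ins.

```python
"""Two card-binding policies and a many-to-many detection check.

Constructed example: the bank records, accounts and the OTP flag are
simplified stand-ins, not any real payment provider's data or code.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed bank records: card number -> (holder ID number, reserved phone).
BANK_RECORDS = {
    "6222000000000001": ("110101199001011234", "13800000001"),
    "6222000000000002": ("110101199001011234", "13800000001"),  # same holder
    "6222000000000003": ("310101198505055678", "13900000003"),
}


@dataclass
class BindRequest:
    account_id: str        # wallet account performing the binding
    card_number: str
    holder_id: str         # ID number entered by the user
    reserved_phone: str    # phone number entered by the user
    otp_ok: bool           # whether the SMS verification code was correct


@dataclass
class Ledger:
    # card number -> set of account ids that have bound it
    bindings: dict = field(default_factory=lambda: defaultdict(set))
    # account id -> verified real-name identity (strict model only)
    real_names: dict = field(default_factory=dict)


def bank_verifies(req: BindRequest) -> bool:
    """Bank-side check shared by both models: details and OTP must match."""
    record = BANK_RECORDS.get(req.card_number)
    return record is not None and record == (req.holder_id, req.reserved_phone) and req.otp_ok


def bind_weak(ledger: Ledger, req: BindRequest) -> bool:
    """Binding as the post describes for WeChat 5.1: whoever presents card
    number + ID + reserved phone + SMS code may bind the card, and nothing
    ties the card holder to the wallet account doing the binding."""
    if not bank_verifies(req):
        return False
    ledger.bindings[req.card_number].add(req.account_id)
    return True


def register_real_name(ledger: Ledger, account_id: str, identity: str) -> bool:
    """Strict model: one real-name identity may back only one account."""
    if identity in ledger.real_names.values():
        return False
    ledger.real_names[account_id] = identity
    return True


def bind_strict(ledger: Ledger, req: BindRequest) -> bool:
    """Binding with the control the post attributes to Alipay: the account
    must carry a verified real name, and the card holder must be that
    same identity."""
    if not bank_verifies(req):
        return False
    verified = ledger.real_names.get(req.account_id)
    if verified is None or verified != req.holder_id:
        return False
    ledger.bindings[req.card_number].add(req.account_id)
    return True


def multi_bound_cards(ledger: Ledger) -> dict:
    """Detection: cards bound to more than one account (the many-to-many
    condition the post demonstrates). Returns card -> sorted account ids."""
    return {card: sorted(accts) for card, accts in ledger.bindings.items() if len(accts) > 1}


def demo() -> tuple:
    card, holder, phone = "6222000000000001", "110101199001011234", "13800000001"
    owner = BindRequest("wx_owner", card, holder, phone, True)
    # A second account presenting the same card details (the post's scenario).
    other = BindRequest("wx_other", card, holder, phone, True)

    weak = Ledger()
    weak_results = (bind_weak(weak, owner), bind_weak(weak, other))
    weak_alert = multi_bound_cards(weak)   # the check flags the double binding

    strict = Ledger()
    register_real_name(strict, "ali_owner", holder)
    # The same identity cannot back a second account ...
    second_reg = register_real_name(strict, "ali_other", holder)
    # ... and without a matching verified identity the binding is refused.
    strict_owner = bind_strict(strict, BindRequest("ali_owner", card, holder, phone, True))
    strict_other = bind_strict(strict, BindRequest("ali_other", card, holder, phone, True))
    return weak_results, weak_alert, second_reg, strict_owner, strict_other


if __name__ == "__main__":
    print(demo())
```

Under the weak policy both accounts bind the card and `multi_bound_cards` reports it; under the strict policy the second account can neither register the owner's identity nor bind the owner's card, so the ledger stays one-to-one per identity.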

The same card bound by different WeChat accounts:

Proof that the final payments from both phones succeeded:

From the screenshots above it is clear that this is feasible.

0x03 Other


Yours truly knows no Java and is not a strong programmer, so I did not decompile the relevant APKs. We also did a simple test of WeChat's bank services and found that most of them simply jump to the banks' own WAP pages for the actual operations. Going a step further would require forging certificates, a troublesome process involving a lot of data, so that was not tested. My skills are not up to examining the data transmission and data storage parts, and I found nothing there; interested partners are welcome to study them. This article is only meant as an introduction to mobile security. Internet finance is booming, so let's charge ahead!