A normal online shopping process works as follows:
Merchant (such as Taobao) → Third-party payment site (such as PayPal, Yeepay) → Online banking (such as ICBC)
Online shopping is a cross-platform process that involves transmitting information between these parties. The order number is the unique identifier shared across the different platforms. However, the order carries only product information and nothing that ties it to the account of the user who created it. This was a major design flaw that made phishing easy in the online payment process described above.
The reason for this design defect is that each platform in the online shopping process has its own account system, and these account systems do not correspond to one another. Between the platforms, the order number is the only piece of basic information that is shared.
For example, a bank account includes a bank card number and an account name, while a third-party payment platform and the merchant have their own account systems.
A user named Mr. Zhang registers the account abc at Jingdong Mall; his PayPal account is xyz and his bank card number is xxx. If Mr. Zhang buys an air conditioner at Jingdong Mall and pays for it via PayPal through online banking, his bank sees only his card number xxx and does not know that abc at Jingdong Mall and xyz at PayPal are also Mr. Zhang; likewise, PayPal does not know that Mr. Zhang is abc at Jingdong Mall.
Mr. Zhang's bank knows only that he has made a payment, but not whether the order has been paid or who the payee is.
How is this loophole exploited? A fraudster creates an order on a merchant site and then tricks the user into paying for it on a third-party payment platform, or sets up a fake third-party payment platform so that the user remits money to the fraudster's account, as demonstrated earlier.
There are thousands of online businesses in China, dozens of third-party payment platforms such as Alipay, and dozens of banks offering online payment services. These platforms have complex and differing setups, which makes it hard for them to correspond to one another in terms of synchronizing accounts.
To resolve this issue, we need a unified client information system that shares data across the platforms throughout the whole online payment process, so that it can be ensured that the order is paid by the order creator himself. However, in some cases, according to users' needs, a user other than the order creator must also be allowed to pay, so an online shopping process design must include that provision. Currently, using the client IP address for this purpose is the more economical option and the easiest to promote.
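The binding described above, modelled as an added example (not code from the book or from any real payment platform): the merchant records the creating client's IP with the order, the payment platform consults that record before accepting a payment, and an explicit opt-in flag covers the case where the creator wants someone else to pay. The class names, fields and sample data are assumptions constructed for this illustration.

```python
"""Order/payer binding check across merchant and payment platform.
Added illustration of the shared-client-information mitigation; names,
fields and the use of client IP as the shared identifier are assumptions."""
from dataclasses import dataclass


@dataclass
class Order:
    order_id: str
    amount: int                   # amount in cents
    creator_ip: str               # client IP the merchant saw when the order was created
    allow_other_payer: bool = False  # creator explicitly permits another user to pay


class Merchant:
    """Order-creating platform; shares order data with the payment platform."""
    def __init__(self):
        self._orders = {}

    def create_order(self, order_id, amount, client_ip, allow_other_payer=False):
        self._orders[order_id] = Order(order_id, amount, client_ip, allow_other_payer)
        return self._orders[order_id]

    def lookup(self, order_id):
        return self._orders.get(order_id)


class PaymentPlatform:
    """Third-party payment platform; checks the order binding before accepting money."""
    def __init__(self, merchant):
        self.merchant = merchant

    def pay(self, order_id, amount, payer_ip):
        order = self.merchant.lookup(order_id)
        if order is None:
            return "rejected: unknown order"
        if amount != order.amount:
            return "rejected: amount mismatch"
        # The phishing case: the order was created from one client, but a different
        # client (the lured user) is now trying to pay it and the creator never opted in.
        if payer_ip != order.creator_ip and not order.allow_other_payer:
            return "rejected: payer is not the order creator"
        return "accepted"


def demo():
    merchant = Merchant()
    platform = PaymentPlatform(merchant)
    merchant.create_order("A1001", 299900, "203.0.113.10")                      # constructed
    merchant.create_order("A1002", 5000, "203.0.113.11", allow_other_payer=True)  # constructed
    return (
        platform.pay("A1001", 299900, "203.0.113.10"),  # creator pays: accepted
        platform.pay("A1001", 299900, "198.51.100.7"),  # different client, no opt-in: rejected
        platform.pay("A1002", 5000, "198.51.100.7"),    # creator opted in: accepted
        platform.pay("B9999", 100, "203.0.113.10"),     # no such order: rejected
    )
```

Client IP is a weak identifier in practice (shared NAT addresses, proxies and mobile networks put unrelated users behind one address and move one user across many), so a deployment would treat it as one signal in the shared client record rather than the sole key.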
Phishing sites are not a problem for individual websites alone but for the entire Internet. A united front is needed to improve and clean up the Internet environment.