Security Horror stories in Payments

Nemo
January 25, 2017

My talk at 50p Conference by HasGeek.

Talk Proposal: https://50p.talkfunnel.com/2017/22-security-horror-stories-in-payments

Conference Details: https://50p.in/2017/


Transcript

  1. Security Horror
    Stories in
    Payments
    '); DROP TABLE payments; --
    Nemo
    Razorpay

  2. Nemo

  3. Security ∩ Payments

  4. Useless Security

  5. Over Engineering Security

  6. Over Engineering Security

  7. Over Engineering Security

  8. Over Engineering Security

  9. Over Engineering Security

  10. Confidentiality

  11. Confidentiality

  12. Confidentiality

  13. Replay Attacks

  14. Replay Attacks

  15. Confidentiality

  16. Confidentiality

  17. Don’t do it!

  18. Message Integrity

  19. Request

  20. Request

  21. Request
    http://ndna-website.com/makeRequest

  22. Sign all the things!
    LETTER
    NUMBER
    568

  23. Should have gotten it reviewed

  24. HMAC?
    Hmac is a mandatory field which should be prepared following the steps below:
    1. Concatenate App Id, Mobile number and Device Id with the separator “|”.
    2. Create a hash of the concatenated string using SHA-256 algorithm.
    3. Encrypt the hash with the token as key using AES-256 algorithm.
    4. Populate HMAC with the encrypted string.

  25. HMAC?
    Hmac is a mandatory field which should be prepared following the steps below:
    1. Concatenate App Id, Mobile number and Device Id with the separator “|”.
    2. Create a hash of the concatenated string using SHA-256 algorithm.
    3. Encrypt the hash with the token as key using AES-256 algorithm.
    4. Populate HMAC with the encrypted string.

  26. HMAC?
    Hmac is a mandatory field which should be prepared following the steps below:
    1. Concatenate App Id, Mobile number and Device Id with the separator “|”.
    2. Create a hash of the concatenated string using SHA-256 algorithm.
    3. Encrypt the hash with the token as key using AES-256 algorithm.
    4. Populate HMAC with the encrypted string.
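
    The recipe on this slide yields a keyless SHA-256 digest that is then AES-encrypted with the token; nothing in it is an HMAC, and the "|" join is ambiguous whenever a field value can itself contain "|". The block below is an added example written for this page, not code from the talk, from Razorpay, or from the vendor whose documentation the slide quotes. It shows the "standard" HMAC that the Learnings slide recommends, using only Python's standard library: an HMAC-SHA256 tag over an unambiguous encoding of the fields, verified in constant time, with a timestamp and nonce so that a captured request cannot be replayed (the Replay Attacks slides). `pipe_join_hash` reproduces steps 1-2 of the slide only to show the field-boundary ambiguity; the AES step is omitted because it adds no authenticity. The key, field names, `build_request` and `RequestVerifier` are all hypothetical.

    ```python
    import hashlib
    import hmac
    import json
    import secrets
    import time

    # Constructed sample key shared between the merchant app and the gateway in
    # this hypothetical setup. Not a real credential.
    SHARED_KEY = b"example-shared-secret-for-demo-only"


    def pipe_join_hash(app_id: str, mobile: str, device_id: str) -> str:
        """Steps 1-2 of the slide's recipe: keyless SHA-256 over a '|' join.

        Anyone who knows the field values can compute this, so it says nothing
        about who sent the request, and two different field sets can collide
        whenever a value contains the separator.
        """
        joined = "|".join([app_id, mobile, device_id])
        return hashlib.sha256(joined.encode()).hexdigest()


    def canonical_message(fields: dict) -> bytes:
        """One unambiguous byte string per mapping (sorted keys, no whitespace)."""
        return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


    def sign(fields: dict, key: bytes = SHARED_KEY) -> str:
        """Standard HMAC-SHA256 tag over the canonical encoding of the fields."""
        return hmac.new(key, canonical_message(fields), hashlib.sha256).hexdigest()


    def build_request(app_id: str, mobile: str, device_id: str, now=None):
        """Client side: the fields plus a timestamp and random nonce, then the tag."""
        fields = {
            "app_id": app_id,
            "mobile": mobile,
            "device_id": device_id,
            "timestamp": int(time.time() if now is None else now),
            "nonce": secrets.token_hex(16),
        }
        return fields, sign(fields)


    class RequestVerifier:
        """Server side: checks the tag, then freshness, then nonce uniqueness."""

        def __init__(self, key: bytes = SHARED_KEY, max_skew: int = 300):
            self.key = key
            self.max_skew = max_skew          # seconds of clock drift tolerated
            self.seen_nonces = set()          # production: a store with expiry

        def verify(self, fields: dict, tag: str, now=None) -> bool:
            now = time.time() if now is None else now
            # Constant-time comparison; a plain == leaks the match length.
            if not hmac.compare_digest(sign(fields, self.key), str(tag)):
                return False
            ts = fields.get("timestamp")
            if not isinstance(ts, (int, float)) or abs(now - ts) > self.max_skew:
                return False
            nonce = fields.get("nonce")
            if not isinstance(nonce, str) or not nonce or nonce in self.seen_nonces:
                return False
            self.seen_nonces.add(nonce)
            return True


    if __name__ == "__main__":
        fields, tag = build_request("app-1", "9000000000", "dev-42")
        verifier = RequestVerifier()
        print("genuine :", verifier.verify(fields, tag))   # True
        print("replayed:", verifier.verify(fields, tag))   # False: nonce already seen
    ```

    The verifier checks the tag before it looks at the timestamp or nonce, so malformed or forged requests are rejected without touching the nonce store. The nonce set is in memory here; a real gateway would keep it in shared storage and expire entries older than `max_skew`, since nothing older can pass the freshness check anyway.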

  27. Set it to fire and try again

  28. PCI-DSS 101
    3.2 Do not store sensitive authentication data after authorization (even if
    encrypted). If sensitive authentication data is received, render all data
    unrecoverable upon completion of the authorization process.

  29. Any guesses what this does?

  30. Any guesses what this does?

  31. Any guesses what this does?

  32. Any guesses what this does?

  33. git commit -m “Adds feature to iOS”

  34. Learnings
    1. Don’t roll your own Crypto.
    2. Don’t overengineer security
       a. Rely on TLS / PGP / Bcrypt / HMAC
    3. Use standard authentication
       i. JWT (JSON Web Tokens)
       ii. Token Auth
       iii. Use “standard” HMAC for signatures
    4. Use NaCl for encryption

  35. if you have to type the letters “A-E-S” into your source code, you’re doing it wrong.
    - Thomas Ptacek
    goo.gl/DEl4bC

  36. Good vs Bad Security
    - Authentication
    - Authorization
    - Confidentiality
    - Integrity

  37. Good vs Bad Security
    - Authentication
    - Authorization
    - Confidentiality
    - Integrity
