
Security Horror stories in Payments

Nemo
January 25, 2017


My talk at 50p Conference by HasGeek.

Talk Proposal: https://50p.talkfunnel.com/2017/22-security-horror-stories-in-payments

Conference Details: https://50p.in/2017/


Transcript

  1. Security Horror Stories in Payments '); DROP TABLE payments; --

    Nemo Razorpay
  2. Nemo

  3. Security ∩ Payments

  4. Useless Security

  5. Over Engineering Security

  6. Over Engineering Security

  7. Over Engineering Security

  8. Over Engineering Security

  9. Over Engineering Security

  10. Confidentiality

  11. Confidentiality

  12. Confidentiality

  13. Replay Attacks

  14. Replay Attacks

  15. Confidentiality

  16. Confidentiality

  17. Don’t do it!

  18. Message Integrity

  19. Request

  20. Request

  21. Request http://ndna-website.com/makeRequest

  22. Sign all the things! LETTER NUMBER 568

  23. Should have gotten it reviewed

  24-26. HMAC? Hmac is a mandatory field which should be prepared following the steps below:

    1. Concatenate App Id, Mobile number and Device Id with the separator “|”.
    2. Create a hash of the concatenated string using SHA-256 algorithm.
    3. Encrypt the hash with the token as key using AES-256 algorithm.
    4. Populate HMAC with the encrypted string.
  27. Set it to fire and try again

  28. PCI-DSS 101

    3.2 Do not store sensitive authentication data after authorization (even if encrypted). If sensitive authentication data is received, render all data unrecoverable upon completion of the authorization process.
  29. Any guesses what this does?

  30. Any guesses what this does?

  31. Any guesses what this does?

  32. Any guesses what this does?

  33. git commit -m “Adds feature to iOS”

  34. Learnings

    1. Don’t roll your own Crypto.
    2. Don’t overengineer security
       a. Rely on TLS / PGP / Bcrypt / HMAC
    3. Use standard authentication
       i. JWT (Json Web Tokens)
       ii. Token Auth
       iii. Use “standard” HMAC for signatures
    4. Use NaCl for encryption
  35. if you have to type the letters “A-E-S” into your source code, you’re doing it wrong. - Thomas Ptacek goo.gl/DEl4bC
  36-37. Good vs Bad Security

    - Authentication
    - Authorization
    - Confidentiality
    - Integrity
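An added example (not from the talk or from any vendor spec it quotes) contrasting the "HMAC" recipe on slides 24-26 with the standard HMAC the learnings slide recommends: the recipe's step 2 is an unkeyed SHA-256 over the same fields, so anyone who knows App Id, mobile number and device id can reproduce it without the token, whereas RFC 2104 HMAC-SHA256 mixes the token into the tag itself. Field values and the token are constructed placeholders; the AES step is omitted because it contributes nothing to integrity.

```python
import hashlib
import hmac

# Constructed placeholder secret (not from the talk). In the quoted spec this
# token was used only as an AES key; here it keys the MAC directly.
SECRET_TOKEN = b"example-shared-secret-token-do-not-reuse"


def canonical_message(app_id: str, mobile: str, device_id: str) -> bytes:
    """Join the three fields with '|' exactly as the quoted spec does.
    Caveat: a '|' inside a field makes two different inputs serialise
    identically (length-prefixing or a structured encoding avoids this)."""
    return "|".join((app_id, mobile, device_id)).encode("utf-8")


def unkeyed_digest(app_id: str, mobile: str, device_id: str) -> str:
    """Step 2 of the quoted spec: plain SHA-256 of the fields. No secret is
    involved, so the value is computable by anyone who knows the fields;
    encrypting it afterwards hides it but does not authenticate the request."""
    return hashlib.sha256(canonical_message(app_id, mobile, device_id)).hexdigest()


def sign(app_id: str, mobile: str, device_id: str, key: bytes = SECRET_TOKEN) -> str:
    """Standard HMAC-SHA256 (RFC 2104) over the same fields, keyed with the token."""
    msg = canonical_message(app_id, mobile, device_id)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def verify(app_id: str, mobile: str, device_id: str, tag: str, key: bytes = SECRET_TOKEN) -> bool:
    """Recompute the tag server-side and compare in constant time, so the
    comparison does not leak how many leading bytes matched."""
    expected = sign(app_id, mobile, device_id, key)
    return hmac.compare_digest(expected, tag)


if __name__ == "__main__":
    fields = ("app-42", "9999999999", "device-abc")  # constructed sample request
    tag = sign(*fields)
    print("hmac-sha256 tag :", tag)
    print("valid           :", verify(*fields, tag))
    print("tampered mobile :", verify("app-42", "8888888888", "device-abc", tag))
    # The spec's step-2 value needs no token at all to reproduce:
    print("unkeyed digest  :", unkeyed_digest(*fields))
```

A verifier that only checks the decrypted hash against a recomputed SHA-256 accepts any request whose fields it can read, which is why the talk recommends "standard" HMAC for signatures instead.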