Security Horror stories in Payments

Nemo
January 25, 2017

My talk at 50p Conference by HasGeek.

Talk Proposal: https://50p.talkfunnel.com/2017/22-security-horror-stories-in-payments

Conference Details: https://50p.in/2017/

Transcript

  1. HMAC?

     Hmac is a mandatory field which should be prepared following the steps below:
     1. Concatenate App Id, Mobile number and Device Id with the separator “|”.
     2. Create a hash of the concatenated string using SHA-256 algorithm.
     3. Encrypt the hash with the token as key using AES-256 algorithm.
     4. Populate HMAC with the encrypted string.

  2. PCI-DSS 101

     3.2 Do not store sensitive authentication data after authorization (even if encrypted). If sensitive authentication data is received, render all data unrecoverable upon completion of the authorization process.

  3. Learnings

     1. Don’t roll your own Crypto.
     2. Don’t overengineer security
        a. Rely on TLS / PGP / Bcrypt / HMAC
     3. Use standard authentication
        i. JWT (Json Web Tokens)
        ii. Token Auth
        iii. Use “standard” HMAC for signatures
     4. Use NaCl for encryption

  4. “If you have to type the letters ‘A-E-S’ into your source code, you’re doing it wrong.” (Thomas Ptacek, goo.gl/DEl4bC)
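As an added example (not from the talk or the spec it quotes), here is the unkeyed part of the slide's "HMAC" recipe next to what the learnings slide calls "standard" HMAC, so the difference is visible in code. Field names, the token and the sample values are constructed; the AES-256 step is deliberately not reproduced because the spec names neither mode nor IV and encrypting a digest is not how a MAC is built.

```python
import hashlib
import hmac

SEP = "|"


def canonical_message(app_id: str, mobile: str, device_id: str) -> bytes:
    """Join the three fields exactly as the spec says: App Id|Mobile|Device Id.
    A field containing the separator would let two different inputs collide,
    so refuse to sign such a message instead of producing an ambiguous one."""
    fields = (app_id, mobile, device_id)
    if any(SEP in f for f in fields):
        raise ValueError("field must not contain the separator %r" % SEP)
    return SEP.join(fields).encode("utf-8")


def unkeyed_digest(app_id: str, mobile: str, device_id: str) -> str:
    """Steps 1-2 of the spec's recipe: a plain SHA-256 of the message.
    No secret is involved, so anyone who sees the request can recompute it;
    it is an integrity checksum at best, not an authenticator."""
    return hashlib.sha256(canonical_message(app_id, mobile, device_id)).hexdigest()


def sign(token: bytes, app_id: str, mobile: str, device_id: str) -> str:
    """What 'standard HMAC' means: HMAC-SHA256 (RFC 2104) keyed with the token."""
    msg = canonical_message(app_id, mobile, device_id)
    return hmac.new(token, msg, hashlib.sha256).hexdigest()


def verify(token: bytes, app_id: str, mobile: str, device_id: str, received: str) -> bool:
    """Recompute and compare in constant time so the check itself leaks nothing."""
    expected = sign(token, app_id, mobile, device_id)
    return hmac.compare_digest(expected, received)


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    token = b"example-shared-token-from-onboarding"
    fields = ("app-42", "9999900000", "device-abc")
    print("unkeyed sha256 :", unkeyed_digest(*fields))
    tag = sign(token, *fields)
    print("hmac-sha256    :", tag)
    print("verify ok      :", verify(token, *fields, tag))
    print("tampered mobile:", verify(token, "app-42", "9999900001", "device-abc", tag))
```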