
Anatomizing online payment systems: hack to shop


Page 1: Anatomizing online payment systems: hack to shop

Anatomizing Online Payment Systems Hack To Shop

Abhinav Mishra, Senior Security Consultant

To The New Digital

Page 2

What is all this about?

• The system: data flow and integrity

• What you do not see at first sight…

• The bull's eye: hack to shop

• Legal deterrents

• Hacking in #diehard style

• How not to suck at security…

Page 3

Now the question is …..

Page 4

Abhinav Mishra

• Senior Security Consultant @ To The New Digital

• Penetration tester, bug hunter

• Music lover, movie buff

• LinkedIn: https://in.linkedin.com/in/enggabhinav

To The New Digital

• Technology-focused digital services company

• Web & mobile application security service provider

• www.tothenew.com

• [email protected], @TOTHENEW

Page 5

The Money Game….

Seller / Buyer

Ecommerce

Spot Yourself !!!

Page 6

How does the money flow?

Page 7

If the transaction is the bull, where is the bull's eye?

[Diagram: Merchant Website, Payment Gateway (Eye 1); Payment Gateway or Bank (Eye 2)]

Page 8

Common Issues

• Login over HTTP

• Weak encryption

• Improper Input validation

Blah blah blah… not so cool, right?

So let's cut the crap and hit the bull's eye…

Page 9

What you do not see at first sight?

Integrity??

Page 10

Here comes the savior !!!

MAC algorithms

Custom Hashes

AND..
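The integrity check the deck is hinting at, as an added example (not from the slides): a keyed MAC over the checkout string, compared in constant time, followed by reconciling the amount against the merchant's own order record. The field names, the shared secret and the amounts are constructed for the demo; the unkeyed "custom hash" is included only to show why it gives no integrity.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl

# Constructed shared secret between merchant and gateway (assumption: provisioned out of band).
MERCHANT_SECRET = b"constructed-demo-secret-do-not-reuse"
# Assumed field names for the string the browser carries from merchant to gateway.
SIGNED_FIELDS = ("merchant_id", "order_id", "amount", "currency")

def canonical_string(params):
    """Fixed field order so merchant and gateway hash identical bytes."""
    return "|".join(f"{k}={params[k]}" for k in SIGNED_FIELDS)

def weak_custom_hash(params):
    """Unkeyed 'custom hash': whoever holds the string can recompute it, so it proves nothing."""
    return hashlib.md5(canonical_string(params).encode()).hexdigest()

def sign(params, key=MERCHANT_SECRET):
    """Keyed MAC: a valid tag can only come from a holder of the secret."""
    return hmac.new(key, canonical_string(params).encode(), hashlib.sha256).hexdigest()

def verify(params, tag, key=MERCHANT_SECRET):
    """Constant-time compare so the tag cannot be guessed byte by byte through timing."""
    return hmac.compare_digest(sign(params, key), tag)

def gateway_accepts(query, expected_amount, key=MERCHANT_SECRET):
    """Receiving side: parse, check the MAC, then reconcile the amount with the stored order."""
    params = dict(parse_qsl(query, strict_parsing=True))
    tag = params.pop("mac", "")
    if not all(f in params for f in SIGNED_FIELDS):
        return False
    if not verify(params, tag, key):
        return False  # string was modified in transit, or signed with another key
    return params["amount"] == expected_amount  # MAC valid but price disagrees with the order

def demo():
    """Constructed checkout: honest request, then the same string with the amount lowered."""
    order = {"merchant_id": "M123", "order_id": "ORD-77", "amount": "4999.00", "currency": "INR"}
    query = "&".join(f"{k}={v}" for k, v in order.items()) + "&mac=" + sign(order)
    tampered = query.replace("amount=4999.00", "amount=1.13")
    tampered_params = dict(order, amount="1.13")
    # Unkeyed hash: a tag recomputed over the modified string passes the unkeyed check.
    forged_tag = weak_custom_hash(tampered_params)
    weak_passes = weak_custom_hash(tampered_params) == forged_tag
    return gateway_accepts(query, "4999.00"), gateway_accepts(tampered, "4999.00"), weak_passes
```

`demo()` returns `(True, False, True)`: the keyed MAC rejects the modified string while the unkeyed hash cannot tell it apart, and the final amount comparison catches the case where a validly signed string still disagrees with the order.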

Page 11

The culprit – Now look again

Interesting String

Page 12

Let’s Play with it !!!

Page 13

Let’s Play with it – Part 2 !!!

And now you know where we are going ;-)

Page 14

And Here you are – Hack to Shop

Bought at 1.13 INR ….

Page 15

And Here you are – Hack to Shop Part 2

Page 16

Legal Deterrents

• Payment Settlement

• Audits

• Dual verification

• Multiple Forged payments from bank account

Page 17

This image is just to get your attention back… let's move ahead…

Page 18

Hacking in #diehard style

• Find all similar implementations

• Browser Addon or Python script as proxy

• Modification of same parameter

• Use of multiple bank accounts

• Instant confirmations: movie tickets, railway tickets, online books, subscriptions, grocery shopping, recharge, bill payment and the list goes on….

Page 19

Hacking in #diehard style – Part 2

Step 1: Browser Addon as a proxy, like Tamper Data

Page 20

Hacking in #diehard style – Part 2

Step 2: Capture string → modify string → forward string

Page 21

Hacking in #diehard style – Part 2

Step 3: Buy every damn thing

Page 22

Hacking in #diehard style – Part 2

Step 4: Leave country ….

Page 23

I know it feels bad to know all this… But…

Page 24

How not to suck at security

The solution is simple mate:

• Strong means strong

• If you don't see it, it doesn't mean no one can

• Stop behaving like a kid: admit your security sucks, go for a pentest

• Follow all security best practices

• HTTPS

• Respect Hackers

Page 25

Have questions? Meet me in person…

Or

[email protected]

Or

https://in.linkedin.com/in/enggabhinav