Anatomizing Online Payment Systems Hack To Shop
Abhinav Mishra, Senior Security Consultant
To The New Digital
• The system - data flow and integrity
• What you do not see at first sight…
• The Bulls eye: Hack to shop
• Legal deterrents
• Hacking in #diehard style
• How not to suck at security …
What is all this about?
Now the question is...
• Senior Security Consultant @To The New Digital
• Penetration tester, Bug Hunter
• Music Lover, Movie buff
• Linkedin: https://in.linkedin.com/in/enggabhinav
Abhinav Mishra
To The New Digital
• Technology focused digital services company
• Web & Mobile application security service provider
• www.tothenew.com
• [email protected], @TOTHENEW
The Money Game….
Seller / Buyer
Ecommerce
Spot Yourself !!!
How does the money flow?
If the transaction is the bull, where is the bull's eye?
Eye 1: Merchant Website → Payment Gateway
OR
Eye 2: Payment Gateway → Bank
Common Issues
• Login over HTTP
• Weak encryption
• Improper input validation
Blah blah blah... not so cool, right?
So let's cut the crap & hit the bull's eye...
What you do not see at first sight?
Integrity?
Here comes the savior!
MAC algorithms
Custom Hashes
AND..
The culprit – now look again
Interesting String
Let's play with it!
Let's play with it – Part 2!
And now you know where we are going ;-)
And Here you are – Hack to Shop
Bought at 1.13 INR ….
And Here you are – Hack to Shop Part 2
Legal Deterrents
• Payment Settlement
• Audits
• Dual verification
• Multiple forged payments from a bank account
This image is just to get your attention back... let's move ahead...
Hacking in #diehard style
• Find all similar implementations
• Browser add-on or Python script as proxy
• Modification of same parameter
• Use of multiple bank accounts
• Instant confirmations: movie tickets, railway tickets, online books, subscriptions, grocery shopping, recharge, bill payment and the list goes on….
Hacking in #diehard style – Part 2
Step 1: Browser add-on as a proxy, like Tamper Data
Step 2: Capture string → modify string → forward string
Step 3: Buy every damn thing
Step 4: Leave country ….
I know it feels bad to know all this... but...
How not to suck at security
The solution is simple, mate:
• Strong means strong
• If you don't see it, it doesn't mean no one can
• Stop behaving like a kid – admit your security sucks, go for a pentest
• Follow all security best practices
• HTTPS
• Respect Hackers
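The deck's point about integrity (the "MAC algorithms / custom hashes" slides and "strong means strong" here) is what stops the 1.13 INR trick: if the amount is covered by a keyed MAC and the merchant re-checks it against its own order record, a parameter modified in the proxy is rejected. The block below is an added illustration, not code from the slides or from any real gateway; the parameter names (`merchant_id`, `order_id`, `amount`, `currency`, `sig`), the shared secret and the order values are constructed for the example.

```python
"""Added example (not from the slides): integrity-protecting payment parameters
with an HMAC and cross-checking the amount server-side.

Field names, the secret and the order book are assumptions for illustration.
"""
import hmac
import hashlib
from decimal import Decimal

# Secret shared only between merchant server and gateway (constructed value).
SHARED_SECRET = b"constructed-merchant-secret-do-not-reuse"

# Fields covered by the signature. Anything not listed here can be changed in
# transit undetected, so the amount must be in this list.
SIGNED_FIELDS = ("merchant_id", "order_id", "amount", "currency")


def canonicalize(params: dict) -> bytes:
    """Serialise the signed fields in a fixed order with a separator that may not
    appear in values, so two different parameter sets never produce one string."""
    for f in SIGNED_FIELDS:
        if f not in params:
            raise ValueError(f"missing signed field: {f}")
        if "|" in str(params[f]):
            raise ValueError(f"illegal character in {f}")
    return "|".join(f"{f}={params[f]}" for f in SIGNED_FIELDS).encode()


def sign_params(params: dict, secret: bytes = SHARED_SECRET) -> str:
    """Keyed MAC over the canonical form. A plain hash of the fields is not an
    integrity check: whoever sees the string can recompute it after editing
    the amount. The key is what the client does not have."""
    return hmac.new(secret, canonicalize(params), hashlib.sha256).hexdigest()


def verify_params(params: dict, secret: bytes = SHARED_SECRET) -> bool:
    """Recompute the MAC and compare in constant time."""
    try:
        expected = sign_params(params, secret)
    except ValueError:
        return False
    return hmac.compare_digest(params.get("sig", ""), expected)


def authorize_payment(callback: dict, orders: dict, secret: bytes = SHARED_SECRET) -> tuple:
    """Checks before marking an order paid:
    1. the MAC verifies (nothing in the signed set was modified), and
    2. the amount and currency equal what the merchant's own order record says,
       never the value echoed back through the client."""
    if not verify_params(callback, secret):
        return (False, "bad signature")
    order = orders.get(callback["order_id"])
    if order is None:
        return (False, "unknown order")
    if Decimal(str(callback["amount"])) != order["amount"] or callback["currency"] != order["currency"]:
        return (False, "amount mismatch")
    return (True, "paid")


def sample_orders() -> dict:
    """Constructed order book: what the merchant expects for ORD-1001."""
    return {"ORD-1001": {"amount": Decimal("1499.00"), "currency": "INR"}}


def demo_results() -> tuple:
    """Run the three cases the slides motivate and return the outcomes."""
    orders = sample_orders()
    legit = {"merchant_id": "M123", "order_id": "ORD-1001", "amount": "1499.00", "currency": "INR"}
    legit["sig"] = sign_params(legit)
    # Amount edited in a proxy after signing: the MAC no longer matches.
    tampered = dict(legit, amount="1.13")
    # Correctly signed callback for 1.13 INR (the buyer got the gateway to process
    # the wrong amount): caught by the order-record cross-check.
    underpaid = {"merchant_id": "M123", "order_id": "ORD-1001", "amount": "1.13", "currency": "INR"}
    underpaid["sig"] = sign_params(underpaid)
    return (authorize_payment(legit, orders),
            authorize_payment(tampered, orders),
            authorize_payment(underpaid, orders))


if __name__ == "__main__":
    for result in demo_results():
        print(result)  # (True, 'paid'), (False, 'bad signature'), (False, 'amount mismatch')
```

The two checks are deliberately independent: the MAC catches modification of the signed string, and the order-record comparison catches the case where the signed string is genuine but the amount was never what the merchant billed. Relying on either one alone reproduces the weakness the deck demonstrates.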