Security Horror stories in Payments

Transcript

1. Security Horror Stories in Payments '); DROP TABLE payments; --

   Nemo Razorpay

2. Nemo

3. Security ∩ Payments

4. Useless Security

5. Over Engineering Security

6. Over Engineering Security

7. Over Engineering Security

8. Over Engineering Security

9. Over Engineering Security

10. Confidentiality

11. Confidentiality

12. Confidentiality

13. Replay Attacks

14. Replay Attacks

15. Confidentiality

16. Confidentiality

17. Don’t do it!

18. Message Integrity

19. Request

20. Request

21. Request http://ndna-website.com/makeRequest

22. Sign all the things! LETTER NUMBER 568

23. Should have gotten it reviewed

24. HMAC? Hmac is a mandatory field which should be prepared

    following the steps below: 1. Concatenate App Id, Mobile number and Device Id with the separator “|”. 2. Create a hash of the concatenated string using SHA-256 algorithm. 3. Encrypt the hash with the token as key using AES-256 algorithm. 4. Populate HMAC with the encrypted string.

25. HMAC? Hmac is a mandatory field which should be prepared

    following the steps below: 1. Concatenate App Id, Mobile number and Device Id with the separator “|”. 2. Create a hash of the concatenated string using SHA-256 algorithm. 3. Encrypt the hash with the token as key using AES-256 algorithm. 4. Populate HMAC with the encrypted string.

26. HMAC? Hmac is a mandatory field which should be prepared

    following the steps below: 1. Concatenate App Id, Mobile number and Device Id with the separator “|”. 2. Create a hash of the concatenated string using SHA-256 algorithm. 3. Encrypt the hash with the token as key using AES-256 algorithm. 4. Populate HMAC with the encrypted string.

27. Set it to fire and try again

28. PCI-DSS 101 3.2 Do not store sensitive authentication data after

    authorization (even if encrypted). If sensitive authentication data is received, render all data unrecoverable upon completion of the authorization process.

29. Any guesses what this does?

30. Any guesses what this does?

31. Any guesses what this does?

32. Any guesses what this does?

33. git commit -m “Adds feature to iOS”

34. Learnings 1. Don’t roll your own Crypto. 2. Don’t overengineer

    security a. Rely on TLS / PGP / Bcrypt / HMAC 3. Use standard authentication i. JWT (Json Web Tokens) ii. Token Auth iii. Use “standard” HMAC for signatures 4. Use NaCl for encryption

35. if you have to type the letters “A-E-S” into your

    source code, you’re doing it wrong. - Thomas Ptacek goo.gl/DEl4bC

36. Good vs Bad Security - Authentication - Authorization - Confidentiality

    - Integrity

37. Good vs Bad Security - Authentication - Authorization - Confidentiality

    - Integrity