Payment applications handle lots of money. No, really: lots of it.

Presented at 44Con 2014 by

A medium-sized bank will funnel hundreds of billions through payment gateways every year. A larger one will easily be deep in 'trillions' territory. You work for a company with significant revenue? Chances are that your company shoves lots of money through one of these applications. Surprisingly, however, the security of these apps is often flaky: people who understand the business process rarely understand the technical risks. Vendors and consultants often recommend business-level defences but then make horrible technical mistakes, and very often the overall defence strategy boils down to "DBAs do not understand the business" comedy. When it comes to crypto, hilarity ensues: shared private keys and broken algorithms become the norm, with self-proclaimed "experts" proving to have problems with exotic concepts like "hash function" and "birthday paradox", leading CISOs to a false sense of security that only makes things worse.

Our presentation is a mix of attack and defence, combining descriptions of business-level and tech-level threats with crypto-based countermeasures. It is the result of a project we have been working on for the past year, with the goal of using crypto to secure our payment application. The presentation will start by describing how payment applications work, what their workflow is, what a payment file "really looks like", and how it is created, handled and processed. We will then describe the attack surface of the whole process, how an employee in the right role can easily steal large amounts of money, and what checks and countermeasures he/she would need to bypass.

In the second part of the presentation, we will describe a real-world example of how to properly employ crypto (via an HSM-based infrastructure) to greatly reduce the risks, and how to integrate such a solution with existing applications. We will also include some examples of things that are easy to get wrong while designing the solution.