Anatomizing Online Payment Systems
Hack To Shop
Abhinav Mishra
Senior Security Consultant
To The New Digital
• The system - data flow and integrity
• What you do not see at first sight…
• The Bull's eye: Hack to shop
• Legal deterrents
• Hacking in #diehard style
• How not to suck at security …
What all this is about ??
Now the question is …..
• Senior Security Consultant @To The New Digital
• Penetration tester, Bug Hunter
• Music Lover, Movie buff
• Linkedin: https://in.linkedin.com/in/enggabhinav
Abhinav Mishra
To The New Digital
• Technology focused digital services company
• Web & Mobile application security service provider
• www.tothenew.com
• info@tothenew.com, @TOTHENEW
The Money Game….
[Diagram: Seller, Buyer, Ecommerce]
Spot Yourself !!!
How does the money flow?
If transaction is the bull, where is the bull’s eye.
[Diagram: Merchant Website → Payment Gateway (Eye 1); Payment Gateway (Eye 2) OR Bank]
Common Issues
• Login over HTTP
• Weak encryption
• Improper Input validation
Blah Blah Blah….. Not so cool right ????
So let’s cut the crap & hit the Bull’s eye….
What you do not see at first sight ??
Integrity??
Here comes the savior !!!
MAC algorithms
Custom Hashes
AND..
The culprit – Now look again
Interesting String
Let’s Play with it !!!
Let’s Play with it – Part 2 !!!
And now you know where we are going ;-)
And Here you are – Hack to Shop
Bought at 1.13 INR ….
And Here you are – Hack to Shop Part 2
Legal Deterrents
• Payment Settlement
• Audits
• Dual verification
• Multiple Forged payments from bank account
This Image is just to get your attention back… let’s move ahead…
Hacking in #diehard style
• Find all similar implementations
• Browser Addon or Python script as proxy
• Modification of same parameter
• Use of multiple bank accounts
• Instant confirmations: movie tickets, railway tickets, online books,
subscriptions, grocery shopping, recharge, bill payment and the list goes on….
Hacking in #diehard style – Part 2
Step 1: Browser Addon as a proxy, like Tamper Data
Hacking in #diehard style – Part 2
Step 2: Capture string → Mod String → Forward String
Hacking in #diehard style – Part 2
Step 3: Buy every damn thing
Hacking in #diehard style – Part 2
Step 4: Leave country ….
I Know it feels bad to know all this…. But…
How not to suck at security
The solution is simple mate:
• Strong means strong
• If you don’t see it, it doesn’t mean no one can
• Stop behaving like a kid – admit your security sucks, go for Pentest
• Follow all security best practices
• HTTPS
• Respect Hackers
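The integrity problem behind "Strong means strong": a gateway checksum only protects the fields it covers, and only against edits made after signing. Added example, not code from the deck or from To The New Digital; the field names, secret and order store are assumptions. It shows a callback verifier that uses a keyed HMAC with a constant-time compare and then checks the paid amount against the merchant's own order record, which is what catches an amount edited before the gateway signed it.

```python
import hmac
import hashlib
from decimal import Decimal

# Hypothetical merchant secret shared with the gateway (constructed sample, not a real key).
MERCHANT_SECRET = b"example-merchant-secret-do-not-use"

# Fields the MAC must cover; amount is the one the deck shows being edited in a proxy.
SIGNED_FIELDS = ("order_id", "amount", "currency", "status", "txn_id")

# Server-side order store (constructed sample): the amount the buyer was actually quoted.
ORDERS = {"ORD-1001": {"amount": Decimal("1499.00"), "currency": "INR"}}


def canonical(params: dict) -> bytes:
    # Fixed field order and a separator not allowed in values, so two different
    # parameter sets never serialize to the same bytes.
    return "|".join(str(params[k]) for k in SIGNED_FIELDS).encode()


def sign(params: dict, secret: bytes = MERCHANT_SECRET) -> str:
    return hmac.new(secret, canonical(params), hashlib.sha256).hexdigest()


def verify_callback(params: dict, secret: bytes = MERCHANT_SECRET) -> tuple:
    """Return (ok, reason) for a gateway callback."""
    if any(k not in params for k in SIGNED_FIELDS) or "checksum" not in params:
        return False, "missing field"
    # Constant-time comparison; a plain == leaks timing information about the digest.
    if not hmac.compare_digest(sign(params, secret), params["checksum"]):
        return False, "bad checksum"
    order = ORDERS.get(params["order_id"])
    if order is None:
        return False, "unknown order"
    # The gateway signs whatever amount it was asked to charge. If the request to the
    # gateway was tampered, the callback MAC is valid but the amount is wrong, so it
    # must be compared with the merchant's own record, never trusted from the callback.
    if Decimal(params["amount"]) != order["amount"] or params["currency"] != order["currency"]:
        return False, "amount mismatch"
    if params["status"] != "SUCCESS":
        return False, "not successful"
    return True, "ok"


def demo() -> dict:
    genuine = {"order_id": "ORD-1001", "amount": "1499.00", "currency": "INR",
               "status": "SUCCESS", "txn_id": "TXN-42"}
    genuine["checksum"] = sign(genuine)
    tampered = dict(genuine, amount="1.13")            # edited after signing
    underpaid = dict(genuine, amount="1.13")
    underpaid["checksum"] = sign(underpaid)            # edited before signing
    return {"genuine": verify_callback(genuine), "tampered": verify_callback(tampered),
            "underpaid": verify_callback(underpaid)}
```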
Have Questions??? Meet me in Person….
Or
Abhinav.mishra@tothenew.com
Or
https://in.linkedin.com/in/enggabhinav
