http://www.techdirt.com/articles/20080716/1236481702.shtml
[Slide: an ebook priced $ 39.95, obtained for $ FREE]
[Slide diagram, intended flow: Buyer clicks on "Buy Now" → Buyer pays at PayPal → Buyer is redirected to the digital download]
[Slide: the delivery page] "Thank you for your purchase. You may download it now." followed by the download link http://www.commerce.tld/ebook.pdf
[Slide diagram, attack: Attacker extracts the delivery URL from the "Buy Now" button → skips PayPal entirely → goes straight to the digital download]
[Slide: the button as the browser sees it; the return URL is readable in clear text]
<input type="hidden" name="return" value="http://www.commerce.tld/thankyou.html">
</form>
[Slide diagram, fix: the store gets an encrypted button at PayPal, so the delivery URL is no longer exposed to the buyer's browser]
<input type="hidden" name="encrypted" value="-----BEGIN PKCS7-----MIIH+QYJKoZI […] QHPMWo=-----END PKCS7-----">
[Slide: a 10000 € item paid for with 5 €]
[Slide diagram, intended flow: Store sends Buyer to PayPal → PayPal collects Payment → PayPal returns Buyer to store → Store confirms PAID]
[Slide diagram, attack: Attacker changes the price before the Buyer is sent to PayPal; the Store still confirms PAID]
[Slide diagram, fix: Store confirms the amount paid]
[Slide diagram, intended flow: Store sends Buyer to PayPal → PayPal collects Payment and sends IPN to Store → PayPal returns Buyer to store → Store confirms PAID via IPN and Order ID]
[Slide diagram, attack: IPN handler points to attacker, Order ID = NULL → Attacker pays, PayPal sends IPN to attacker → Attacker loads a new cart with the same items, skips PayPal and uses the captured IPN → Store confirms PAID → Repeat]
[Slide diagram, fix: Store verifies the IPN was not previously processed]
[Slide diagram, intended flow: PayPal collects Payment → Store session = PAID → PayPal returns Buyer to store → Store signs Order ID → Store validates session and Order ID]
[Slide diagram, attack: Attacker skips PayPal and collects a signed Order ID; Attacker buys a low-cost item, then substitutes the high-cost Order ID → Repeat]
[Slide diagram, fix: Store verifies the Order ID matches the session]
[Slide diagram, intended flow: PayPal collects Payment → Store Token = PAID → PayPal returns Buyer to store → Store confirms token PAID]
[Slide diagram, attack: Attacker buys a low-cost item and copies the token value → skips PayPal → Attacker uses the PAID token → Store confirms token PAID → Repeat]
[Slide diagram, fix: Store verifies the token matches the session]
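The store-side checks the diagrams for flaws 2 to 5 call for (confirm the amount paid, verify the IPN and refuse already-processed transactions, bind the Order ID or token to the buyer's session), as an added example that is not the speaker's or PayPal's code; the Store class, the verify_with_paypal callback standing in for PayPal's IPN validation step, the merchant address and the sample orders are assumptions constructed for this illustration.

```python
"""Store-side PayPal checkout verification modelled on the slide diagrams
for flaws 2 to 5. Added example, not the speaker's or PayPal's code.
Assumptions: the order store, the verify_with_paypal callback (standing in
for posting the IPN back to PayPal for validation), STORE_PAYPAL_EMAIL and
all sample values are constructed for this illustration; the IPN field
names (txn_id, mc_gross, mc_currency, payment_status, receiver_email,
custom) are standard PayPal IPN variables."""
from dataclasses import dataclass, field
from decimal import Decimal, InvalidOperation
from typing import Callable, Dict, Set

STORE_PAYPAL_EMAIL = "merchant@commerce.tld"  # constructed placeholder


@dataclass
class Order:
    order_id: str
    amount: Decimal      # price from the store's own catalogue, never from the client
    currency: str
    paid: bool = False


@dataclass
class Store:
    orders: Dict[str, Order] = field(default_factory=dict)
    seen_txn_ids: Set[str] = field(default_factory=set)   # flaw 3: replay guard

    def create_order(self, order_id: str, amount: str, currency: str = "EUR") -> Order:
        order = Order(order_id, Decimal(amount), currency)
        self.orders[order_id] = order
        return order

    def handle_ipn(self, ipn: Dict[str, str],
                   verify_with_paypal: Callable[[Dict[str, str]], bool]) -> str:
        """Process one IPN message; returns 'ok' or a rejection reason."""
        # Flaw 3: the IPN must come from PayPal, not from whoever the handler
        # URL was pointed at. The callback models PayPal's validation step.
        if not verify_with_paypal(ipn):
            return "rejected: not verified by PayPal"
        if ipn.get("payment_status") != "Completed":
            return "ignored: payment not completed"
        # The money must have gone to this store's account, not the attacker's.
        if ipn.get("receiver_email") != STORE_PAYPAL_EMAIL:
            return "rejected: receiver is not this store"
        # Flaw 3 (replay): a captured IPN is genuine but may only count once.
        txn_id = ipn.get("txn_id", "")
        if not txn_id or txn_id in self.seen_txn_ids:
            return "rejected: transaction already processed"
        # "Order ID = NULL" on the slides: an IPN that names no known order
        # cannot mark anything as paid.
        order = self.orders.get(ipn.get("custom", ""))
        if order is None:
            return "rejected: unknown order id"
        # Flaw 2: confirm the amount actually paid against the store's price.
        try:
            paid = Decimal(ipn.get("mc_gross", ""))
        except InvalidOperation:
            return "rejected: malformed amount"
        if paid != order.amount or ipn.get("mc_currency") != order.currency:
            return "rejected: amount mismatch"
        self.seen_txn_ids.add(txn_id)
        order.paid = True
        return "ok"

    def can_download(self, session_order_id: str, requested_order_id: str) -> bool:
        """Flaws 4 and 5: deliver only the order bound to this session, and
        only if that specific order has been paid."""
        if session_order_id != requested_order_id:
            return False
        order = self.orders.get(requested_order_id)
        return order is not None and order.paid


def demo() -> Dict[str, object]:
    """Run the flows from the slides against the checks; results keyed by case."""
    store = Store()
    store.create_order("ORD-1", "10000.00")           # the 10000 € item
    genuine = {"txn_id": "TX-001", "payment_status": "Completed",
               "receiver_email": STORE_PAYPAL_EMAIL, "custom": "ORD-1",
               "mc_gross": "10000.00", "mc_currency": "EUR"}
    tampered = dict(genuine, txn_id="TX-002", mc_gross="5.00")   # price changed to 5 €
    return {
        "tampered_price": store.handle_ipn(tampered, lambda m: True),
        "forged_ipn": store.handle_ipn(genuine, lambda m: False),
        "genuine": store.handle_ipn(genuine, lambda m: True),
        "replayed": store.handle_ipn(genuine, lambda m: True),
        "own_order": store.can_download("ORD-1", "ORD-1"),
        "substituted_id": store.can_download("ORD-2", "ORD-1"),
    }
```

The last two cases model flaws 4 and 5: a session bound to the low-cost order "ORD-2" cannot collect the high-cost "ORD-1", however the order id or token was obtained.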
http://research.microsoft.com/apps/pubs/default.aspx?id=145858
https://www.x.com/developers/paypal/products/website-payments-standard
https://www.x.com/developers/paypal/products/express-checkout
spoof@paypal.com
cred@paypal.com
sitesecurity@paypal.com
Security & fraud: How to (NOT!) shop online for free

Editor's notes

  1. Let’s start off by talking about a modern-day diamond heist. I’m not talking about robbing an armored car or spending six months digging a tunnel under a bank. That’s too much work with too much risk. Instead, our clever thief works alone by shopping at an online diamond store. He fills his shopping cart up with thousands of dollars of diamonds, then on checkout…
  2. … he pays for a five dollar bottle of jewelry cleaner which the store accepts as payment in full for his diamonds. And the store will happily ship his diamonds directly to the dock where his getaway boat is waiting. Sounds like something out of the movies, right? As far-fetched as it seems, this type of checkout flaw exists in real online stores and has been demonstrated to actually work (although not with diamonds to my knowledge). How likely do you think it is the store will eventually detect and track down the problem? If the store believes every order was paid in full, is it even possible to discover the thief?
  3. Today we’ll be talking about integration flaws that allow attackers to shop online for free (or nearly free). I’m Bil Corry, a security engineer at PayPal and with me today is Harry Xue, an integration engineer also at PayPal. I’ve asked Harry to be here because I anticipate you’ll have integration questions after hearing this talk. Harry will be joining us later during the Q&A.
  4. When you leave here today, I have one goal: awareness. I want each of you to become aware that these types of integration flaws exist, they exist in the real world and may exist even in your own store. It is my hope that you will return to your office and look for these flaws, as they are often subtle and difficult to find. And as we will cover, there is a risk of severe financial loss.
  5. A quick warning about testing. Please only test websites that you own or have explicit permission from. It’s illegal in many jurisdictions to test websites when you don’t have explicit permission. It’s not like a few years ago…
  6. … when law enforcement might have let you go while praising your mad hacking skills. If you test a website without permission or worse, if you defraud a website …
  7. … law enforcement will track you down. I do not want to get letters from you in prison. Only test websites you own!
  8. We’ll be covering five flaws today. I’ll be talking about them at a high level, and at the end I have a reference to a research paper that goes into more depth and covers other integration flaws. And of course, feel free to ask questions. I’ll be pausing at the end of each flaw to answer a few questions and have set aside a longer Q&A session at the end of the talk. Finally, I’ll finish with a few concluding thoughts. Let’s begin…
  9. The first flaw we’re talking about today involves an attacker skipping past the PayPal checkout, and downloading the digital good for free. It’s due to using a non-encrypted button.
  10. Let’s first cover how it’s supposed to work. The buyer clicks on the “Buy Now” button.
  11. The buyer then pays at PayPal for the digital good.
  12. The buyer then is redirected back to the store to download their purchase and the store has received their money.
  13. The delivery page will look something like this, where the digital good is downloaded directly from the site.
  14. Now let’s talk about how an attacker is able to defraud the store and get the digital good for free. First, the attacker extracts the delivery URL from the “Buy Now” button – don’t worry about the details of how this is done, we’ll discuss it more in a minute.
  15. Next, the attacker uses the delivery URL to go directly to the digital good delivery page, skipping PayPal entirely.
  16. Now let’s go back to that first step, where the attacker is able to extract the delivery URL. How does he do it? If you look at the HTML source for the button, it doesn’t appear to leak any data.
  17. However, if you use a tool such as Firebug, you’ll see the button as it looks to the browser. You’ll notice the button is now human readable, including the delivery URL. Even without the tool, there’s a snippet of JavaScript that is available on underground forums that will extract the delivery page and go directly to it, skipping PayPal’s checkout.
  18. What should the store do? Go back to PayPal.com and get a new Buy Now button, either an encrypted button or a PayPal-hosted button. That will prevent this attack from working.
  19. And just to give you an idea of how the encrypted button works, here’s the HTML source for an encrypted button.
  20. And here’s the same encrypted button when using a tool like Firebug. It’s identical to the HTML Source, it does not leak the delivery URL.
  21. The lesson for this flaw, if you have an older “Buy Now” button, return to PayPal and generate a new button that is either encrypted or is hosted at PayPal. If you need help with this, please see me after the talk.
  22. That concludes the first flaw. What questions do you have about this issue?
  23. The next flaw we’re talking about allows an attacker to pay any price he wants for an item. It involves the store failing to validate the payment total.
  24. Let’s see how it’s supposed to work. The store sends the buyer to PayPal.
  25. PayPal collects the payment for the order.
  26. PayPal then returns the buyer back to the store.
  27. And the store confirms that the buyer has paid.
  28. Now let’s look at what happens when the attacker goes through the flow. The store sends the attacker to PayPal, however the attacker changes the price in that request to any price he wants to pay. PayPal then collects that price as payment, then sends the attacker back to the store. The store then confirms it was paid and ships the goods to the attacker at the low price. What should the store have done?
  29. The store should have confirmed that the payment amount matched their invoice.
  30. Very important: if you’re expecting 10000 euro then you must check that you received 10000 euro. The lessons for this flaw: always validate that the payment amount matches the invoice amount, and make sure the currency is correct. You don’t want 10000 dollars if you’re expecting 10000 euros.
  31. That’s the second flaw. What questions do you have about this issue?
  32. Our third flaw today involves paying for one order, then being able to purchase unlimited orders with the only constraint they must be at the same price point. In this attack, the attacker is replaying the payment notification.
  33. Let’s walk through how it’s supposed to work. The store sends the buyer to PayPal.
  34. PayPal collects the payment for the order and sends the Instant Payment Notification to the store.
  35. PayPal then returns the buyer back to the store.
  36. And the store confirms that the buyer has paid by checking the IPN and the Order ID.
  37. Now let’s look at what the attacker does. The attacker will actually go through the flow twice. In the first flow, the store sends the attacker to PayPal, however the attacker changes the IPN handler to point to his own webserver and he sets the Order ID to null.
  38. The attacker then pays via PayPal for the order and PayPal then sends the IPN to the attacker instead of the store.
  39. Now we’re on the second flow with the attacker. With the newly acquired IPN, the attacker goes back to the store and loads up his cart again with the same items, but this time he skips past PayPal.
  40. And he submits the captured IPN directly to the store, pretending to be PayPal.
  41. The store confirms the IPN is valid, and that the invoice amounts match, and ignores validating the Order ID since it’s null in the IPN. The store then marks the order paid and ships the order to the customer. The attacker can repeat this as much as he wants. What should the store have done?
  42. The store should have verified that the IPN wasn’t previously processed. That would have prevented this replay attack using the IPN.
  43. Lessons, be sure to verify all information that you have available, including the payment status, the transaction ID, the receiver email, the payment amount, and the currency.
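As an added example (not the speaker’s or PayPal’s code), here is a store-side IPN handler in Python that applies the lessons of flaws 2 and 3 together: it accepts an IPN only if the postback validation succeeded, the payment is Completed, the receiver email is the store’s, the invoice (Order ID) is present and still unpaid, the transaction ID has never been credited before, and the amount and currency match the invoice exactly. The field names are PayPal’s standard IPN variables; the invoice table, merchant email and the `postback_ok` stub are constructed for the example.

```python
from decimal import Decimal, InvalidOperation

# Constructed store state: what the store expects to be paid for each Order ID.
INVOICES = {
    "INV-1001": {"amount": Decimal("10000.00"), "currency": "EUR", "status": "unpaid"},
    "INV-1002": {"amount": Decimal("49.95"), "currency": "USD", "status": "unpaid"},
}
STORE_PAYPAL_EMAIL = "merchant@commerce.tld"  # constructed merchant account
PROCESSED_TXN_IDS = set()  # every txn_id already credited; keep this in the database


def handle_ipn(ipn: dict, postback_ok: bool) -> tuple[bool, str]:
    """Decide whether one IPN message may mark an invoice as paid.

    `ipn` is the parsed POST body. `postback_ok` is the result of echoing the
    message back to PayPal for validation, which the caller performs (stubbed
    here so the example runs offline). Returns (accepted, reason).
    """
    if not postback_ok:
        return False, "postback validation failed: message is not from PayPal"
    if ipn.get("payment_status") != "Completed":
        return False, "payment not completed"
    # Flaw 3 lesson: the money must have gone to the store's own account.
    if ipn.get("receiver_email", "").lower() != STORE_PAYPAL_EMAIL:
        return False, "receiver_email is not the store's account"
    # Flaw 3: a null Order ID must be a hard failure, not a skipped check.
    invoice = INVOICES.get(ipn.get("invoice") or "")
    if invoice is None:
        return False, "missing or unknown invoice (Order ID)"
    if invoice["status"] == "paid":
        return False, "invoice already paid"
    # Flaw 3: a replayed IPN carries a txn_id we have already credited.
    txn_id = ipn.get("txn_id")
    if not txn_id or txn_id in PROCESSED_TXN_IDS:
        return False, "transaction already processed (replay)"
    # Flaw 2: amount and currency must match the invoice exactly.
    try:
        paid = Decimal(ipn.get("mc_gross", ""))
    except InvalidOperation:
        return False, "unparseable amount"
    if paid != invoice["amount"]:
        return False, f"amount {paid} does not match invoice {invoice['amount']}"
    if ipn.get("mc_currency") != invoice["currency"]:
        return False, f"currency {ipn.get('mc_currency')} does not match invoice"
    PROCESSED_TXN_IDS.add(txn_id)
    invoice["status"] = "paid"
    return True, "invoice marked paid"
```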
  44. That’s flaw number 3. What questions do you have about this issue?
  45. This fourth flaw is the one I opened the talk with. The attacker has two shopping carts: by paying for the low-cost item, the attacker can switch carts mid-transaction and complete it using the high-cost shopping cart. This is known as cross-session tampering.
  46. Let’s look at how it’s supposed to work. PayPal collects the payment from the buyer.
  47. The store notes that the buyer has paid in the session.
  48. PayPal returns the buyer to the store.
  49. The store cryptographically signs the Order ID and redirects the buyer to the checkout page.
  50. On the checkout page, the store validates the order was paid via the session and validates the signed order ID. As you can see, the store has gone to some effort to prevent the buyer from tampering with the order details.
  51. Since the attacker can’t modify the transaction, the attacker instead uses two shopping carts. The first cart is filled with high-cost items, then the attacker skips PayPal and goes directly to the page where the store cryptographically signs the Order ID.
  52. The attacker collects the signed order ID and aborts the final checkout.
  53. Next, the attacker uses the second shopping cart in another browser and purchases a low-cost item.
  54. This time, the attacker goes through the entire flow until the final step, where the attacker substitutes the signed order ID for the high-cost shopping cart. Since everything validates, the store is fooled into accepting a low-cost payment for a high-cost order.
  55. The attacker can then repeat as often as necessary. What should the store have done?
  56. The store should have added a check to make sure the Order ID is associated with the session to prevent cross-session tampering. That would have prevented the attacker from using multiple shopping carts to fool the checkout flow.
  57. Lessons: validate that the Order ID matches the session, maintain state on the server, and reduce as much as possible the data that travels server-to-client-to-server.
  58. That was flaw #4. What questions do you have about this issue?
  59. Our last flaw involves purchasing a low-cost item, then using the PayPal token from that transaction to make additional purchases for free. It’s known as a token replay attack.
  60. Let’s see how it’s supposed to work. PayPal collects the payment from the buyer.
  61. The store records that the token is paid.
  62. PayPal returns the buyer to the store.
  63. The store confirms the token was paid and completes the order.
  64. Now let’s look at what the attacker does. The attacker will go through two flows. The first is to purchase a low-cost item. The attacker chooses a low-cost item, then goes to PayPal and pays for it.
  65. When PayPal returns the buyer to the store, the attacker will capture the token value for later use. The attacker will then receive their goods like a normal purchaser.
  66. The attacker now returns to the store a second time. This time, the attacker fills his shopping cart up with whatever items he wants. He skips past PayPal and instead jumps to the final checkout.
  67. The attacker uses the valid PAID token from the low-cost purchase to trick the store into thinking he’s paid for the current order.
  68. The attacker then repeats for as many free items as he chooses. What should the store have done?
  69. The store should have verified the token was associated with the current session and made sure that it was used only once.
  70. Lessons, do not allow token reuse and validate that the token is associated with the session.
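As an added example (not the speaker’s or PayPal’s code), here is a Python sketch of the final checkout step hardened against flaws 4 and 5: the Order ID is signed together with the session that owns it, and the PAID token is looked up against the session and order it actually paid for and is consumed on first use. The signing key, cart totals, session and token values are constructed for the example; how the store receives the token from PayPal is left to `record_payment`, a hypothetical hook.

```python
import hashlib
import hmac

SIGNING_KEY = b"constructed-server-side-secret"  # real key: random, kept only on the server
ORDER_TOTALS = {"ORD-HIGH": "12500.00", "ORD-LOW": "5.00"}  # constructed carts and prices


def sign_order(order_id: str, session_id: str) -> str:
    """Flaw 4 lesson: sign the Order ID together with the session that owns it,
    so a signature minted in one browser session is useless in another."""
    msg = f"{session_id}:{order_id}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


class Checkout:
    """Final checkout step with session-bound Order IDs and single-use tokens."""

    def __init__(self):
        self.paid = {}         # token -> (session_id, order_id, amount) from PayPal's return
        self.consumed = set()  # tokens that have already completed an order

    def record_payment(self, token, session_id, order_id, amount):
        """Hypothetical hook called when PayPal returns the buyer; remembers
        which session and cart the token paid for."""
        self.paid[token] = (session_id, order_id, amount)

    def finalize(self, session_id, order_id, signature, token) -> tuple[bool, str]:
        expected = sign_order(order_id, session_id)
        if not hmac.compare_digest(expected, signature):  # flaw 4: other-session signature
            return False, "order id not signed for this session"
        record = self.paid.get(token)
        if record is None:
            return False, "token was never paid"
        if token in self.consumed:  # flaw 5: token replay
            return False, "token already used"
        paid_session, paid_order, amount = record
        if paid_session != session_id or paid_order != order_id:  # flaws 4 and 5
            return False, "token belongs to a different session or order"
        if amount != ORDER_TOTALS[order_id]:
            return False, "paid amount does not match order total"
        self.consumed.add(token)
        return True, "order completed"
```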
  71. That was our final flaw. What questions do you have about this issue?
  72. For all these flaws, even with strong due diligence, there is a chance you will not be able to find and fix them all. But that doesn’t mean you can’t catch it after the fact. Always reconcile your PayPal transactions with your invoices and make sure they match. If they don’t, then you may have one of these integration flaws. It’s a great early-warning system and will help you prevent massive losses.
  73. For those of you curious about the technical details, the first resource is an excellent paper on integration flaws, covering what we spoke about today and more. The last two are the PayPal developer guides for our APIs, which contain additional security information.
  74. And because I’m part of PayPal’s security team, should you come across a security issue, here’s how to report it to PayPal. Spoof@paypal.com is for fake PayPal emails; be sure to include the message headers. Cred@paypal.com is for leaked PayPal.com credentials. Do NOT try them out first to verify they’re real; we won’t know if you’re trying to break in or helping us. Just send it to us and we’ll take care of it. Sitesecurity@paypal.com is for anything else, such as a phishing site. We appreciate and welcome your security reports, and thank you for helping keep PayPal safe for our 100 million users.
  75. At this time, I’ll ask Harry to join me. What integration questions do you have? Or questions about anything we’ve talked about today?
  76. Some final thoughts – these flaws are real and exist on real commerce sites. Jeremiah Grossman of WhiteHat Security has a great motto, “Hack Yourself First”. Go back and look for these issues. And build a reconciliation process that can catch these exploits, so even if you miss an integration flaw, you can still detect it after the fact and correct it quickly. Now go prevent your own diamond heist. Thank you.
  77. Thank you!