 Здравствуйте, я Ретиньян Каркадзи и я лид-пенетрация теста в российской компании, которая имеет название ЗОН. Также я организатор, один из организаторов РФ ЗОН в Москве, и один из организаторов CTF ЗОН, компетиций CTF, а также веквальсов DevCon CTF. Сегодня мы поговорим об онлайн-банкинг-секурии. Во-первых, я на проектах, на моем работе, у меня есть много секретарных аудиторов, различные онлайн-банкинг-капликации, и в этом проекте я встретил, и мы встретили много различных vulnerability и других интересных вещей. Так что в этой презентации я хочу поделиться с вами какие-то эксперименты, какие-то интересные вещи. Так что этот talk будет интересным для афенсивных и афенсивных специалистов, которые работают с онлайн-банкинг-капликациями. И также будет интересным для разработчиков, которые работают с онлайн-банкинг-капликациями, и кто пытается сделать это safer. Но я пытаюсь сделать эту презентацию с большим трудом, и я надеюсь, что все могут получить что-то новое из этой презентации, и получить что-то интересное из этой презентации. Так что давайте поговорим о структуре этой презентации, о том, что мы будем говорить. Итак, сначала мы поговорим о различных, о ремонт-банкинг-анлайн-банкинг, о ремонт-банкинг-анлайн-банкинг. Мы поговорим о веб-банкинг-мобиль-банкинг, о различных между ними, и после этого мы поговорим о тестировании, о веб-банкинг-мобиль-банкинг, и о различных, как мы можем использовать эти веб-банкинг-мобиль-банкинг. Итак, и большая часть этой презентации будет, например, деталейной информации, как это работает, как это работает, и, может быть, какие-то плохие практики для выживания. И так далее. Также мы поговорим о первых практиках, как выживать эту веб-банкинг-мобиль-банкинг. Итак, давайте начнем с различных. Какие ремонт-банкинг-анлайн-банкинг-анлайн-банкинг. Это когда лайн не нужно идти в офис, чтобы делать какие-то акции в банке. Например, для выживания денег, для, я не знаю, проверения баланса в банке, и некоторые другие вещи. Итак, это может быть что-то, это может быть ATM, это может быть Call Center, это может быть SMS-банкинг, и также это может быть веб-банкинг-мобиль-банкинг. И, например, мы хотим уехать от аккаунта, так что мы пришли к ATM, и это один из примеров ремонт-банкинг-сервисов. Мнф, есть другой тип банкинг-сервисов. Это лайн-банкинг-анлайн-банкинг. Она не другой, это ремонт-банкинг-сервисов, но это идея, которую мы будем сказать сегодня. Эти санлайн-банкинг-анлайн-банкинг-это веб-банкинг-мобиль-банкинг-анлайн-банкинг-это веб-банкинг-это когда вы injected веб-сайт в банке на браузер, и на Nummer 2-3, лагин в вашу аккаунту и делай какие-то действия, может, трансформирование, чейк-балансы и так далее. В мобиле это абсолютно то же самое, но вы должны доноточить аккульт на вашу мобилу. После этого, опять же, вы лагинете в аккаунт и делаете какие-то действия. Сегодня мы поговорим о онлайн-банкинге, о веб-мобиле-банкинге. Итак, мы говорим о том, как это работает. Это очень-очень простая мобилья, да, но это хорошая мобилья, чтобы показать, что мы говорим об этом. Мы не говорим об инфраструкции, о банке инфраструкции, об процессе и других очень-очень комплексных вещей. Это магия для нас сегодня, и это совершенно невозможно. Мы говорим о том, что это очень-очень простая мобилья, это магия для нас сегодня, и это совершенно невозможно. Это как локбокс-фос. Итак, мы говорим об серверной сайте, об апие, да, мы говорим об фронт-тенте мобилья. В фронт-тенте это что-то, что стоит в браузере клиента. Так что это может быть ангуляр, это может быть реакт-апликация, это может быть HTML без аяк-реквеста, но это не так, как сейчас. Уже, может быть, есть банки с аяк-реквестами, но я не знаю, они не видели это. Так что мобилья, это совершенно то же самое, но мобилья-апликация, это как кастом-мейд-браузер, и фронт-тент и мобилья работают с апием, да, с серверной сайте. И они sent реквесты к апие, и они получают реквесты от апи, и они дают реквесты, они показывают твои глаза к клиентам, и клиентам могут работать с апием, и для каких-то экшенов, может быть, клиент на ботонах, и другие вещи, может быть, что-то. Так что обычно в банках с апием, это струнт-апликация для фронт-тента и... the same, sorry, same API for the front-tent and for the mobile. Sometimes maybe there are differences, maybe it is a split-ed API, so different API for front-tent and different API for mobile, but usually it is the same. And API, it is like something between... It is an application that helps us to work with bank infrastructure. It has API methods, it has some functionality that can be used by front-tent and that can be used by mobile. And after that it sends to bank infrastructure and there is some magic in bank infrastructure. The bank infrastructure is very, very complex, it can be anything, it can be monolith, it can be microservices, yeah. And so, but today it will be bank infrastructure and API, it will be server-side for us. So, and I think it is all that I wanted to say about how does it work. Again, it is very, very simple and we can't talk more detail because it needs a lot of time. It is huge topic. So, testing approaches of server-side and bank infrastructure, usually it is... API, it is usual web application, yeah. Bank infrastructure, it is a very complex thing, it is like a zone with different services, it can be anything and so it is very hard to hack it without understanding how does it work. And so, you can only try to maybe use fuzzing and other things and try to understand how does it work and it is only one way to understand how to hack the bank infrastructure. So, API, it is usual web application, so it can has any web vulnerabilities. So, if I'm talking about the possible vulnerabilities, like I said, it is usual web vulnerabilities, yeah, it is everything from the awasp, yeah. You just can take the checklist of awasp and any vulnerability in the most related to the server-side. So, also it is misconfigurations, it can be anything like a jinx misconfigurations, maybe other things. And also, it is logical vulnerabilities because the bank and the mobile banking, online banking, it is very, very complex thing, yeah. It has very, very complex architecture, yeah. And so, when architecture is complex, developers can do a lot of mistakes in this. And so, it can be any logical vulnerabilities, like idors, like, I don't know, leakage of sensitive data of clients, maybe, if it's correct to say, race condition, but it is not logical vulnerability, but sometimes it can be based on logical problems. So, and other vulnerabilities, it is only examples, so it can be anything. Next one, it is front-end, so it is user interface, yeah, based on the data received from API. And so, and because it allows a browser, yeah, browser take a lot of security job on itself. And so, it is very big difference between the mobile application, yeah, and front-end, because browser do a lot of security job by itself. But in mobile applications, developers have to do the things by itself. So, and possible vulnerabilities, that is XSS, that is, I don't know, DOM-based XSS, that is CSRF, yeah, maybe forgotten, or maybe unfinished pages, yeah. Sometimes, for example, developers make and publish in production react application, but this application has pages that doesn't work and they invisible for clients, but anyway, they exist in production. And so, after understanding, and maybe like reversing of react application, yeah, you can find this and you can recover the methods, API methods that application sends to API and gets, and it allow you to try more requests and maybe find another vulnerabilities. And also, it can be unsafe communication with API server, sorry, and it is everything about the society, it is everything about communication, maybe other algorithms and so on, so on. And again, it is only examples, maybe there are another ones, there are another ones, of course, there are. So, if I'm talking about mobile testing approaches, yeah, like I said, mobile, it is application, it is like custom made browser. So, and in this case, you have a lot of, I don't know, security and customization features, yeah, and so you have a lot of possibilities to do something wrong. And in this case, possible vulnerabilities, it is storing of sensitive data, yeah. And we will talk about this in one example a little bit later. So, also it is unsafe handling of external data and because there is one good example of vulnerability, when mobile application got data, external data and save it to SQL database. So, and there was a SQL injection in this. And if you can sniff and if you can edit traffic that application gets from the network, yeah, you can do the SQL injection on the client side, it is very interesting thing. So, also it is unsafe work with mobile platform, it is, for example, IPC mechanism and other things, maybe, and also there are a lot of different things. And let's talk about testing guides, testing approaches for every type of online banking, yeah. For web banking, you know, in this slide I wanted to set, I wanted to make the big table with comparing of different guides and with choosing the best one. But no, I just didn't find any other good guides except Avasp web and Avasp strategy. So, maybe you know and if you use something else you can maybe share it in comments. So, it is really good because, but for web banking we also usually use Avasp web, yeah. It has very good checklist and it has a lot of different vulnerabilities so it is really great and good job of someone who made this, yeah, of people who made this. And so, mobile banking, it is Avasp strategy and Avasp web guides. And Avasp strategy, it is about everything that relates it to mobile platform, all vulnerabilities related to this one. And why Avasp web here? Because we have a server site, yeah. And when we watching the mobile application, we have to check the platform, yeah, the application. And also we have to check the server site and how it communicates between the, how it communicates with the mobile application. So, for the platform, for the application we use Avasp strategy and for the server site we use Avasp web and it has maybe some intersections, yeah. And so, if in the best way this intersection should be fixed, yeah, and you have the best way is to have one big checklist and one big guide. And so, using of these checklists is very, very conveniently and it really helps us to don't forget something when we test it. So, after that we begin to talk about vulnerabilities and now it is the biggest part and we will talk about this until the finish of the presentation. And firstly, I want to say why I choose this vulnerability. There are free options and there are free reasons why I choose this. Firstly, it is, for example, some vulnerabilities are very common, yeah. You can meet it in a lot of different applications and it is very common and this is a problem. So, the second one reason it is because these some vulnerabilities are really interesting and they are not common, yeah, maybe it is very rare vulnerability, but anyway it is really, really interesting and it is like really hacking and, for example, like I said before, it is like making money from nothing, yeah, and so on. And so, it is really, really interesting and I love it because. And so, the third one reason it is because sometimes some vulnerabilities are really hard to fix, yeah. And developers trying to fix it and make another vulnerability. And so, we will talk about I don't remember one example of this vulnerability and so it, okay, a little bit later we will talk about that. So, let's begin from the first one vulnerability. And first vulnerability it is around an attack, it is currently around an attack and you know it is one of my favorite vulnerability because it is really, really like hacking like I said before and I talk about this vulnerability it is like making money from nothing, yeah. And so, first information that I found about this vulnerability it was 2011, maybe 2012, maybe there are early information but I didn't find. So, this vulnerability based on the incorrect incorrect unsafe using of round functions, yeah. And later we will talk about example but now very, very simple example of using of round functions and it is very simple but for us interesting last example when we can in round function we can set what what is we can set the decimal places that will be after rounding and as you can see on this example here it is two decimal places after rounding so after rounding we will get 1.52, yeah. And so you can say that it is not real vulnerability and it is not possible to admit it in real life but and for example all banks already fix it and all companies that work with money already fix it too and you can can't admit it in real life so but no there are examples and you can find it on Hacker one and you know I met I met this vulnerability two years ago and you know one very huge bank and so no examples exist so let's watch the example yeah for example we have one account yeah and this account has two wallets usd and rubble wallets yeah and you can transfer money between these wallets and when you transfer money the different currencies converting between yeah and for example in this case we have unreal unreal rates but anyway it is very comfortable for us it is for calculations so current rates it is 64 for one 64 rubles for one dollar in case of bank and the same 64 one usd in case of selling and so we have bank that use rounds into decimal places yeah and our goal is to become rich so what we can do let's watch the attack yeah we have one second we have one rubble one rubble sorry on the rubble wallet and we send it to the usd wallet and after rounding yeah firstly we converted to the usd and после of that calls function rounding and as a result we will get 0.02 usd from one rubble yeah after that we convert we send this to cents back to the rubble wallet yeah and it will be already one rubble and 20 yeah and now we have profit 120 persons why it happened this is happened because of this this is main reason so we had the one number and after wallet it became more yeah and this difference is very critical so we can get a big profit and you can say that now we have two additional rubble cents yeah and it is not it is not rich yeah but if you can repeat it 1000 or maybe one million times you will get real money i think banks not allowed to make this a lot of time because anti-fraud and some other things but anyway if this vulnerability exists sometime can someone can try to exploit it and it is i think the best way to fix it anyway so and i have very simple plot yeah firstly on the x we have transfer amount rubbles yeah and the y we have on the y we have profit and the persons yeah and so as you can see the biggest profit when we send about i don't know 0.3 0.4 rubles yeah to the dollars to the usd in this case the profit the highest yeah if and as you can see if we send more yeah the profit less less less and after some specific moment it is less than 100 so it is non profitable for us and from this you can see that it is first way to how to avoid this vulnerability it is set the limit of transaction for example if we'll set the limit of transaction in six six rubles yeah it will be unprofitable for anyone who tried to exploit this vulnerability so also there are two and other ways and second one it is that we shouldn't allow to clients to convert money from rubles to usd instead of this we should allow to to buy usd yeah for example client will buy 0.01 usd and it and after that client will get price and after that it they can finish the transaction so in this case anyway there is rounding yeah and it will be but in this case numbers are higher the numbers are bigger sorry and and it will be unprofitable for anyone who is trying to exploit this vulnerability so and there is another way it is at adding commission after 30 number of transaction it is not looks like good way but anyway it works and so but it looks like not not like good fix so but this vulnerability that I found this rounding attack took two years ago the bank fixed this by adding commission after specific count of transactions so on another example it is sensitive data disclosure it is very common vulnerability that is you can meet in every and a lot of application not every but a lot of but maybe maybe in every I don't know so let's watch an example very good example very interesting example and this example shows that is what is convenient is not always safe so we should look for balance between convenient and for between security and it is very important and case the bank added functionality that allowed to send money between cards and between cards yeah without login procedure yeah you so it looked like this so user enters firstly information about source card yeah about their card and after that user enters the information about this nature card yeah it is only pun code and the first step we enter the pun cvv and expiry date so on the second only pun code so on the third step user enters the amount of money for transfer yeah and on the next step system checks the balance and calculates the commission and if everything is okay money is enough and so on user gets sms yeah the user that has the source card get sms and after the entering the code the transaction is done if code is okay so let's watch into the htp request that was used for checking the balance yeah and it is that was a problem that main problem was that this server didn't check the expiry one second the expiry date and didn't check the security code yes so but it checked the money amount and card number so as a result everyone could get any could could could get balance for any card in bank so just by enumerating the card number it just and just by enumerating the money amount so so it worked like if you set to money too much money yeah server will return the error that money is not enough yeah in other case it will be everything is okay enter please code yeah please enter the code so and you can set any card number so so you can get information about every card in bank and it is not so good now it fix it next vulnerability it is unsafe otp firstly what is otp otp it is one-time password and it is usually one of the most popular realization of second factor yeah for example you enter to the mobile banking yeah you enter your login and password and after that you get the sms code or maybe push notification or maybe something like this yeah and you have to enter it to to pass the second factor or foundation and usually usually it deliver it via sms yeah and it is the most popular way for delivering so let's watch example yeah we are hawker yeah and we got access to user account and so we want to get money of this client so we have to send this money from our account to the from not no no no from user account to our account yeah so and for completing this transaction we have to enter the correct otp this otp sends to the mobile of this of the client or and the owner of this account and so we don't know this otp but we have to enter it and so after free and correct and every time when we create a transaction we have only three tries yeah after free incorrect entries transaction will be cancelled and otp has four random digits yeah tickets and it is for example one two three four yeah so как как сделать эту транзакцию как закончить эту транзакцию это как немного странно но что за институт бродфорсии otp да мы попробуем бродфорсию транзакции да что если это будет не бродфорсию но это будет выяснить звучит странно я объясню ок очень важная вещь если мы не ограничены в номер нового транзакции если мы можем создать и создать и создать и так далее да мы можем попробовать на следующей эксплуатации мы выбираем три разных otp да это должно быть потенциальный корректор otp 1 2 3 4 я не знаю 5 5 5 5 6 6 6 6 да и после этого мы создали новую транзакцию и попробуем выбрать otp да если это не верно обратно к степени и создать новую транзакцию но на этот момент это но каждую транзакцию это регенерирует то otp так что мы можем просто бродфорсию мы можем просто взять одну большую дикционеру да и использовать эту дикционеру чтобы нанимировать для бродфорса все existing otp нет это не работает так но это очень-очень символно да так и мы должны повторить эту алгоритму эту эксплуатацию до мы обмечили хотя бы 1 otp если мы обмечили хотя бы 1 otp транзакция будет закончена да и так это одна большая деференция выглядит как бродфорс но это не бродфорс это гейсинг так что в случае с бродфорсом мы знаем о когда будет закончена например дикционер у него к 10 000 линей так что будет закончена после Emmanuel 10 000 да Chain так что в случае с this бродфорс да но это гейсинг мы не уверены когда это будет закончена это может быть закончено после на следующей транзакции у нее может быть это это может быть закончена после 20 000 транзакций да мы гейсинг мы trying янамиры транзакции да до мы Until the generated OTP didn't match our OTP. So, I'll explain everything. No, I'm joking. I am not going, it is boring, so no, no, no. But it is very interesting results. Let's watch the results. So, probability of the successful transaction depends on the number of attempts. So, in our guessing exploitation, after 3,000 attempts, it will be about 60% probability. But if we can try 16,000 attempts, it will be 99%. So, it is a really good result, I think. And let's watch a little bit more complex example with new limitations. The same example, totally the same OTP, totally the same situation and so on. But after 5 cancelled transactions, we can't create a new one. We will be blocked for several times, for example for 24 hours. And so, what we can do in this case? There are two possible approaches. The first approach is totally the same exploitation, totally the same steps. But we try not free OTP for each transaction, but to OTP. So, in this case, we avoid the cancellation of transactions. And in this case, creation of transactions will not be blocked. So, it is one approach. Another one, we can, in the beginning, create several thousands of transactions. For example, we can create 20,000 of transactions. And only after that, we will try the OTP. So, in this case, we will block the creation of new transactions after trying the OTP. But it is not affected. It doesn't affect us, because we already created the 20,000. And, as you can see from the calculations, in case of 20,000, it will be more than 99% probability of success. So, we will get profit. So, and also, very good question. Is SMS a secure way of OTP delivery? Yeah, it is. Good question, because there are a lot of attacks against the SMS. It can be fake BTS. It can be Riyusha of Simcard. It can be SS7 attacks. Yeah, for example, there are these two very, very cheap things. It can be used for creating the fake BTS, for creating the fake station. Yeah, and using this, you can try to attack the client. So, let's talk about the recommendations. Firstly, the second factor should be enabled for all critical actions. Yeah, if you, for example, login to account. If client, for example, logins to account. For example, if changes the profile information, maybe other critical actions. It should be, client should enter the second factor. Also, it is very important to limit the account of requested OTP. On the previous examples, we tried to limit the creating of transactions, but sometimes it is a little bit hard. Maybe you can make another vulnerability and so on. So, the best way is to try, is to control the OTP. So, how many OTP, how many generation OTP client asked. Yeah, and after a specific account, just stop this process. And also, maybe it is a good way to think about alternative for SMS, because SMS not looks like the best way for delivering OTP. For example, we can watch on the push notification, we can watch on the TOTP and HOTP. TOTP and HOTP, it is, for example, Google authentication, it is Microsoft authentication, it is application that you have on your mobile phone and they use cryptography for OTP process. So, but every alternative has another problems. For example, TOTP and HOTP has very big problem. It is totally silent, because it is not like, it doesn't have delivering. So, client doesn't know about that someone trying to brute force its second factor. And so, sometimes it is very critical. Because in case of SMS or maybe push notifications, client will get a lot of messages about that and understood that something wrong and maybe called to support and support will call to security information specialist. And so, maybe attack will be stopped. But in case of TOTP and HOTP, it doesn't work like this. Next vulnerability, it is unsafe randomization. And it is, you can meet it in application, where logic is based on the generation of random values. It can be sessions, it can be OTP, maybe UNIQ indeedifiers. And it is, for example, most common problems. It is using of unsafe predictable random numbers generators. In other case, it can be, for example, using the predictable functions for creating, for example, sessions, maybe UNIQ identifiers and so on. So, in a case when attacker can recover the sequence of random values. And it can be, in case of, for example, incorrect initialization of the random number generator and so on. And it is one very known example when, it isn't online banking, of course, but anyway, Russian engineer, they, but it wasn't one engineer, it was team. Okay, never mind. Team of Russian engineers, or maybe one engineer, reverse the slot machine, yeah, and they recovered the sequence, they recovered it of algorithm, how it used for, used randomization, yeah. And they developed the program, I don't know what they did, but they, for example, they developed the program that helped to recover this sequence. For example, they came to the slot machine, they played for several minutes. And in these several minutes, they got the sequence, what slot machine showed to them, yeah. And using this information, they recovered them all sequence of random. And they can, and they know what will be in the future. And so using this cheat, they can, they did a lot of money. And so it is one of the good examples. And so another one, good example, I heard from Timurinov. And he met, he met, it is on his project. So it, for OTP generation was used LCG generator, yeah, for randomization. So, but using of LCG is not okay, because it is not cryptography safe. And, for example, when you have sequence of several generated codes, you can recover all sequence. So you can predict next OTP codes. And for OTP, it is very critical. So something like this. Another vulnerability, it is mobile banking authentication. Yeah, it is not vulnerability, but it is like evolution, yeah, for mobile banking authentication. I'll explain, okay. For example, we have case client installed, installed our mobile banking application on the mobile phone, yeah. And client, very good client. Yeah, you know, they know a lot about security. And so client has very strong password. Yeah. And on the mobile phone and very strong password is not convenient. Yeah. And it's not so comfortable. And so our task is to develop the simple authentication process. And that works after the first login. For example, first time a user enters the login and password. After that, something happens and user can enter the most simply. Yeah, for example, using pin code or something like this. And so let's try to make this solution. Yeah. Firstly, what is the most simple way? After entering the login and password, yeah, application just save the user password to file. And every time when the user opens the application, application sends the password to the server and get the session, the live session. It is awful. It is totally unsafe. Because of the saving of passwords, it is awful practice by design. Do not do this. It is awful. The second problem that unlocked device provides access to mobile banking. So anyone who can take the, who can get access to unlock device, device doesn't have pin code, because it didn't set. Yeah. So in this case, anyone can just use the mobile banking. It isn't okay. And so finding the second factor doesn't help in this case, because this phone has the SIM card and the SMS will be on this phone. So, and this third one, the hacker can get access to the file with password. Yeah. And in case, for example, if application has vulnerabilities, yeah, or just because of hacker has hacked the phone and now has root access. And in this case, hacker can just open any file on the file system almost. So, another case, after successful login, yeah, user sets the pin code. Yeah, and pin code saves, or maybe not, not saves, but it's used by checking the access by application. Yeah. And, for example, the refreshed, now we use refresh token. Yeah. And I forgot to say that the best practice using not password for, save not password, but save the refresh token. Yeah. And using the refresh token for creating a live session. So, after first login, yeah, user set pin code. This pin code used for decrypting the encrypted refresh token. Yeah. So, and also it, this pin code used for checking the access. So you open the mobile application, you enter the pin code. Pin code, for example, comparing with something. Yeah. And, for example, decrypting the refresh token. The refresh token sends to server and server backs session, a live session. Yeah. Again, it is awful, awful realization because of, firstly, anyway, we store the refresh token in the file. So, Hacker, again, if there are vulnerabilities, or if Hacker get half root access on the mobile, Hacker can just get access to file with password. In another case, encryption of token with short pin code is useless, because pin code is very short and brute force of this will be very fast. And also any local checks like pin code check, and other things can be easily bypassed by Frida if you have enough access on the device. So, it doesn't work like this. So, next realization, we save refresh token to the kStore key chain. Yeah. And you know, kStore key chain is the very good option. But, it is unsafe only in one case. When we enable the checking of biometric open code, when someone opens this record. In this case, Hacker can't get access to these records in the key chain. In another case, if no access checking, and application just extract the data from kChain kStore without any interactions with the user. In this case, it is totally unsafe. Not totally, but unsafe, because of Hacker with root access can just extract it without any problems. So, also it can be problematic if user has all device. And in this case, maybe problems with kStore kChain, maybe just device don't have enough security functions and so on. And also, but it is very similar to the second one. And the third one is that you completely dependency on the kStore kChain security. So, if you, if there are some problems with this, you have problems with the application. So, like this. And the first, last one realization, application asks user to set pin code, and this will be sent to API. So, API controls the identification process. And in this case, you can control the anything, like brute force, like enumeration and other things. So, you can control anything. And in this case, it is totally the same. And, for example, in case of using kStore kChain, you can set, user can't use any pin code, because of, it will be pin code of device only. Yeah. In case of the last realization, user can use any pin code, because it is no limitation. And we can set, for example, we can ask for the big pin code, like six symbols, maybe eight symbols, any pin code. Yeah. And other things. And, but it is very important to that now we have to protect our server side, because everything depends on our server side. That's all that I wanted to show you. And so now about conclusions. Firstly, there are good testing guides, there are good testing approaches, and you can use it not only for testing the applications, but you can use it for developing the application, for making applications. So, and it is really useful. It has a lot of examples and so on. Also, next conclusion is sometimes convenience of the enemy of security, and as you can So, from the example, yeah, third example with Bank, that added the functionality of sending money between cards without login. It is sometimes too critical, yeah. And so it is very important to find the compromise between convenience and between security. Next one, that is be careful with cryptography, randomizations and other things, because cryptography is really complex, and it is very important to understand what do you do. And just don't use cryptography without understanding. It is bad practice. And the last one conclusion is use best practices and use experience of other companies. Watch on other products, watch on other applications, because a lot of problems, yeah, and some companies already solve these problems. And if you find the correct solution, it will be very good. So, it is everything that I wanted to say. So, thank you for attention. I hope you got something new from this presentation. Thank you.