So, lovely day. We are starting with security. Why? It's all about payments, and we're talking about security. Well, the aim of this presentation is to give you an idea about why we are talking about security, and what are the things that we should be doing and should not be doing while running a payment company, so that we don't go through some of the bad phases that some of the companies have gone through. I am Shadam, and I will be taking the next few minutes to give you guys an insight into security and payments and the common pitfalls.

So the first question is: why security? What's the general idea about security in payments? If I would say it, it would be like: if we have all of these things in place, we are sort of secure. This is what I would say most of the payment companies aim for. We get these things on our website and we are good to go. So the best example I could give you was Equifax. I guess you guys know about it. Well, everything was good, it was running for more than a decade, and then someone exploited some vulnerability, and then it figured out that the way they were storing passwords was MD5. Now, security by obscurity: never. Having compliance is good, which means this, but that doesn't make you secure.

I will just play a small video to kick off and then we will see. So it's not clear, but you will see a few things. In this video, a few of you would be amused, a few of you would find it funny, a few would find it a bit awkward. And if I had played it along for a long time, the security folks would be like, "Are you serious? This is not how things work." That's the same question security folks have when we see a payment app. You have all those things, all those signs that I showed you with 256-bit encryption, military-grade security, all those things in place. But when we actually dig in deep, what we find is you do not have authorization on your APIs, as simple as that. Anyone can bypass your login system as well.
So be sure of how you do things. So why are we talking about security? Security is something that everyone has a point of view on. Let me give you an anecdote: it's like if I tell Xenob how to run a HasGeek conference: "Okay, you know what? I found one problem and I think you should fix this better." Now, as human psychology, we tend to come up with patterns. So we have a point of view from one problem that we have figured out. So the problem with security is everyone has faced some kind of thing and everyone has an idea about security. But are they actually the experts to make a comment on that? That feedback could be valuable, but is it actually that important, or the main point of all of the things?

Okay, so a couple of facts. This is from the IBM report 2007, where it says the cost of a breach is $3.62 million. Okay, and 88% of the attacks that happened are actually something that was figured out in 2014. Okay, there are a couple of facts and figures that will help you understand why we are starting the session with security. Okay, what percent of cyber attacks are actually on small businesses? This will be a bit of a shocker, because we assume, "Hey, we are small." Like most of the payment companies, we are small. We don't have that big a customer base. Why would someone be attacking us? Here is something that you have to look out for: on average it takes 197 days to detect a breach. Actually, it's more than that. But do you think you have things in place to figure that out? Talking about cost, it's $6 trillion by 2021. I have the sources for all of these at the end of the slides; you guys can go through it. The human attack surface area is increasing like anything. Now, just on this point: $28 billion has been spent on cyber security in 2016, which would be like combining a couple of unicorn companies of India. They spent more than their valuation, in 2016 alone.
Okay, and here we have tons of payment companies: how much have we spent, or invested, I'll say? A couple of other facts: 1 in 31 emails contains malware. All of these. Now, the point is, if the attack surface is this big, how much have you taken care of? Okay, are you sure you can, like, if there are 2323,000 malware getting developed every day, are you sure that your system is secure enough? Do you have everything in place to figure that out?

So, the reason I call this the mother of all fallacies in security is that this is the one thing security completely revolves around, which is breaking all assumptions. So, just to give you an anecdote here from one of my colleagues from earlier. Let's say there's a statement: "Tom bought a book for a piece Sunday." How many of you could say how many assumptions there are in this statement? How many of you would say there are three assumptions? Are there any assumptions? Raise your hand. Yes? No? How many? Three? Four? Anyone else? For a sentence made up of six words, there are five assumptions. Let's say it was an e-commerce website, and, let's say I'm the owner of that e-commerce website, my data says Tom bought a book for a piece Sunday. The first assumption is that the guy who is actually buying the book is Tom. Then, that he is buying. Okay, because my database says he is buying. Then, that he bought a book. Then, that he bought it for a piece Sunday. Just because I have a database and these entries say someone did this doesn't actually make it so. How does this happen? It's something I'll cover in the next couple of slides.

Okay. Just an image that can explain it to you: there's a complete door, a sliding door, and a hole just to slide the door, and there's a complete bypass of it.

So, the security facets that we'll be covering. This isn't the complete list, but this is something that I'll be touching upon for this presentation. Compliance. What actually is compliance?
It's the first question that we need to ask. Compliance means that some company certifies that the process they are following to get compliance, all the processes that they are doing, are all good. And it doesn't certify whether any product is good enough or not. For example, PCI DSS. PCI DSS means that the process the company is following is all good, but it never guarantees that the company is secure. Okay. And there are tons of examples of that. So compliance is a part of security, not security. You should be running for compliance, obviously. If there is no business, there's no point in security. If there is no security, your business won't run for long. So compliance is all about a bit of policies, standard rules and a strategy: if something goes wrong, what and how would you go about it? Okay.

Yes. So let me ask you one question. How many of you have phones which came in post September 2017? Almost all of you, no? Which were released post September 2017. So why don't you do that with security? Again, I'll talk about Equifax, where I was compliant enough; being Equifax, I was compliant enough for way too long. I was handling all the PII data, everything, credit card numbers. And I was storing cards in MD5. Is that right? Because no one can figure it out, does that mean I can do whatever I want? Or is compliance making you secure? Something that you have to think about.

Application security and integration. This is one big topic. The first statement I'll make: I'm not discussing the OWASP Top 10. I'll assume that's the baseline that everyone would have, because we could go on for days talking about the OWASP Top 10 and it's not going to end. So that is something I'm taking as a baseline. What I'll be talking about here is, with all my experience for the last 7-8 plus years, I've seen tons of big companies and banks that have fallen victim to these, and companies are still falling victim to these kinds of small goof-ups which I'm demonstrating. Hashes.
So here the first one that I have is the algorithm. So the thing I'll start with is about 5 years back, 5 to 6 years back, when there were not too many payment companies, big enough ones. And one of the big payment companies that I was testing, which had been there for more than 2 decades, had a hash in place for all the integrity checks. The problem with that was the algorithm they were using was a 32-bit algorithm, which is way too weak. It's a 32-bit thing and it's way too weak. I can discuss the details. Now the problem with that was I could actually buy everything for free, though they had an integrity check in place.

Now the other problem that comes is, sometimes I see that a payment company is actually using a good enough salted integrity hash checksum, but what they lack is that your payload doesn't include all the parameters, like the transaction ID or the merchant name. So what happens now is, for any transaction ID, I can actually use the same checksum that they had, just because it's for the same amount. Obviously there are certain prerequisites, but they don't include all of those things.

The third part I'm saying is validation. Now I've seen companies, and this is one of the most common, where they are using the right algorithm, they have all the parameters, but they are not validating the checksum. I know it sounds like, "Hey, that's basic 101," but that's what I'm saying: that's what's missing right now. I have tested tons of companies and I'm telling you this is what is missing right now. Just to give you an example with two images, I'll give you guys a second to see the first and the second image. A guy has invested enough to keep a security guard to do a check, and that was happening, and this happens, I'm telling you, with tons of the latest 2016-17 companies as well. You have everything checking it, but there's no point in having them there. Payment secrets and salts.
Here is something I want to talk about: for almost all the companies that I know of, the way they share secrets is either it's available on a portal, or, actually, many companies send it across to the guy they are interacting with at the merchant. Now it's the salt. If I know it, obviously, me being a product guy, I will forward it to an engineer, then someone would integrate. Now the salt has been thrown out to so many people that all of those can actually go ahead and do free transactions, and there is no way to trace it back. What's missing right now is we have to come up with smart ways on how the salt sharing should happen between the payment gateway and the merchants, which is not there in a very good fashion. The other problem is, when a salt gets compromised, a lot of companies again do not support 2 plus salts. They say you could go ahead and change it from salt 1 to salt 2, but the problem is there are valid use cases where we have to support 2 salts, and that's not there. The problem with that is either the merchant loses customers or there is a monetary compromise that happens.

Talking about transactional logic. Wallet security. Any product folks here? Awesome. Wallet security: so you guys obviously want that, hey, ideally the payment should be without any friction, like the guy should come to the product, and the moment he thinks, there should be a payment done. That's where the wallet came in, because India has to have it in place. Now the problem with wallet security is, almost all the wallet companies have P2P in place. The moment I log in I can do a transaction. Think about this: my account is compromised, someone logs in, transfers my P2P to someplace else. Now the problem is, what kind of security do we have in place? Just that, okay, you are responsible for the account security of your account.
Apart from that, do we have any kind of fingerprinting in place? I'm not talking about that naive fingerprint. Okay, 5 items that we figured out: can you actually determine a legitimate guy versus a non-legitimate guy? Because, see, usability and security go hand in hand: the more user experience, the less security; the more security, the worse the experience, correct? So this is something that, I'll say, you guys have to figure out, in terms of what kind of security we have in our wallet system that will make sure that our legitimate users don't get compromised and we can track the illegitimate ones.

Gift card security. Here, I'm talking about almost 2 years back: all websites, all the companies were broken in one fashion or the other. Okay, the way they were generating the PIN, and the same goes for coupon abuse as well, the way they were generating the PIN, all could have been good for misuse, and you wouldn't know about it. I'm saying the aim here is to see: have you thought it through? And I'm telling you about a company a few days back which had very bad logic for generating them. Okay, it's not something of the real past I'm talking about; it's something that happened. See, it could be like, okay, you are the lead, you know how to do it, but the moment you delegated it to someone else, does he have the right capability to do it or not? He could be a fresher, or you could bank on him, or he could think, "Who would know or figure this out, that I'm just changing the last digit?" Right.
Then UPI. So I'll just talk about one example of UPI: when someone initiates and says, hey, a push notification comes to the app, the point is that then there is no hash in place, okay, from UPI itself. Okay, now the point is people can change from 100 rupees to one; though they are paying for one, there is no validation of what's happening. Okay, those are a couple of things I wanted to talk about in application security and integration. So maybe you have awesome security in place, but integration is not equal to your security. Integration, I can't tell you how many times I've seen it broken, just because two parties are involved: it's not just you; you are security savvy enough but the other party is not, they are not validating. Then you have the refund API, tons of other things in place, so you have to make sure, at the end, how the integration is happening. Okay.

Network, infra, cloud. This is another big one, where we assume, we have all moved, not all of us but mostly all of us have moved, from a typical DC to cloud, and we assume now cloud would take care of everything in place. Just giving the example of AWS: it's clearly mentioned on the website that security is 50-50 percent shared responsibility between the person using it and AWS itself. Okay, now the problem there is, how do you go about saying, okay, I have security in cloud? In cloud, what all things do you have to take care of and what all things do I not? As simple as all other systems that are there. Let's say maybe your systems are good enough, but, just talking about Dirty COW, which was a Linux privilege escalation vulnerability, the point is, at the end, it's one place where all the things are there; now how you have configured it is something that I could exploit, someone else can get into your system. A classic example would be four years back, an Indian company got hacked where someone exploited the Shellshock vulnerability, got into the servers, which were running more than four years old, okay,
and sent an email to all the customers that we are shutting down. Okay, now whose responsibility is this? Shellshock was patched, but this is there: they had a box which was running for more than four years and it was just a part of the prod VPC. That was the only problem.

Security issues due to misconfiguration. RMQ, RabbitMQ, the rabbit messaging queue, is just one example here. I can't tell you how many screw-ups; I guess Akash would be talking about all those things in place. The reason I put RMQ there is I have seen businesses that actually completely work on that messaging queue: it has their business logic, not the business logic as such, but critical data, and they have no authentication in place, and the administrator login account for RMQ is guest/guest, which is publicly available and anyone can access it. So the point is, when you see the data, you see, okay, the whole business depends on this, I consume it, they wouldn't know about it, and it's all gone. Okay, so RMQ is just one example. There are tons of things you have to take care of in how you fix it. I have seen databases which are publicly available and have no authentication in place, prod databases. Okay.

So the reason I have the third point here is I was talking to a couple of senior, not security, DevOps guys, and they said, hey, I'll just give the example of Amazon, because after Amazon started patching Spectre and this in December, on almost all the systems the CPU latency went high. Now people are saying, for every CPU latency that's going high, it's because Amazon is doing it, and one was actually getting attacked. Now again it's an assumption, because I have seen, like, three systems: Amazon is patching, latency goes up, my resource utilization goes up. One guy didn't realize that someone was actually exploiting his system. Okay, so cloud security is all about: think about this, these two bugs in themselves, no one knew for two decades, everyone was good. Okay, the problem with cloud security is not just
cloud security; the ROI, you don't know, you cannot quantify how good it is. If Intel had patched, like, two decades back, how big is this? 20 years later we know the impact; we can quantify it now, not like 20 years back, right?

Patching and updates. Again, a couple of months back, when Node.js said all their versions were vulnerable to DoS and they were releasing a patch, there was a time of 15-20 days where there was no patch. How do you go about it? How many of you actually knew about it? How many of you actually did something about it? Okay, not just patching the systems that are running, but let's say your whole application is hosted on Node.js and every version is vulnerable to DoS: how do you go about it? It's something we need to think very hard about.

IAM for all devices. The reason I'm talking about IAM for all devices, IAM meaning identity and access management, is: do we have an inventory in place? Like the other example that I was giving, where a company was hacked just because they had a machine running, an EC2 machine running, for 4 years, is because when you are small, you have 5 people, you know everything, and there is a time, the moment you become 100 or 200, the point is now all the things that I was saying have been delegated to this guy. Okay, or I will give you a real example, where we figured out at a small company one of the DevOps guys was running a gaming server in the prod server, a Counter-Strike gaming server in the prod box, and no one had any idea about it. This could be happening to any of us. How do you keep track of it? Or now anyone can be using it for mining as well, because they are the folks that are doing that. Okay.

DDoS protection. Again, a more than 3 decades old thing, it still exists. Just moving to cloud doesn't help you. A small scale of DDoS they say they can handle, but for others you have to handle it. Okay, now DDoS is not just a SYN attack now; now you have APIs all around. I've seen companies just go down because someone is abusing one of their APIs,
okay. How you architect your system is again important. Okay, just think about this: one API bringing your whole system down. Okay, I just can't name companies, for the naming and shaming, but because I interact with a lot of CTOs, I am telling you companies actually go weird when these kinds of things happen, and you scratch your head, because while starting you didn't care about it: it's a small company, who cares? You care, but not that much, and then when you hit it, security is not the most important thing.

Log analysis and correlation. Here it's actually important. Again, this is not just a simple shock that I am talking about; it's actually far more than that. So you need to have a small engineering team to correlate all the logs that you have. So I'll give you one example from Ola; this is just one example from Ola I am talking about. Think about this: drivers are getting really smart. Okay, fraud could be at any level. Okay, now let's say our customer, partner, what I'll say, customer care calls are increasing for certain cases, okay, and we see a jump in one API. Now we know drivers are abusing a certain thing in a certain manner, if just you can correlate these two things. This is one very naive example that I am giving; you guys have far more valuable use cases. Now if you can keep track of what's happening, if you could connect these systems, telling you all the frauds, actually you can detect them in real time. It's just that we need to put in effort to figure that out, which is actually missing from all of us.

This is just one example. I was talking to one of the guys, a CTO, and they said, hey, we are set up. So they had set up their hosted GitLab; it was publicly available, protected by username and password, which was integrated with their LDAP, so obviously no one could access it though it was publicly available. A small misconfiguration issue was this: now the point is, by default when you set up a local GitLab you can sign in with Google or Gmail as well. With this, I
actually logged in to his, not his personal, the company's official git repo, and I could see all the code and the log of it. Think about this: you think, hey, everything is protected, just one small problem, your whole code is gone, and you can't figure that out. I log in, I copy-paste the whole code, you can't figure that out. And it's like the image itself: you think, it is just one small thing, what are the odds of someone getting through it in one shot? And I'm saying the odds are way higher than you think. Just because you're on this side of the table doesn't mean someone on that side of the table is not smart enough. So cloud security is all about reducing the attack surface area: where this much is the attack surface area, you reduce it to this much, so that only very smart guys could get through; earlier a thousand guys could get through, now only one. But there is always a possibility that someone would get through, and probably in one shot. Okay.

A couple of goof-ups that happen. This and the next one are big ones, where I have tons of data on the slides, but I didn't want to miss out on any of those. GitHub: I'll explain this with just another major unicorn company that got hacked two months back, where one guy, because this was a way too big organization, one guy committed some credentials to public GitHub, and I, as an attacker, went and exploited the system, right? It sounds funny, but think about this: when you have 2000 plus guys with you, you cannot keep track of it. What happened to them can happen to anybody, and it's not a breach in some fashion, but it's a breach in some fashion. Okay, now how do you make sure that your guys... So again, I'll give you one more example. No, I'll skip that, but how about this: where, like, I wrote some awesome automation, I committed that code to GitHub, obviously you need to show your awesome coding skills on GitHub. Now the only part, because it had tons of code in it, the only part that was missing was it had my, let's say, corporate account password
and username, and the whole thing works on SSO. How about that? Now my account gets compromised for every place. Okay, so the aim here is, you need to have a system in place, being in payments, that if one of you guys by mistake commits code to GitHub, you should be notified in real time. GitHub is just one example; it could be any place, like Pastebin, paste anyplace, okay, because people copy-paste the code outside, asking a couple of questions: what happens with that? And that's your logic for doing something really important. Now you don't know, everyone knows that this is how you generate coupons, I'm just giving an example. Okay.

Third-party dependencies. Again, how many of you can say right now that you can name all the third-party dependencies in your company, from Kafka and Sentry to everything, logging, everything? How many projects are being used, what all things are being used: can any one of you say the whole inventory of third-party projects? Okay, I'm saying that's what happened with Equifax. Like, can you say, like, you're using Apache Struts in a couple of projects, but can you name right now how many projects are using Apache Struts? No. And when someone exploits it, then you come to know. What I'm saying is, you guys need to have a list of all third-party dependencies, which of them are vulnerable and which of them are not, is something that you need to have. Okay, at Ola we do maintain all of these things, okay, to figure out which are vulnerable, how exactly we are using it, how exactly we are not, what could go wrong, are the vulnerable components ones that we are using or not. Okay, something that I'll say for payments is actually a must.

OTPs. Man, this one is a big one. I can't tell you how many different kinds of OTP bypass I have found in my life. One second. I have seen code which says 1000 plus, okay. Well, I have seen so much code which, I just call it blacksmith code, in terms of, hey, I label it as, like, my parent company has military-grade security, and it's blacksmith code that's running behind, like, 1000 plus
this, or just changing one character. No, that's not how you validate an OTP or generate an OTP. Okay, even though you could say, hey, sign-up on my website happens via OTP validation, that's fair, but have you been sure that there is no bypass to that? Okay, I have seen issues, just going a bit technical, where people put the OTPs in Redis, and that cache gets cleared, and then there is no validation happening. I'm saying, understand, at the end of the day it's a guy who's writing code with a certain mindset and certain assumptions on how it's going to be used, okay, whether that code is running in an airplane or in a payment system. Okay, and because I have written that code with certain assumptions, there is always a possibility of it being bypassed. Okay, that's all I'll say. How you generate OTPs is really important; how you validate is very important. Like I'm saying that there is a cache, I'm telling you it gets cleared, or you spawn a new cluster, there are no entries, and you are validating it at the end: just a code bug. Okay.

Vendors. Here, what I mean is, obviously we have to use tons of vendors to send OTPs, transactional OTPs, login OTPs and tons of other things to the customers. How exactly is your contract with them? What happens if they get breached? Because you say, for this one number the OTP is this. Okay, I'll talk about just the biggest goof-up. It was one of the biggest banks in India, right now. I'm telling you a 3-year-old story, where when you go to that 2FA page of the bank, you say I want to pay by credit card, okay, you go to that 2FA page, the 3D Secure PIN. So the way that bank was doing it: after you put in your thing, they used to generate a small checksum, which was like an 8-digit code, not a checksum I'll say, okay, that was just authorizing that transaction. Now the fun part was, every time I do a transaction, if I return that code, the transaction was successful. I'm talking about one of the biggest banks in India. At the end, as I said, it's one guy writing a piece of code
with certain assumptions in mind. Okay.

To store passwords, email, GPS location of the customers, you want to give them a better user experience, I understand. Now, how and where you store it is what these 2 points cover. It's okay to hold on to that information, but not on the device and not in plain text format. Understand, the device is something that you do not own. Okay, there are tons of things on the app; I've seen customers getting exploited just because some company was storing some other information. Okay, I'll give you an example: a password, and there was malware in the phone which was taking that password and trying it on all different websites, and that guy had the same password across.

Pre-auth. This is so important, I can't tell you. All of you from payment companies know how many fraud requests you get in a day, where people have added 11, 15, 20 debit cards to one account, then one debit card to 20,000 accounts. Okay, those are all frauds you figure out when a cybercrime complaint comes to you. Do you know right now how you can fix it? Product guys say, for better user experience we don't add pre-auth, let him add, and then we'll see whenever he wants to transact. But can you take a step back and think: can we mandate pre-auth for adding all the cards? Because I can't name companies, but I've seen finance guys, the head of finance, getting spoofed into sharing his credit card details with someone and then getting breached. Okay.

I'm not sure how many of you support multi-currency. This is one funny one we have seen. Let's say on my credit card for US I have 100 dollars negative balance. What I do, just because they don't have a validation check on the currency: I change it to INR, I actually pay 100 INR in that thing, and the currency is not a part of the checksum, so I change it back to USD. Now, just paying 100 rupees, I clear my debt of 100 dollars. This happens. How you handle multi-currency is something that you have to look at, and there are tons of cases around that.

Refund API. I can't tell you
how much abuse I have seen of refund APIs from so many folks. Refund API just means that, obviously, when you integrate with merchants, they run something, and at the end what happens is, because of bank failed transactions, or net banking taking up to 4-5 days for transactions, you have to refund whatever needs to happen. The way all the companies generally implement it, I'm not generalizing the statement, I'm saying mostly implement it, is they have just an API key: you are a merchant, I give you merchant key 1, and that's the security of a refund API, which actually credits money to a customer's account. Some folks have gone a bit deeper, but again I can talk about all of that; I'm saying it's not a secure refund API. You don't know how much abuse has been happening just because you don't have the metrics and you are not collecting the data, just like the third-party libraries that I talked about: until you get exploited through it, you're like, it's all good. I'm saying it's not.

Linked to the refund API itself: payment systems obviously have a lot of crons to do daily analysis and then send the rest of the money to the company's bank account, or do all the validation. The cron obviously means it has the power to send money, push money, tons of things in place. Okay, how many people in your organization have access to that cron? That means obviously there would be some API key, some access token, someplace; if I as a dev, product guy, or DevOps know about it and I start misusing it, what happens? Do you guys even know about it? These are big goof-ups that no one is looking at, which is something that I'm trying to cover.

Success URL, failure URL, replay attacks. So this goes back to my hash validation part, where when you're coming back from the payment gateway to the merchant, the merchant obviously defines: for failure, URL go here; for success, URL go here. Just because you don't include the success or the failure URL in your validation, in your hash validation, you can screw up big time. Big time means big
time leakage of sensitive information. Something all good. I'll run through, just because there's still a lot to cover.

Operational goof-ups. Let me talk about a couple of important things in terms of data security here. At the end we trust that our customers, our employees won't misuse the data. I'm not pointing a finger there, but I'm saying, at the end, if you grow big you'll have tons of employees who would have access to a lot of customer data. If you don't plan to have data security from the start, you're gonna be screwed up big time, is what I'm saying, because you have all the salts of all the merchants and everyone, and everyone has access to all of it. Just a reality check is something that you have to see: what is stored, how it is stored, where is it stored, who has access to that kind of data. I'm just running through; there's something important I'll discuss in detail: how are they stored, what kind of people have access to that, and have you classified the data from the start? So right now I understand, when you're small it's like, what's the need? It's just ten folks and we know this is critical, this is confidential, this is okay. But the more you grow, it won't be 10 people, and they won't understand your definition of critical, confidential, non-confidential. Okay.

Why is security hard? There is no way to quantify what you're doing. Security is like medical insurance: you pay the premium for the next ten years, nothing happens, you're like, dude, all the money gone bad. You pay the premium for a year, something happens, and that money comes into use; you're like, see, I paid one year's premium, or I had the insurance just for this. So it's hard to quantify whether what you're doing is adding value or not, and then it actually doesn't add something to your business growth. And derivatives in terms of, again, numbers. This is one important one, because, I mean, where we have a couple of devs who are security savvy, okay, the problem with that is they think, hey, SQL injections, no worry, we'll use prepared
statements. Now, just giving the example of ActiveRecord, which uses prepared statements in Ruby: it could also have it, because you are doing a concatenation at the end. Just an example. So assuming that, hey, I'm good enough, I don't need security, is probably wrong. Don't add security on top afterwards; you have to create the application so that it is secure from the start. Don't think, let me build it, I'll add security later. Security is not like you'll build a fortress around it; it's not gonna work that way. I'll skip this example.

Latency versus security. Something I'll cover again. A very big vendor in payments in India, they support latency up to 60 seconds. So what happens is, if you start a transaction with them, while they are doing a transaction you could actually move all the money as P2P, and that transaction was still successful. This is, I'm telling you, 4 years back, okay. Now I could actually do anything on that payment vendor, for anything, for everything, for free.

Security is always top-down. If you think senior leadership is not understanding it, it's not gonna go anywhere. Why it's even harder when you're scaling up: just one example here, and I'll wind up, is brute-forcing. Let's say, for our folks, if the login has brute-forcing possible, a security guy would say, hey, have a captcha in place. Now, you know, on a mobile app you cannot have a captcha. Okay, now how do you fix it? Now all the standard solutions of security do not work in a product-based company, which is one of the biggest problems when you're scaling up. Then you have Play Store signing keys available in your git; I as an employee move out, I upload my APK, and what happens there? I'll just sign off. Race conditions is something, so I'll put up the slides later and you guys can take a look at it. There are a couple of dos and don'ts tips that I covered, which is a way too comprehensive list that I had in place, and I wanted to cover all of this which was important. Just one proposal that I'm proposing, with all the payment companies, is, I'll say, we need to have a
negative database sharing, where somehow people could say, hey, this is bad data, and all others could consume it in a certain fashion, is what I'm proposing. I'm saying you need to have scoring for all your customers. Preparedness for breach is something I'm proposing, and you need to manage all your frauds. Apart from that, a disclaimer is this: there's nothing specific to Ola, and I haven't touched upon these things; it was a general 101 session for security to give you guys a flavor of what security is and why you should care about it, just the flavor of it. For more questions, I'll be available around, you guys can catch up and discuss with me. Sorry for taking more time than expected.
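One way to implement the checksum discipline the talk keeps returning to (cover every field, including the currency and the success/failure URL; validate the checksum and reject a missing one; check the callback against your own record and against the order actually being fulfilled), as an added Python example that is not code from the talk or from any product it mentions. The field names, the secret and the callback values are constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed placeholder secret for this example. A real merchant secret is
# provisioned out of band and never travels in the callback itself.
MERCHANT_SECRET = b"example-merchant-secret-not-real"

# Every field the merchant acts on must be covered by the signature. Each of the
# talk's failure cases is one of these left out: txn_id/merchant_id (one
# checksum reused across transactions), currency (100 USD settled as 100 INR),
# status and return_url (a failure callback replayed as a success).
FULL_FIELDS = ("merchant_id", "txn_id", "amount", "currency", "status", "return_url")
# The weak scheme the talk describes: only the amount is hashed.
WEAK_FIELDS = ("amount",)


def canonical(payload, fields):
    """Deterministic bytes to sign. Raises KeyError if a field is missing so
    callers can fail closed. JSON-encoding (name, value) pairs avoids separator
    ambiguity such as amount="1" + currency="00" colliding with amount="100"."""
    return json.dumps([[name, str(payload[name])] for name in fields],
                      separators=(",", ":")).encode()


def sign(payload, secret=MERCHANT_SECRET, fields=FULL_FIELDS):
    """Keyed HMAC-SHA256 instead of an unkeyed 32-bit checksum: without the
    secret nobody can recompute the tag after editing a field."""
    return hmac.new(secret, canonical(payload, fields), hashlib.sha256).hexdigest()


def verify(payload, secret=MERCHANT_SECRET, fields=FULL_FIELDS):
    """True only if a checksum is present and matches every signed field."""
    received = payload.get("checksum")
    if not isinstance(received, str):
        return False  # absent checksum is a rejection, never "skip validation"
    try:
        expected = sign(payload, secret, fields)
    except KeyError:
        return False
    return hmac.compare_digest(expected, received)  # constant-time comparison


def accept_callback(payload, ledger, order_txn_id, secret=MERCHANT_SECRET):
    """Merchant-side decision: valid signature AND the callback belongs to the
    order being fulfilled (not a replayed one) AND it agrees with the
    merchant's own record (`ledger`: txn_id -> amount/currency it created)."""
    if not verify(payload, secret) or payload.get("txn_id") != order_txn_id:
        return False
    expected = ledger.get(order_txn_id)
    if expected is None:
        return False
    return (payload.get("status") == "success"
            and str(payload.get("amount")) == str(expected["amount"])
            and payload.get("currency") == expected["currency"])


def demo():
    """Constructed callbacks; returns which ones each scheme accepts."""
    ledger = {"TXN-1001": {"amount": "100.00", "currency": "USD"},
              "TXN-1002": {"amount": "100.00", "currency": "INR"}}
    failed = {"merchant_id": "M-42", "txn_id": "TXN-1001", "amount": "100.00",
              "currency": "USD", "status": "failure",
              "return_url": "https://merchant.example/failure"}
    weak = dict(failed, checksum=sign(failed, fields=WEAK_FIELDS))
    full = dict(failed, checksum=sign(failed))

    # Edits made on the client side: the untouched 100.00 is now presented as a
    # successful INR payment posted to the success URL.
    edits = {"currency": "INR", "status": "success",
             "return_url": "https://merchant.example/success"}
    weak_edited = dict(weak, **edits)
    full_edited = dict(full, **edits)

    # A genuinely successful USD payment for this order, signed by the gateway.
    success = dict(failed, status="success",
                   return_url="https://merchant.example/success")
    success["checksum"] = sign(success)
    # A genuine, correctly signed success for a different (INR) transaction.
    other = dict(success, txn_id="TXN-1002", currency="INR")
    other["checksum"] = sign(other)

    return {
        "weak_accepts_edited": verify(weak_edited, fields=WEAK_FIELDS),
        "full_accepts_edited": verify(full_edited),
        "full_accepts_genuine": verify(full),
        "missing_checksum_rejected": not verify(dict(failed)),
        "failure_accepted": accept_callback(full, ledger, "TXN-1001"),
        "success_accepted": accept_callback(success, ledger, "TXN-1001"),
        "edited_accepted": accept_callback(full_edited, ledger, "TXN-1001"),
        "replayed_other_txn_accepted": accept_callback(other, ledger, "TXN-1001"),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The amount-only scheme accepts the edited callback because the one field it hashes never changed; the full scheme rejects it, and the merchant-side check additionally refuses a signed success that belongs to a different transaction.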