1 / 29

Secure Payments Over Mixed Communication Media

Web enabled systems are now an integral part of everything we interact with, from microelectronics to voice enabled hardware, from text messages and phone calls to email, and really we’re just limited by our imaginations as to what we can connect. As we explore vast new realms of communication over mixed digital media, we have to ask ourselves how we protect our critical data within potential unsecure environments. Going beyond that, how do we protect some of our more critical data, payment information, in this same realm. As we look at a multitude of different environments, we’ll be exploring how to secure user identity and payment information through the communication channels, covering topics like: * Securing identity and payment data through voice commands or text. * Tokenization and encryption security. * Techniques for triggering secure transactions from communications media. At the end of the session, we’ll have a stronger understanding of proper techniques for working with new communication media sources, and see how we can apply fundamental security precepts in potentially insecure environments.

jcleblanc
Télécharger la présentation

Secure Payments Over Mixed Communication Media

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Secure Payments over Mixed Communication Media Identity, Data, and Payment Security Practices Jonathan LeBlanc Head of Global Developer Advocacy PayPal / Braintree Twitter: @jcleblanc | Email: jleblanc@paypal.com

  2. Considerations in the Payments World • Identity: Securing who the user is • Data in Motion: Securing what the user is doing • Payments: Securing how the user is buying Twitter: @jcleblanc | Hashtag: #dfist

  3. Protecting Identity Transmitting information about who you are Twitter: @jcleblanc | Hashtag: #dfist

  4. Protecting Account Information Twitter: @jcleblanc | Hashtag: #dfist Source: http://digitaltrends.com

  5. Protecting Identity through the Password • Salting: Hardening the user password • Good encryption algorithms: bcrypt, scrypt, PBKDF2 • Protects against: Rainbow tables, dictionary attacks Twitter: @jcleblanc | Hashtag: #dfist

  6. Android: POST request to server to encrypt data client.java String urlString = "https://myserver.com/auth"; try{ //create HTTP objects HttpClient httpClient = new DefaultHttpClient(); HttpPost httpPost = new HttpPost(urlString); ENTER FILENAME/LANG //create nvp of POST data List<NameValuePair> nameValuePair = new ArrayList<NameValuePair>(1); nameValuePair.add(new BasicNameValuePair("password", "123456789")); //encode and POST data httpPost.setEntity(new UrlEncodedFormEntity(nameValuePair)); HttpResponse response = httpClient.execute(httpPost); catch (Exception ex){ Log.e("Debug", "error: " + ex.getMessage(), ex); } Twitter: @jcleblanc | Hashtag: #dfist

  7. Salting & Encrypting Passwords with bcrypt auth.js ENTER FILENAME/LANG //node bcrypt package var bcrypt = require('bcrypt’); function bcrypt_encrypt(username, password){ //generate a random salt with 10 rounds bcrypt.genSalt(10, function(err, salt){ //generate hash using password & salt bcrypt.hash(password, salt, function(err, key){ console.log('key: ' + key.toString('hex')); console.log('salt: ' + salt.toString('hex')); }); }); } Twitter: @jcleblanc | Hashtag: #dfist

  8. Salting & Encrypting Passwords with PBKDF2 auth.js //node standard crypto package var crypto = require('crypto’); ENTER FILENAME/LANG function pbkdf2_encrypt(username, password){ //generate random 32 byte salt crypto.randomBytes(32, function(ex, salt){ //generate PBKDF2 hash with specified iterations and length crypto.pbkdf2(password, salt, 4096, 512, 'sha256', function(err, key){ if (err) throw err; console.log('key: ' + key.toString('hex')); console.log('salt: ' + salt.toString('hex')); }); }); } Twitter: @jcleblanc | Hashtag: #dfist

  9. Protecting Data in Motion Transmitting privileged user information between services Twitter: @jcleblanc | Hashtag: #dfist

  10. Taking Cues from Hardware Security Twitter: @jcleblanc | Hashtag: #dfist Source: http://estimote.com

  11. Protecting Data in Motion • Asymmetric Public / Private Key Encryption • Two pairs of public / private keys (sender + receiver) • Encrypt with recipient public key, sign with sender private key • Decrypt with recipient private key, verify with sender public key Twitter: @jcleblanc | Hashtag: #dfist

  12. Learning from Beacons Central Device Beacon Hardware IP Address Endpoint Twitter: @jcleblanc | Hashtag: #dfist

  13. Android: POST request to server to transmit data client.java String urlString = "https://myserver.com/server"; try{ //create HTTP objects HttpClient httpClient = new DefaultHttpClient(); HttpPost httpPost = new HttpPost(urlString); ENTER FILENAME/LANG //create nvp of POST data List<NameValuePair> nameValuePair = new ArrayList<NameValuePair>(2); nameValuePair.add(new BasicNameValuePair("action", "login")); nameValuePair.add(new BasicNameValuePair("user", "ntesla")); //encode and POST data httpPost.setEntity(new UrlEncodedFormEntity(nameValuePair)); HttpResponse response = httpClient.execute(httpPost); catch (Exception ex){ Log.e("Debug", "error: " + ex.getMessage(), ex); } Twitter: @jcleblanc | Hashtag: #dfist

  14. Generating Public / Private Key Pairs ENTER FILENAME/LANG server.js //node module for RSA public/private key OpenSSL bindings var ursa = require('ursa'); //generate sender private and public keys var senderkey = ursa.generatePrivateKey(1024, 65537); var senderprivkey = ursa.createPrivateKey(senderkey.toPrivatePem()); var senderpubkey = ursa.createPublicKey(senderkey.toPublicPem()); //generate recipient private and public keys var recipientkey = ursa.generatePrivateKey(1024, 65537); var recipientprivkey = ursa.createPrivateKey(recipientkey.toPrivatePem()); var recipientpubkey = ursa.createPublicKey(recipientkey.toPublicPem()); Twitter: @jcleblanc | Hashtag: #dfist

  15. Preparing Message, Encrypting, and Signing ENTER FILENAME/LANG server.js //prepare JSON message and stringify var msg = { 'user':'Nikola Tesla', 'address':'W 40th St, New York, NY 10018', 'state':'active' }; msg = JSON.stringify(msg); //encrypt and sign message for sending var encrypted = recipientpubkey.encrypt(msg, 'utf8', 'base64'); var signed = senderprivkey.hashAndSign('sha256', msg, 'utf8', 'base64'); Twitter: @jcleblanc | Hashtag: #dfist

  16. Hardware is Used as Bridge to Endpoint Central Device Beacon Hardware IP Address Endpoint Twitter: @jcleblanc | Hashtag: #dfist

  17. Decrypting and Verifying Message ENTER FILENAME/LANG server.js //decrypt data received var decryptedmsg = recipientprivkey.decrypt(encrypted, 'base64', 'utf8'); //validate signature var validatedmsg = new Buffer(decryptedmsg).toString('base64'); if (!senderpubkey.hashAndVerify('sha256', validatedmsg, signed, 'base64')){ throw new Error("invalid signature"); } else { //decrypted message console.log('decrypted message', decryptedmsg, '\n'); } Twitter: @jcleblanc | Hashtag: #dfist

  18. The Better Way • Transmission over HTTPS • Asymmetric or Symmetric algorithms • Trusted protocols such as OAuth Twitter: @jcleblanc | Hashtag: #dfist

  19. Protecting Payments Transmitting credit card and payment details Twitter: @jcleblanc | Hashtag: #dfist

  20. Taking Cues from Email / SMS Communications Twitter: @jcleblanc | Hashtag: #dfist Source: http://mashable.com

  21. Tokenization Credit Card Number Expiration Date 1a472HDsabejmasiw8371480 isajlkarsi742198ue Customer Name Postal Code Twitter: @jcleblanc | Hashtag: #dfist

  22. Twitter: @jcleblanc | Hashtag: #dfist

  23. Twitter: @jcleblanc | Hashtag: #dfist Source: http://fineartamerica.com

  24. Extending Secure Protection Using wearables to extend security Twitter: @jcleblanc | Hashtag: #dfist

  25. Twitter: @jcleblanc | Hashtag: #dfist Source: http://theverge.com

  26. Capturing Wearable Device Information ENTER FILENAME/LANG devices.java //get all devices currently attached via bluetooth Set<BluetoothDevice> pairedDevices = mBluetoothAdapter.getBondedDevices(); //loop through all paired devices found if (pairedDevices.size() > 0){ // Loop through paired devices for (BluetoothDevice device : pairedDevices) { //DEVICE NAME: //DEVICE MAC ADDRESS: device.getAddress() } } device.getName() Twitter: @jcleblanc | Hashtag: #dfist

  27. Twitter: @jcleblanc | Hashtag: #dfist Source: http://droid-life.com

  28. Securing Data Communications Identity, data, and payments within different communication methods Twitter: @jcleblanc | Hashtag: #dfist

  29. Thank you! Questions? Twitter: @jcleblanc Email: jleblanc@paypal.com

More Related