HF 2022 - Call for Papers

Your locale preferences have been saved. We like to think that we have excellent support for English in pretalx, but if you encounter issues or errors, please contact us!

Defrauding merchants like it’s Y2K
10-29, 09:00–09:20 (Canada/Eastern), Track 2
Language: English

In 2022, most of us have bought goods and services online or using mobile apps, for convenience, for safety (e.g., pandemic) or as a matter of personal preference. As mobile payments and integrations with third-party payment processors become more and more prevalent, common AppSec mistakes from the past reappear under new forms. Merchants who overlook security best practices and fail to secure their systems can be victims of fraud.

In this talk, we will cover some examples of payment APIs and mobile in-app purchases (e.g., with Apple Pay or Google Play Store) that fail to perform sufficient validation in ways that may have devastating financial and reputational impact to merchants. We aim to bring awareness to these often-overlooked issues and provide recommendations to avoid these vulnerabilities with real-world examples.


Classic attacks such as parameter and price manipulation have been widely known since the 2000’s, if not before. What we have found from our client engagements and research is that sometimes, given the complexity involved with tokenized third-party payment processing or integrating mobile payment services (e.g., Apple Pay, Google Play Store), applications often overlook basic security best practice and become too trusting – allowing users to use fraudulent payment cards or to commit purchase fraud.

The following is a tentative agenda:
• A look back at history (2 minutes)
• Using third-parties for payment (5 minutes)
• What can go wrong? (5 minutes)
• Examples (5 minutes)
• Remediation guidance (3 minutes)


Are you releasing a tool? – no Was this talk already given? – yes

Yuk Fai Chan

Principal & Co-Founder, Proack Security Inc.

Yuk Fai is a Principal and Co-Founder of Proack Security Inc. He has over 12 years of proven experience advising clients on application security, vulnerability management, threat modelling, penetration testing, incident response, breach preparedness, and cyber security programs. He has also been the Co-Leader of the Open Web Application Security Project (OWASP) Toronto Chapter since 2011.

Certifications:
• Offensive Security Certified Professional (OSCP)
• GIAC Certified Forensic Examiner (GCFE)

Principal & Co-Founder, Proack Security Inc.

Craig is a Principal and Co-Founder of Proack Security Inc. He is an experienced security consultant & researcher who specializes in infrastructure and application penetration testing and threat and vulnerability management. He has extensive experience with mobile testing, specifically API and Android testing. In his spare time, he enjoys finding vulnerabilities in everyday household apps.

Certifications:
- Offensive Security Certified Professional (OSCP)
- Certified Information Systems Security Professional (CISSP)
- GIAC Web Application Penetration Tester (GWAPT)
- Certified Ethical Hacker (CEH)

This speaker also appears in: