Solutum Cumulus Mediocris

Presented at Black Hat Asia 2014, Unknown date/time (Unknown duration)

Hosted payment gateways may offer an instant PCI compliance option for enterprises of any size. These solutions usually concede flow control between the merchant website and payment gateway to the end user's browser. This is a flawed design and leaves the merchant account highly exposed. In addition to traditional price manipulation and replay attacks, it can allow an attacker to hijack their API access. Once the account has been hijacked, the attacker can bypass payment, forge payment received notifications or even issue refunds. In this presentation, I will demonstrate how using GPU clusters and cloud computing can allow an attacker to hijack merchant accounts in a short timeframe.


Presenters:

  • Eldar Marcussen - BAE Systems Applied Intelligence
    Eldar is a Principal Consultant and researcher at BAE Systems Applied Intelligence. As a penetration tester, he works with enterprises of all sizes and sectors. As such, he has experience hacking anything from embedded systems to enterprise applications and even ATMs.
