Testing slide visibility Feb 2016.pdf · Hosting, PCI. Payment Express (DPS) px_post, px_pay,...

Testing slide visibility

Credit card fraud

You don't want to bethe common point of purchase

Who am I?

Dan Wallis, fredden

Christchurch, NZ

@mrdanwallis, https://web.fredden.org/

I'm a sysadmin doing some web development.

Views are my own, et cetera.

ISIG, OWASP, music, family

E2 Digital, Harvey Cameron

● Agency● Joomla, Magento, Silverstripe● Hosting, PCI

Payment Express (DPS)

px_post, px_pay, px_fusion

UA Website DPSCard

Success/fail

Amount, Card

Success/fail

UA Website DPSAmount

Success/fail

Token, Card

Success/fail

px_post

px_pay

Magento

● Open-source shopping website framework● PHP/MySQL - “standard LAMP stack”● Very complex

● Slow.

Problem: Website is slow

● Concurrent users● Content Delivery Network● Minimum page load time● User experience

Scaling

● Vertical versus horizontal

Scaling

● One box

WebFiles

Database

Scaling

● Two boxen

WebFiles

Database

Scaling

● Small cluster● TLS

Load balancer

WebFiles

Database

Scaling

● Small cluster● TLS

Load balancer

Web Web

Files Database

Scaling

● Bigger clusterLoad balancer

Load balancer

Web Web WebWeb

Web Web Web Web

Database

Database Database

Heartbleed● Peek into server's memory● https://xkcd.com/1354/

Varnish & Turpentine

● TLS

Website

Transparent proxy

Checkout experience

Login orGuest

Billingaddress

Shippingaddress

Shippingmethod

Paymentmethod

Terms,Confirm

Payment(px_pay)

Checkout experience

Login orGuest

Billingaddress

Shippingaddress

Shippingmethod

Paymentmethod

Terms,Confirm

Payment(px_pay)

Done“One-step checkout”

AJAX AJAX AJAX AJAX AJAX

Checkout experience

Login orGuest

Billingaddress

Shippingaddress

Shippingmethod

Paymentmethod

Terms,Confirm

Payment(px_pay)

Done“One-step checkout” + px_fusion

AJAX AJAX AJAX AJAX AJAX AJAX

Checkout experience

Login orGuest

Billingaddress

Shippingaddress

Shippingmethod

Paymentmethod

Terms,Confirm

Payment(px_pay)

AJAX AJAX AJAX AJAX AJAX AJAX

Checkout experience

Login orGuest

Billingaddress

Shippingaddress

Shippingmethod

Paymentmethod

Terms,Confirm

Payment(px_pay)

AJAX AJAX AJAX AJAX AJAX* AJAX

Success

● Website no longer “slow.”● Win!

● The end.

It's never the end

Problem: “website hacked”

● Incident response

● SVN● DB in staging & dev

Credit card fraud

● Common point of purchase

Load balancer

Web Web WebWeb

Web Web Web Web

Database

Database Database

Transparent proxy

Credit card fraud

● Common point of purchase● Single-use card

Checkout experience

Login orGuest

Billingaddress

Shippingaddress

Shippingmethod

Paymentmethod

Terms,Confirm

Payment(px_pay)

AJAX AJAX AJAX AJAX AJAX* AJAX

Multi-factor

● Credit card details sent to web server● Heartbleed to read these out of memory

Lessons learnt

● Patch CVEs. Whose responsibility.● Expect the unexpected from users.● Staff attrition. Hand-overs important.● Documentation of policy, process.● Incident team, process.

Thanks

Testing slide visibility Feb 2016.pdf · Hosting, PCI. Payment Express (DPS) px_post, px_pay,...

Documents

Transcript of Testing slide visibility Feb 2016.pdf · Hosting, PCI. Payment Express (DPS) px_post, px_pay,...

Dps printscreens

Perceived Criminality, Criminal Background Checks, and the ...irp.wisc.edu/publications/dps/pdfs/dp125402.pdf3In addition, individuals who serve time fail to accumulate work experience,

bibliotecadigital.ipb.pt · Flávio Arrais, UA José Melo, UA Maria Fonseca, UA Nélia Alberto, UA Raul Simões, UA Vítor Silva, UA . Comissão Científica A. Simões, UA A. Sousa

Pembahagi Fail-fail Panitia

i' All DPS High School Students · i' • • • • • Legend • 0 • • l DPS Schools ch Special School o DPS Students All DPS High School Students • • __ • ..... •

DPS analysis

2014 Annual Inspection Form - DRAFTPass Fail Pass Fail Pass Fail Pass Fail Interstitial Monitoring Pass Fail Pass Fail Pass Fail Pass Fail UST-01 Rev Date: 08/24/20 Dispenser Area

SISTEM FAIL & KLASIFIKASI FAIL

DELHI PUBLIC SCHOOL€¦ · Daulatpur, DPS Dehradun, DPS Firozabad, DPS Gwalior, DPS Meerut, DPS Prayagraj, DPS Saharanpur and DPS Ranipur. The venue was Delhi Public School Ranipur,

DPS - witron.de · Be innovative • Be committed • Be successful DPS DPS – Logistik-Erfolgskonzept Wie funktioniert DPS? Als vollständig integriertes Logistiksystem basiert

DPS - witron.de · DPS DPS – Successful Logistics Concept How does DPS work? As a fully integrated logistics system, the storage and picking solution DPS (Dynamic Picking System)

Fail fail fail, until you succeed

CONFIDENTIAL DPS EHS - 001...confidential dps ehs - 130. confidential dps ehs - 131. confidential dps ehs - 132. confidential dps ehs - 133. confidential dps ehs - 134. confidential

Dps evidence

Anleitung für das Gehäuse JT-DPS-Case mit JT-DPS-5015anleitung.joy-it.net/wp-content/uploads/2018/09/JT-DPS-Case-Anleitung.pdf · Das JT-DPS- ase können Sie mit unserem JT-DPS-5015

DEUTZ POWER SOLUTIONS. - Diesel Parts & Service · 4 G SERIES G SERIES Generator Model DPS 21 DG DPS 33 DG DPS 44 DG DPS 62 DG DPS 81 DG DPS 110 DG DPS 140 DG DPS 170 DG Generator

DPS Survey Results...DPS Survey Results DPS Members Meeting 6 October 2010 . Previous DPS Member Surveys • General Membership Surveys 1995, 2005 ... Number of Proposals Necessary

YOTG Hamburg - Frank Wolfram - Fail fast, fail cheap, fail often

hoshiarpur.nic.inhoshiarpur.nic.in/list.pdfMr. Gurprit Singh Result Typing Test (Punjabi) FAIL FAIL PASS FAIL FAIL PASS FAIL FAIL FAIL PASS FAIL FAIL FAIL FAIL PASS ABSENT FAIL PASS

POMPE A DOUBLE MEMBRANES - anest-iwata.fr · 3 4 36 inox dps 70-3c.te dps 90-3g.te dps 120-3c.te dps 70-4c.te dps 90-4g.te dps 120-4c.te dps 70-36c.te dps 90-36g.te dps 120-36c.te