I returned to DEF CON this year and once again spent all my time with the Payment Village. This time, I had the opportunity to volunteer! I’ll write about that separately.
They also gave me the opportunity to give a talk, so I put something together about my experience in crowdfunding and e-commerce as it relates to dealing with different types of attacks as an online merchant accepting card payments.
Talk Overview
My talk begins with an overview of the anatomy of a credit card, including the importance of the Primary Account Number (PAN). It then gives a brief history of card-not-present (CNP) transactions and the roles of the merchant, issuer, acquirer and the card networks.
The Threat Landscape
I focus on three specific types of attacks that online merchants face:
Data Thieves – Aim to steal card details by intercepting data in transit or accessing stored card data. For example, the 2018 British Airways hack compromised 380,000 cardholder details. I emphasized the importance of PCI-DSS compliance to protect cardholder data.
Card Testers – Use merchant systems to verify stolen card details, often through automated scripts. I discussed detection strategies like monitoring auth rates and traffic patterns, and suggested mitigation measures such as using CVV, AVS, and 3D Secure.
Fraudsters – Exploit stolen card details to purchase goods, services, or extract money directly. I stressed the necessity of a robust risk engine to detect anomalous patterns and effectively mitigate fraud.
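As an added example (not from the talk or the slides), here is one way to implement the card-tester detection strategy mentioned above: monitoring the auth rate per client IP over a sliding time window. The gateway log format, the tokenized card identifiers, the IP addresses and the thresholds are all assumptions constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed gateway log lines (not real data): timestamp,client_ip,card_token,amount,result
SAMPLE_LOG = [
    "2024-08-10T12:00:00,203.0.113.7,tok_c01,1.00,declined",
    "2024-08-10T12:00:04,203.0.113.7,tok_c02,1.00,declined",
    "2024-08-10T12:00:08,203.0.113.7,tok_c03,1.00,declined",
    "2024-08-10T12:00:12,203.0.113.7,tok_c04,1.00,approved",
    "2024-08-10T12:00:16,203.0.113.7,tok_c05,1.00,declined",
    "2024-08-10T12:00:20,203.0.113.7,tok_c06,1.00,declined",
    "2024-08-10T12:00:24,203.0.113.7,tok_c07,1.00,declined",
    "2024-08-10T12:01:10,198.51.100.4,tok_l01,49.99,approved",  # normal shopper
    "2024-08-10T12:05:30,198.51.100.4,tok_l01,19.50,approved",
    "2024-08-10T12:09:00,198.51.100.4,tok_l02,80.00,approved",
]

def parse(line):
    ts, ip, card, amount, result = line.split(",")
    return {"ts": datetime.fromisoformat(ts), "ip": ip, "card": card,
            "amount": float(amount), "result": result}

def card_testing_suspects(lines, window_s=60, min_attempts=5, max_auth_rate=0.3):
    """Return {ip: stats} for IPs that, within any window_s-second window, made at
    least min_attempts authorizations with an approval rate <= max_auth_rate."""
    window = timedelta(seconds=window_s)
    by_ip = defaultdict(list)
    for rec in sorted(map(parse, lines), key=lambda r: r["ts"]):
        by_ip[rec["ip"]].append(rec)
    suspects = {}
    for ip, recs in by_ip.items():
        start = 0
        for end, rec in enumerate(recs):
            while rec["ts"] - recs[start]["ts"] > window:  # slide window forward
                start += 1
            burst = recs[start:end + 1]
            if len(burst) < min_attempts:
                continue
            approved = sum(r["result"] == "approved" for r in burst)
            rate = approved / len(burst)
            if rate > max_auth_rate:
                continue
            stats = {"attempts": len(burst), "approved": approved,
                     "distinct_cards": len({r["card"] for r in burst}),
                     "auth_rate": round(rate, 2)}
            if stats["attempts"] > suspects.get(ip, {}).get("attempts", 0):
                suspects[ip] = stats  # keep the largest burst seen for this IP
    return suspects
```

The many distinct card tokens at a low, repeated amount are the traffic-pattern signal; a real deployment would key on more than the source IP, since testers rotate addresses.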
Balancing Risk
One of the key takeaways from my talk is the challenge of balancing security with customer experience. The ideal system would block 100% of fraudulent transactions while converting 100% of legitimate ones, but in reality, this balance is much more nuanced. Merchants must pull in different signals and make informed decisions based on the specific risks their business faces.
Slides / Recording
There is no recording of the talk, but I’m happy to share my slides here. If you’d like to discuss any of these topics in more detail please reach out :)
Online Payments: Attack and Defense @ 2024 DC32 Payment Village - PDF
Epilogue
Something I didn’t explore, which I started to think about after the talk, was the absurdity of how volatile a card number is, in 2024. Particularly given how commoditized the exploitation of card details has become. While there are many more secure alternatives to processing cards online now, the fact that a card number is still enough to move money is the root of a lot of the problems mentioned in my talk.