Payment Applications Handle Lots of Money. No, Really - Lots of It.
44CON Information Security Conference via YouTube
Overview
Explore the intricate world of payment applications and their security challenges in this 56-minute conference talk from the 44CON Information Security Conference. Delve into the staggering amounts of money funneled through payment gateways by banks and large companies, and uncover the often flawed security measures in place. Examine the disconnect between business process understanding and technical risk awareness, as well as the common pitfalls in vendor recommendations and defense strategies. Discover the alarming prevalence of crypto-related mistakes, including shared private keys and broken algorithms, that lead to false security assurances. Learn about the complex workflow of payment applications, from file creation to processing, and understand the potential attack surfaces throughout the process. Gain insights into how employees in certain roles could potentially exploit these systems for large-scale theft. Finally, explore a real-world example of implementing proper cryptographic solutions using HSM-based infrastructure to mitigate risks, along with practical advice on avoiding common design pitfalls when integrating such solutions into existing applications.
Syllabus
Payment applications handle lots of money. No, really: lots of it. - By M Swift & A Revelli
Taught by
44CON Information Security Conference