Information Security
kirbak, 2013-09-24 12:09:17

Protection of payments through the Privat24 API

We have been thinking for a long time about the question of how to organize protection when sending payments through the Privat24 API (PrivatBank Ukraine). The bank itself provides protection only in the form of an ID/password/IP limit.

Accordingly, if the site is hacked, all this data will easily leak to an attacker, who will then make the request to send funds himself, only to his own card.

Link to the API: api.privatbank.ua/article/5/


3 answer(s)
Maxim Dyachenko, 2013-09-24
@Mendel

In a similar situation, we couldn't think of anything better than moving the interaction with such an API to a separate domain on a separate VDS; requests to it from the site went through almost the same API, only slightly modified.
It is harder to break into a remote secured server because there are fewer points of contact: it only accepts requests from our site, etc. Of course, having obtained the credentials stored on the site and being able to change the site itself, you can send your own requests, but not every hack lets you change the code; in addition, several heuristics for suspicious requests were added on the secured side: number of requests per period, volumes, etc. Some requests were delayed, some were executed but with an SMS sent to the administrator...
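
One way to implement the heuristics on the secured side that Maxim describes (source check, requests per period, volumes, delay versus notify), as an added example in Python that is not code from this thread. The `PaymentGuard`/`PaymentRequest` types, the thresholds and the decision names are hypothetical; the caller is expected to act on the decision (forward the request to the bank, hold it, or send the SMS).

```python
from collections import deque
from dataclasses import dataclass, field


@dataclass
class PaymentRequest:
    source_ip: str   # where the request came from (should be the site only)
    card: str        # destination card (constructed sample values in tests)
    amount: float
    ts: float        # unix timestamp of the request


@dataclass
class PaymentGuard:
    """Policy layer in front of the bank API on the isolated host.

    All thresholds below are hypothetical defaults, not values from the post.
    """
    allowed_sources: frozenset
    max_per_window: int = 10            # requests allowed per window
    window_seconds: int = 600           # sliding window length
    max_volume_per_window: float = 50_000.0
    alert_above: float = 10_000.0       # single amount that triggers an SMS
    history: deque = field(default_factory=deque)

    def _prune(self, now: float) -> None:
        # Drop requests that fell out of the sliding window.
        while self.history and now - self.history[0].ts > self.window_seconds:
            self.history.popleft()

    def evaluate(self, req: PaymentRequest) -> str:
        """Return 'reject', 'delay', 'alert' or 'allow' for one request."""
        if req.source_ip not in self.allowed_sources:
            return "reject"          # only the site itself may talk to this host
        self._prune(req.ts)
        count = len(self.history) + 1
        volume = sum(r.amount for r in self.history) + req.amount
        self.history.append(req)     # accepted requests count towards the window
        if count > self.max_per_window or volume > self.max_volume_per_window:
            return "delay"           # hold for manual confirmation
        if req.amount > self.alert_above:
            return "alert"           # execute, but notify the administrator
        return "allow"
```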

Sergey Cherepanov, 2013-09-24
@fear86

So any operation is via SMS, isn't it?

codecity, 2013-09-24
@codecity

And what can the bank improve from your point of view? Set limits? Or use a digital signature instead of a password (if so, why is it better)?
