Protection of payments through the Privat24 API
We have been thinking for a long time about how to organize protection when sending payments through the Privat24 API (PrivatBank, Ukraine). The bank itself provides protection only in the form of an ID/password/IP restriction.
Accordingly, if the site is hacked, all this data will easily leak to an attacker, who will then make the request to send funds himself, only to his own card.
Link to api: api.privatbank.ua/article/5/
In a similar situation we couldn't think of anything better than moving the interaction with such an API to a separate domain on a separate VDS; requests to it from the site went through almost the same API, only slightly adjusted.
It is harder to break into a remote hardened server because there are fewer points of contact: it only accepts requests from our site, and so on. Of course, with the credentials obtained from the site and the ability to modify the site itself, one can send one's own requests, but not every compromise lets you change the code. In addition, several heuristics were added on the hardened side for suspicious requests: the number of requests per period, volumes, etc. Some requests were delayed, some were executed but with an SMS sent to the administrator...
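The answer above describes the architecture only in prose. The following is an added example, not the answerer's code and not anything from the Privat24 API: it sketches the policy engine such a forwarding proxy would run before touching the bank, with the source allowlist, the per-period count and volume limits, and the three outcomes the answer mentions (forward, forward but SMS the administrator, hold for review). The thresholds, the decision labels, the masked card numbers and the whole sample traffic are constructed, and the "never-seen destination card" rule goes beyond the heuristics the answer lists; it is included because the question's threat is exactly a payment diverted to the attacker's card. Python is an assumption, since the answer does not say what the proxy was written in; the bank call itself is left out.

```python
from collections import deque
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    FORWARD = "forward"                  # pass the request on to the bank API
    FORWARD_AND_ALERT = "forward+alert"  # pass it on, but SMS the administrator
    DELAY = "delay"                      # hold it until an operator confirms
    REJECT = "reject"                    # drop it without contacting the bank


@dataclass
class Payment:
    amount: float      # in the account currency
    dest_card: str     # destination card (masked form is enough for the policy)
    source_ip: str     # address the proxy received the request from
    ts: float          # unix time the proxy received it


@dataclass
class PaymentPolicy:
    # All thresholds are hypothetical; tune them to the site's real payment profile.
    allowed_sources: set              # only the site's own servers may submit
    max_single: float                 # a single payment above this is held
    alert_single: float               # above this: forward, but alert
    max_count_per_window: int         # payments per window before holding
    max_volume_per_window: float      # total amount per window before holding
    window_seconds: float = 3600.0
    known_cards: set = field(default_factory=set)   # cards paid to before
    history: deque = field(default_factory=deque)   # payments forwarded in window

    def _prune(self, now: float) -> None:
        # Drop forwarded payments that have aged out of the sliding window.
        while self.history and now - self.history[0].ts > self.window_seconds:
            self.history.popleft()

    def evaluate(self, p: Payment) -> Decision:
        # 1. Network allowlist: anything not from the site is dropped outright.
        if p.source_ip not in self.allowed_sources:
            return Decision.REJECT
        self._prune(p.ts)
        count = len(self.history) + 1
        volume = sum(h.amount for h in self.history) + p.amount
        # 2. Hard limits: too many payments, too much money in the window, or one
        #    oversized payment -> hold for an operator. Nothing is sent, so the
        #    attempt does not consume the window's budget.
        if (count > self.max_count_per_window
                or volume > self.max_volume_per_window
                or p.amount > self.max_single):
            return Decision.DELAY
        # 3. Soft signals: large amount or a destination card never paid before
        #    -> still forward, but make sure a human hears about it.
        if p.amount > self.alert_single or p.dest_card not in self.known_cards:
            decision = Decision.FORWARD_AND_ALERT
        else:
            decision = Decision.FORWARD
        self.history.append(p)
        self.known_cards.add(p.dest_card)
        return decision


def demo() -> list:
    """Constructed sample traffic: the site's normal flow, then the shapes a
    compromised site or a stolen proxy endpoint would produce."""
    policy = PaymentPolicy(allowed_sources={"10.0.0.5"}, max_single=5000,
                           alert_single=1000, max_count_per_window=3,
                           max_volume_per_window=6000,
                           known_cards={"5168****0001"})
    site = "10.0.0.5"
    traffic = [
        Payment(100,  "5168****0001", site, 0),            # routine payout
        Payment(2000, "5168****0001", site, 10),           # large: forward + SMS
        Payment(50,   "4149****9999", site, 20),           # unseen card: forward + SMS
        Payment(50,   "4149****9999", site, 30),           # 4th this hour: held
        Payment(50,   "5168****0001", "203.0.113.7", 40),  # not the site: dropped
        Payment(50,   "5168****0001", site, 4000),         # window rolled over
        Payment(4500, "5168****0001", site, 4010),         # big, but under the cap
        Payment(2000, "5168****0001", site, 4020),         # pushes hourly volume over cap
    ]
    return [policy.evaluate(p).value for p in traffic]


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The point of the split is that the bank credentials live only on the proxy, so the site alone cannot reach the bank; the policy then makes the remaining attack (driving the proxy through the site) slow and noisy rather than silent. In a real deployment the allowlist check belongs in the firewall or mTLS layer as well as in code, and the held payments need an out-of-band confirmation path that does not go through the possibly compromised site.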