Processing payments for the paranoid - Andy McKay

Tags: django, djangocon

Everyone should be paranoid when processing payments. The client, the programmer, everyone.

Andy works on Firefox OS and more specifically on the marketplace (“don’t call it an app store”). The marketplace is powered by Django. And of course it accepts payments. And of course it is open source (even the presentation is on github).

Btw, they have a bug bounty in place. If you find a real bug, mail them and they’ll pay you a bounty!

The Firefox add-on website already allows donations for Firefox add-ons, handled through PayPal: 500 to 2000 dollars per day. But the marketplace will process much larger amounts of money, so they needed to increase their paranoia level.

For online payments, you need tokens and credentials. And they need to be stored somewhere. And suddenly you’re a big fat juicy target just waiting to be hacked.

  • XSS (cross site scripting) is an oft-occurring problem. Django has built-in protection for the common cases. There’s also a content security policy that limits it further.

    They also started navigator.mozpay.

  • Phishing and in-person tricks, for instance to get your hands on a database for test usage. You do need something for debugging, so they now create an automatically anonymized debug database.

  • SQL injection and the like. They now have a REST API (solitude) for payments. This isolation helps prevent injections. Inside the database, lots is encrypted. And several items are stored outside of the databases. At the moment, the transaction data is separated from the payments data, which is separated from the payment provider credentials.

    This is defence in depth: hedging against your own stupidity, basically.

    Access happens through requests and OAuth1. Andy uses curling and slumber.

    OWASP maintains a list of common problem points. After reading through it they started django-paranoia, which for instance provides paranoid forms: if you submit more key/values than expected, it will be logged. There is also something that watches whether your user agent changes during a session… IP changes are also logged, but normally they’ll be valid. But if the first IP is in Poland and 5 minutes later it is in China…
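    As an added illustration of the three checks described above (undeclared form fields, a user agent that changes mid-session, and an IP jump between countries within minutes), here is a small framework-free Python sketch. It is not django-paranoia’s own code: the function and class names, the 300 second “impossible travel” threshold and the IP-to-country table are constructed for the example, and a real deployment would replace the table with a GeoIP lookup.

```python
import logging
import time
from dataclasses import dataclass, field

log = logging.getLogger("paranoia")

# Constructed IP-to-country table standing in for a real GeoIP database.
# The addresses come from the documentation ranges, so they match nothing real.
COUNTRY_OF = {
    "198.51.100.7": "PL",
    "198.51.100.8": "PL",
    "203.0.113.9": "CN",
}

# Assumption for the example: two countries within five minutes is not a valid move.
IMPOSSIBLE_TRAVEL_SECONDS = 300


def unexpected_fields(expected_fields, submitted):
    """Return the submitted keys that the form never declared, and log them.

    A browser driven by the real form only sends the declared fields, so any
    extra key is either a bug or someone poking at the endpoint by hand.
    """
    extra = sorted(set(submitted) - set(expected_fields))
    if extra:
        log.warning("form received undeclared fields: %s", extra)
    return extra


@dataclass
class SessionWatch:
    """What we remember about one session: client user agent, IP, last request time."""

    user_agent: str
    ip: str
    last_seen: float
    anomalies: list = field(default_factory=list)

    def check(self, user_agent, ip, now=None):
        """Compare a new request with the session record; return the anomaly names found."""
        now = time.time() if now is None else now
        found = []
        if user_agent != self.user_agent:
            # A user agent should not change in the middle of a session.
            found.append("user_agent_changed")
            log.warning("user agent changed: %r -> %r", self.user_agent, user_agent)
        if ip != self.ip:
            # IP changes are usually legitimate (mobile networks, VPNs), so log at info...
            found.append("ip_changed")
            log.info("ip changed: %s -> %s", self.ip, ip)
            old_country = COUNTRY_OF.get(self.ip)
            new_country = COUNTRY_OF.get(ip)
            # ...unless the country changed faster than anyone could travel.
            if (old_country and new_country and old_country != new_country
                    and now - self.last_seen < IMPOSSIBLE_TRAVEL_SECONDS):
                found.append("impossible_travel")
                log.warning("country jumped %s -> %s in %.0fs",
                            old_country, new_country, now - self.last_seen)
        # Update the record so the next request is compared with this one.
        self.user_agent, self.ip, self.last_seen = user_agent, ip, now
        self.anomalies.extend(found)
        return found


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    # Constructed sample input: a payment form that only declares two fields.
    print(unexpected_fields(["amount", "currency"],
                            {"amount": "5", "currency": "USD", "is_staff": "1"}))
    watch = SessionWatch("Firefox", "198.51.100.7", last_seen=1000.0)
    print(watch.check("Firefox", "198.51.100.8", now=1020.0))   # same country: only ip_changed
    print(watch.check("Firefox", "203.0.113.9", now=1200.0))    # Poland to China in 3 minutes
    print(watch.check("curl/7.0", "203.0.113.9", now=1300.0))   # user agent swapped mid-session
```

    The checks only log and return anomaly names; what to do with them (block, step up authentication, or just keep the log line for forensics) is a policy decision that belongs to the application, which is also how the talk describes django-paranoia’s behaviour.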

About the phone: version 1 isn’t done yet, but very very nearly. Which means they’ll soon start to have scaling problems that need solving :-)

Reinout van Rees