Abstract

Hosted payment gateways may offer an instant PCI compliance option for enterprises of any size. These solutions usually concede flow control between the merchant website and the payment gateway to the end user's browser. This is a flawed design and leaves the merchant account highly exposed. In addition to traditional price manipulation and replay attacks, it can allow an attacker to hijack the merchant's API access. Once the account has been hijacked, the attacker can bypass payment, forge payment-received notifications, or even issue refunds. In this presentation, I will demonstrate how using GPU clusters and cloud computing can allow an attacker to hijack merchant accounts in a short timeframe.