Sep 2019
16 Mon
17 Tue
18 Wed
19 Thu
20 Fri
21 Sat 08:55 AM – 06:20 PM IST
22 Sun
Submitted Jul 4, 2019
The explosion of online digital e-commerce platforms has triggered a race for customer acquisition which no retailer wants to lose or be left out of. As businesses look to deliver faster, easier and better services, security has always been an important factor in the customer value-chain. E-commerce websites continue to be lucrative targets for threat actors, who seek to compromise sensitive guest information. Several high-profile data breaches of e-commerce sites in 2018 have once again forced security researchers to don their thinking hats. New threat actors and vectors are emerging, making online shopping a riskier proposition. Without sacrificing customer experience, how can businesses stay safe in a highly competitive and ever-changing environment? What can be done to safeguard customer data and promote online shopping confidence?
A “digital skimmer” is malicious JavaScript code embedded into the checkout pages of hacked websites to capture customers' payment information. The talk provides an introduction to digital skimming and its recent history, highlighting why it poses a high risk to businesses. The workflow of digital skimming operations shows how stolen data is monetized in underground markets. The talk will next explore the various threat actors involved and the attack techniques employed in this type of attack. Diving deeper into the code will provide insights into the nuts and bolts of a digital skimmer. Digital skimming is a complex threat, and understanding and dealing with it poses various challenges. Lastly, we will look at various countermeasures that can be implemented to reduce the risk of digital skimmers, which can help protect customer data and brand reputation.
Digital skimming is a threat that many CISOs admit keeps them up at night. This talk is a comprehensive analysis, drawn from a rare combination of theoretical understanding and applied practical experience of this threat. The speaker's real-life, hands-on operational experience in dealing with this threat is invaluable information. The talk is crisp, concise and purposeful - focused on providing key takeaways to the audience and equipping them with the capability to strengthen security controls within their own organization.
INTRODUCTION TO DIGITAL SKIMMING
WHAT IS A DIGITAL SKIMMING ATTACK?
MODUS OPERANDI OF THE ATTACK
THREAT ACTORS AND ATTACK VECTORS
ANATOMY OF A DIGITAL SKIMMING ATTACK
CHALLENGES IN DEALING WITH THIS ATTACK
COUNTERMEASURES AND REMEDIATION STEPS
CONCLUSION
Arjun is a Lead Information Security Analyst at Target Corporation. He is a security professional with diverse experience in architecting, designing, implementing & supporting IT Security & Vulnerability Management solutions in Enterprise & Cloud environments. He is an information security enthusiast with diverse experience in areas like Application Security, Security Architecture, DevSecOps, Cloud Security & Machine Learning. Currently, Arjun is working as a Security Analyst ensuring end-to-end implementation, design and governance of security measures for Target’s Digital & Marketing e-commerce platforms, aimed at brand protection and improving guest confidence. He has been closely following the digital skimming threat and is actively involved within his organization in researching it and ensuring that defenses are in place to counter this threat.
https://www.slideshare.net/ArjunBM3/root-conf-digitalskimmingv4arjunbm
Anwesha Sarkar
@anweshaalt
MageCart Attack
MageCart Attack: this data harvesting attack added a new dimension to data exfiltration. The impact of the attack was enormous. The attackers managed to steal millions of customers’ credit card information. Among many other companies, British Airways, newegg.com and Ticketmaster are the primary ones to lose the data. More than the massive scale of the data being lost, what is interesting is the period for which the attack took place. For British Airways the attack took place for half a month to steal 500K data. For newegg.com the period was 1 month and the data stolen was 45K. The most prolonged period was 8 months; during that period, 40K data was stolen from Ticketmaster.
MageCart: How were a group of cybercriminals able to make e-commerce giants fall on their knees? Read about it here: https://www.riskiq.com/blog/external-threat-management/inside-magecart/
To know more about this join Arjun on his talk on Digital Skimming, at Rootconf Pune 2019.
Anwesha Sarkar
@anweshaalt
Data exfiltration and digital skimming are two topics that go hand in hand. Let us have a look at this talk https://www.youtube.com/watch?v=s6dmPYRxd1U by Lavakumar, delivered at Rootconf 2019, to have an overview of the topic.
To further the discussion on digital skimming, join Arjun on his talk on Digital Skimming at Rootconf Pune 2019.
Anwesha Sarkar
@anweshaalt
The feedback from today's rehearsal:
Submit the revised slides by this Friday.
Regards
Anwesha
Arjun BM
@arjunbm Submitter
Updated deck: https://www.slideshare.net/ArjunBM3/root-conf-digitalskimmingv4arjunbm
Anwesha Das
@anweshasrkr
Thank you, Arjun. We will get back to you with the feedback.
Regards
Anwesha
Anwesha Sarkar
@anweshaalt
Hello Arjun,
This is the feedback from today's rehearsal:
Avoid having the agenda slide, it will save some time.
Need more energy in the talk.
Include an ending slide, having your contact details.
Include why the JS libraries are malicious?
Explain the threat policy?
Include the Vial integrity monitoring
Divide the slides into different parts.
Need to go deep in explaining the code.
Need the information attack vector
Start the talk with a story and then progress with the problem.
Include demo
Explanation of what is there in the slides will be nice.
Dark web aspect is unclear, confusing.
How exactly does the attack happen? Include more visualization / slides.
Source of reference for the stats.
Case studies to be explained a little further.
GoT analogy needs to be mentioned with more context
File integrity monitoring
Code visibility was not there.
Refer to Lava's talk.
Explain the Game of Thrones analogy
Submit your revised slides by 30th August (latest).
Cheers
Anwesha
Arjun BM
@arjunbm Submitter
Updated slides: https://www.slideshare.net/ArjunBM3/root-conf-digitalskimmingv3
Anwesha Sarkar
@anweshaalt
Hi Arjun,
The feedback regarding your slides is as follows:
regards,
Anwesha
Arjun BM
@arjunbm Submitter
Thank you for the feedback. I have updated the slides.
https://www.slideshare.net/ArjunBM3/root-conf-digitalskimmingv2arjunbm
Zainab Bawa
@zainabbawa Editor & Promoter
Thanks for this proposal, Arjun. We are confirming your talk for Rootconf Pune. The next steps from here are mainly with respect to improving the slides, with the following pointers:
Submit revised slides by 31 July so that we can conduct a pre-event rehearsal.
Arjun BM
@arjunbm Submitter
Hi Zainab, Thank you for the feedback.
I have updated the slides. Kindly review.
https://www.slideshare.net/ArjunBM3/root-conf-digital-skimming