SlideShare a Scribd company logo

Creating an In-Aisle Purchasing System from Scratch

Download as PPTX, PDF
Jonathan LeBlanc
Jonathan LeBlanc

The future of retail is in removing the divide between the offline shopping state and the enhanced online buying experience. To create this type of enhanced retail experience, we can remove complexities in the process, such as simplifying checkout. In this session we’ll learn how to use internet-connected microelectronics to attach to a buyer’s mobile device to provide the functionality to buy products right from the aisle.

Technology
1 of 33
Creating an In-Aisle Purchasing System from Scratch Jonathan LeBlanc Twitter: @jcleblanc
• Apple / Android pay type integrations • Secure hardware prototype integrations with microelectronics • Non-register integrations
• Generating, handling, and securing tokens • Building an unbound physical payment architecture • Creating secure payment transmission through potentially poorly secured hardware
A Bit on Tokens
Tokenization Luhn Algorithm
Token Durability Types • Durable: Long lived (~ 48 months), allows customer tracking, merchant preferred. • Transaction: One time use, more secure, ideal for small businesses not tracking customers.
Process Create a surrogate value for customer credit card data Attributes • 13 – 19 digits in length • Passes Luhn check validation For our use case
Starting Value 4539248095434517 Reverse Digits 7154345908429354 Multiply even digits by 2 7+(2)+5+(8)+3+(8)+5+(18)+0+(16)+4+(4)+9+(6)+5+(8) Subtract 9 from numbers above 9 7+(2)+5+(8)+3+(8)+5+(9)+0+(7)+4+(4)+9+(6)+5+(8) Sum all digits 90 Mod 10 verify 0 (remainder) The Luhn Algorithm
Apple / Android pay tokenization system EMV payment tokenisation specification
Merchant register is changed to hardware transfer bridge Network handles direct merchant requests. Vault stores surrogate to token lookup.
Customer to Device Interaction
Secure Element Host-based Card Emulation
Arduino with NFC or BLE Shield
Beacon BLE Hardware
How do you protect privileged information during data transmission?
Asynchronous Cryptography: Securing Data Through Transmission
Device Fingerprinting
Getting Paired Devices
{ requsterid: ‘1234’, usertoken: ‘443478943234’, device: { ... }, payment: { price: ’20.22’, currency: ‘CAD’, quantity: ‘2’ } } Example Payload for Risk Assurance Data
The API Network
/device issue / delete a requester ID for a verified hardware device or terminal. /pay issue / update / cancel a verified payment from a customer. /key issue / update / delete a new encryption key set for a customer device (phone). API Endpoints Needed
When generating new user tokens, how can we reduce the possibility of token collision?
Example Packages (Node) • node-uuid • hat Reducing Collision Risk • hat.rack() function • Additional params to node-uuid or hat to further randomize the generated token Using Respected Modules
The Token Vault
Token Vault Security • Strong physical and logical security measures per industry standards (PCI DSS, OWASP, etc). • Secured internal network • Strong cryptography and security protocols • Restrict user access and roles to system • System is protected from vulnerabilities • ... • Transactions are restricted to domains that are registered to valid token requesters.
Credit Card Vaulting Credit Card Information Address Information Card Holder Name ... 7e29c5c48f44755598dec3549155ad6 6f1af4671091353be4c4d7694d71dc8 66 https://developer.paypal.com/docs/api/vault/
CAP Theorem • Consistency: Data to and from different nodes in the distributed system should always be identical. • Availability: The vault is always available to service requests. • Partition Tolerance: The distributed system can continue to work even in the event of underlying data communications network failure, or hardware failure in a node.
If consistency is dropped, how do we ensure that the payment token retrieved is the correct and newest one?
Multiple Record Storage Surrogate Token Payment Token Delete 5256771698017130 d66f1af4671091353be4c true 5355427967576526 d66f1af4671091353be4c false 5535770792529787 7e29c5c48f4475523ef56 false
Wrapup Links • Host Card Emulation (Android): https://developer.android.com/guide/topics/connectivity/nfc/hce.html • EMV Tokenisation specification: https://www.emvco.com/specifications.aspx?id=263 • Asynchronous cryptography example: https://github.com/iddatasecuritybook/chapter7/tree/master/asymmetric-crypto • Android Build info: http://developer.android.com/reference/android/os/Build.html
Thank you! Slides: slideshare.net/jcleblanc Jonathan LeBlanc Twitter: @jcleblanc

Recommended

Tokenization Webinar featuring Securosis - Intel
Tokenization Webinar featuring Securosis - IntelTokenization Webinar featuring Securosis - Intel
Tokenization Webinar featuring Securosis - IntelIntel - API Security & Tokenization
 
Brains and chains
Brains and chainsBrains and chains
Brains and chains
Felicity Mecha
 
Encryption and Tokenization: Friend or Foe?
Encryption and Tokenization: Friend or Foe?Encryption and Tokenization: Friend or Foe?
Encryption and Tokenization: Friend or Foe?
Zach Gardner
 
Iot fit for purpose v0 2
Iot fit for purpose v0 2Iot fit for purpose v0 2
Iot fit for purpose v0 2
Conclusion Connect enabling industry 4.0 with IoT
 
IoT Fit for purpose - how to be successful in IOT Conclusion Connect
IoT Fit for purpose - how to be successful in IOT Conclusion Connect IoT Fit for purpose - how to be successful in IOT Conclusion Connect
IoT Fit for purpose - how to be successful in IOT Conclusion Connect
Getting value from IoT, Integration and Data Analytics
 
Edcon - Hardware wallets and smart contracts
Edcon - Hardware wallets and smart contractsEdcon - Hardware wallets and smart contracts
Edcon - Hardware wallets and smart contracts
Eric Larcheveque
 
Introduction to Tokenization
Introduction to TokenizationIntroduction to Tokenization
Introduction to Tokenization
Nabeel Yoosuf
 
identity based encryption transformation for flexible sharing of encrypted da...
identity based encryption transformation for flexible sharing of encrypted da...identity based encryption transformation for flexible sharing of encrypted da...
identity based encryption transformation for flexible sharing of encrypted da...
Venkat Projects
 

Recommended

Tokenization Webinar featuring Securosis - Intel
Tokenization Webinar featuring Securosis - IntelTokenization Webinar featuring Securosis - Intel
Tokenization Webinar featuring Securosis - IntelIntel - API Security & Tokenization
 
Brains and chains
Brains and chainsBrains and chains
Brains and chains
Felicity Mecha
 
Encryption and Tokenization: Friend or Foe?
Encryption and Tokenization: Friend or Foe?Encryption and Tokenization: Friend or Foe?
Encryption and Tokenization: Friend or Foe?
Zach Gardner
 
Iot fit for purpose v0 2
Iot fit for purpose v0 2Iot fit for purpose v0 2
Iot fit for purpose v0 2
Conclusion Connect enabling industry 4.0 with IoT
 
IoT Fit for purpose - how to be successful in IOT Conclusion Connect
IoT Fit for purpose - how to be successful in IOT Conclusion Connect IoT Fit for purpose - how to be successful in IOT Conclusion Connect
IoT Fit for purpose - how to be successful in IOT Conclusion Connect
Getting value from IoT, Integration and Data Analytics
 
Edcon - Hardware wallets and smart contracts
Edcon - Hardware wallets and smart contractsEdcon - Hardware wallets and smart contracts
Edcon - Hardware wallets and smart contracts
Eric Larcheveque
 
Introduction to Tokenization
Introduction to TokenizationIntroduction to Tokenization
Introduction to Tokenization
Nabeel Yoosuf
 
identity based encryption transformation for flexible sharing of encrypted da...
identity based encryption transformation for flexible sharing of encrypted da...identity based encryption transformation for flexible sharing of encrypted da...
identity based encryption transformation for flexible sharing of encrypted da...
Venkat Projects
 
DeviceHive overview, Tatyana Matvienko
DeviceHive overview, Tatyana MatvienkoDeviceHive overview, Tatyana Matvienko
DeviceHive overview, Tatyana Matvienko
DataArt
 
Confidential Computing - Analysing Data Without Seeing Data
Confidential Computing - Analysing Data Without Seeing DataConfidential Computing - Analysing Data Without Seeing Data
Confidential Computing - Analysing Data Without Seeing Data
Maximilian Ott
 
IRJET- Blockchain Technology in Cloud Computing : A Systematic Review
IRJET- Blockchain Technology in Cloud Computing : A Systematic ReviewIRJET- Blockchain Technology in Cloud Computing : A Systematic Review
IRJET- Blockchain Technology in Cloud Computing : A Systematic Review
IRJET Journal
 
Raabit and bacteria
Raabit and bacteriaRaabit and bacteria
Raabit and bacteria
sabin kafle
 
GreenButton Technical Overview (July 2014)
GreenButton Technical Overview (July 2014)GreenButton Technical Overview (July 2014)
GreenButton Technical Overview (July 2014)
John Teeter
 
What is an IoT Agent
What is an IoT AgentWhat is an IoT Agent
What is an IoT Agent
Fernando Lopez Aguilar
 
Novelti Intro at Machine Learning Spain Meetup
Novelti Intro at Machine Learning Spain MeetupNovelti Intro at Machine Learning Spain Meetup
Novelti Intro at Machine Learning Spain Meetup
Novelti
 
Blockchain & microsoft
Blockchain & microsoftBlockchain & microsoft
Blockchain & microsoft
İbrahim KIVANÇ
 
RSA SecurID Access
RSA SecurID AccessRSA SecurID Access
RSA SecurID Access
MarketingArrowECS_CZ
 
Demystifying Apple 'Pie' & TouchID
Demystifying Apple 'Pie' & TouchIDDemystifying Apple 'Pie' & TouchID
Demystifying Apple 'Pie' & TouchID
Sebastián Guerrero Selma
 
1 importance of light weight authentication in iot
1 importance of light weight authentication in iot1 importance of light weight authentication in iot
1 importance of light weight authentication in iot
Chintan Patel
 
Practical advice for cloud data protection ulf mattsson - jun 2014
Practical advice for cloud data protection ulf mattsson - jun 2014Practical advice for cloud data protection ulf mattsson - jun 2014
Practical advice for cloud data protection ulf mattsson - jun 2014Ulf Mattsson
 
Distributed Intelligence
Distributed IntelligenceDistributed Intelligence
Distributed Intelligence
Nuri Cankaya
 
PKI.pptx
PKI.pptxPKI.pptx
PKI.pptx
alirezafiroozian
 
Internet banking safeguards vulnerabilities - OWASP AppSec EU 2016
Internet banking safeguards vulnerabilities - OWASP AppSec EU 2016Internet banking safeguards vulnerabilities - OWASP AppSec EU 2016
Internet banking safeguards vulnerabilities - OWASP AppSec EU 2016
SecuRing
 
Bigdata based fraud detection
Bigdata based fraud detectionBigdata based fraud detection
Bigdata based fraud detection
Mk Kim
 
Blockchain e mercato
Blockchain e mercatoBlockchain e mercato
Blockchain e mercato
CDagata
 
Blockchain general presentation nov 2017 v eng
Blockchain general presentation nov 2017 v engBlockchain general presentation nov 2017 v eng
Blockchain general presentation nov 2017 v eng
David Vangulick
 
Blockchain for Business
Blockchain for BusinessBlockchain for Business
Blockchain for Business
Ahmad Gohar
 
Cryptographic Agility in Corda
Cryptographic Agility in CordaCryptographic Agility in Corda
Cryptographic Agility in Corda
Guy Hochstetler
 
MTLS in a Microservices World
MTLS in a Microservices WorldMTLS in a Microservices World
MTLS in a Microservices World
Diogo Mónica
 
New Business Models enabled by Blockchain
New Business Models enabled by BlockchainNew Business Models enabled by Blockchain
New Business Models enabled by Blockchain
Slash
 

More Related Content

What's hot

DeviceHive overview, Tatyana Matvienko
DeviceHive overview, Tatyana MatvienkoDeviceHive overview, Tatyana Matvienko
DeviceHive overview, Tatyana Matvienko
DataArt
 
Confidential Computing - Analysing Data Without Seeing Data
Confidential Computing - Analysing Data Without Seeing DataConfidential Computing - Analysing Data Without Seeing Data
Confidential Computing - Analysing Data Without Seeing Data
Maximilian Ott
 
IRJET- Blockchain Technology in Cloud Computing : A Systematic Review
IRJET- Blockchain Technology in Cloud Computing : A Systematic ReviewIRJET- Blockchain Technology in Cloud Computing : A Systematic Review
IRJET- Blockchain Technology in Cloud Computing : A Systematic Review
IRJET Journal
 
Raabit and bacteria
Raabit and bacteriaRaabit and bacteria
Raabit and bacteria
sabin kafle
 
GreenButton Technical Overview (July 2014)
GreenButton Technical Overview (July 2014)GreenButton Technical Overview (July 2014)
GreenButton Technical Overview (July 2014)
John Teeter
 
What is an IoT Agent
What is an IoT AgentWhat is an IoT Agent
What is an IoT Agent
Fernando Lopez Aguilar
 
Novelti Intro at Machine Learning Spain Meetup
Novelti Intro at Machine Learning Spain MeetupNovelti Intro at Machine Learning Spain Meetup
Novelti Intro at Machine Learning Spain Meetup
Novelti
 

What's hot (7)

DeviceHive overview, Tatyana Matvienko
DeviceHive overview, Tatyana MatvienkoDeviceHive overview, Tatyana Matvienko
DeviceHive overview, Tatyana Matvienko
 
Confidential Computing - Analysing Data Without Seeing Data
Confidential Computing - Analysing Data Without Seeing DataConfidential Computing - Analysing Data Without Seeing Data
Confidential Computing - Analysing Data Without Seeing Data
 
IRJET- Blockchain Technology in Cloud Computing : A Systematic Review
IRJET- Blockchain Technology in Cloud Computing : A Systematic ReviewIRJET- Blockchain Technology in Cloud Computing : A Systematic Review
IRJET- Blockchain Technology in Cloud Computing : A Systematic Review
 
Raabit and bacteria
Raabit and bacteriaRaabit and bacteria
Raabit and bacteria
 
GreenButton Technical Overview (July 2014)
GreenButton Technical Overview (July 2014)GreenButton Technical Overview (July 2014)
GreenButton Technical Overview (July 2014)
 
What is an IoT Agent
What is an IoT AgentWhat is an IoT Agent
What is an IoT Agent
 
Novelti Intro at Machine Learning Spain Meetup
Novelti Intro at Machine Learning Spain MeetupNovelti Intro at Machine Learning Spain Meetup
Novelti Intro at Machine Learning Spain Meetup
 

Similar to Creating an In-Aisle Purchasing System from Scratch

Blockchain & microsoft
Blockchain & microsoftBlockchain & microsoft
Blockchain & microsoft
İbrahim KIVANÇ
 
RSA SecurID Access
RSA SecurID AccessRSA SecurID Access
RSA SecurID Access
MarketingArrowECS_CZ
 
Demystifying Apple 'Pie' & TouchID
Demystifying Apple 'Pie' & TouchIDDemystifying Apple 'Pie' & TouchID
Demystifying Apple 'Pie' & TouchID
Sebastián Guerrero Selma
 
1 importance of light weight authentication in iot
1 importance of light weight authentication in iot1 importance of light weight authentication in iot
1 importance of light weight authentication in iot
Chintan Patel
 
Practical advice for cloud data protection ulf mattsson - jun 2014
Practical advice for cloud data protection ulf mattsson - jun 2014Practical advice for cloud data protection ulf mattsson - jun 2014
Practical advice for cloud data protection ulf mattsson - jun 2014Ulf Mattsson
 
Distributed Intelligence
Distributed IntelligenceDistributed Intelligence
Distributed Intelligence
Nuri Cankaya
 
Internet banking safeguards vulnerabilities - OWASP AppSec EU 2016
Internet banking safeguards vulnerabilities - OWASP AppSec EU 2016Internet banking safeguards vulnerabilities - OWASP AppSec EU 2016
Internet banking safeguards vulnerabilities - OWASP AppSec EU 2016
SecuRing
 
Bigdata based fraud detection
Bigdata based fraud detectionBigdata based fraud detection
Bigdata based fraud detection
Mk Kim
 
Blockchain e mercato
Blockchain e mercatoBlockchain e mercato
Blockchain e mercato
CDagata
 
Blockchain general presentation nov 2017 v eng
Blockchain general presentation nov 2017 v engBlockchain general presentation nov 2017 v eng
Blockchain general presentation nov 2017 v eng
David Vangulick
 
Blockchain for Business
Blockchain for BusinessBlockchain for Business
Blockchain for Business
Ahmad Gohar
 
Cryptographic Agility in Corda
Cryptographic Agility in CordaCryptographic Agility in Corda
Cryptographic Agility in Corda
Guy Hochstetler
 
MTLS in a Microservices World
MTLS in a Microservices WorldMTLS in a Microservices World
MTLS in a Microservices World
Diogo Mónica
 
New Business Models enabled by Blockchain
New Business Models enabled by BlockchainNew Business Models enabled by Blockchain
New Business Models enabled by Blockchain
Slash
 
Webinar - Loyalty Reward Points Using Blockchain
Webinar - Loyalty Reward Points Using BlockchainWebinar - Loyalty Reward Points Using Blockchain
Webinar - Loyalty Reward Points Using Blockchain
JK Tech
 
chapter4.pptxwgdyjshcbnbhvegwydvquhcjdvqigufwk
chapter4.pptxwgdyjshcbnbhvegwydvquhcjdvqigufwkchapter4.pptxwgdyjshcbnbhvegwydvquhcjdvqigufwk
chapter4.pptxwgdyjshcbnbhvegwydvquhcjdvqigufwk
NiveditaSingh839848
 
Crypto box - crypto casino
Crypto box - crypto casinoCrypto box - crypto casino
Crypto box - crypto casino
MaksymVasylchykov
 
Security and Authentication at a Low Cost
Security and Authentication at a Low CostSecurity and Authentication at a Low Cost
Security and Authentication at a Low Cost
Donald Malloy
 
6 atec ant block chain
6 atec ant block chain6 atec ant block chain
6 atec ant block chain
Chris Skinner
 

Similar to Creating an In-Aisle Purchasing System from Scratch (20)

Blockchain & microsoft
Blockchain & microsoftBlockchain & microsoft
Blockchain & microsoft
 
RSA SecurID Access
RSA SecurID AccessRSA SecurID Access
RSA SecurID Access
 
Demystifying Apple 'Pie' & TouchID
Demystifying Apple 'Pie' & TouchIDDemystifying Apple 'Pie' & TouchID
Demystifying Apple 'Pie' & TouchID
 
1 importance of light weight authentication in iot
1 importance of light weight authentication in iot1 importance of light weight authentication in iot
1 importance of light weight authentication in iot
 
Practical advice for cloud data protection ulf mattsson - jun 2014
Practical advice for cloud data protection ulf mattsson - jun 2014Practical advice for cloud data protection ulf mattsson - jun 2014
Practical advice for cloud data protection ulf mattsson - jun 2014
 
Distributed Intelligence
Distributed IntelligenceDistributed Intelligence
Distributed Intelligence
 
PKI.pptx
PKI.pptxPKI.pptx
PKI.pptx
 
Internet banking safeguards vulnerabilities - OWASP AppSec EU 2016
Internet banking safeguards vulnerabilities - OWASP AppSec EU 2016Internet banking safeguards vulnerabilities - OWASP AppSec EU 2016
Internet banking safeguards vulnerabilities - OWASP AppSec EU 2016
 
Bigdata based fraud detection
Bigdata based fraud detectionBigdata based fraud detection
Bigdata based fraud detection
 
Blockchain e mercato
Blockchain e mercatoBlockchain e mercato
Blockchain e mercato
 
Blockchain general presentation nov 2017 v eng
Blockchain general presentation nov 2017 v engBlockchain general presentation nov 2017 v eng
Blockchain general presentation nov 2017 v eng
 
Blockchain for Business
Blockchain for BusinessBlockchain for Business
Blockchain for Business
 
Cryptographic Agility in Corda
Cryptographic Agility in CordaCryptographic Agility in Corda
Cryptographic Agility in Corda
 
MTLS in a Microservices World
MTLS in a Microservices WorldMTLS in a Microservices World
MTLS in a Microservices World
 
New Business Models enabled by Blockchain
New Business Models enabled by BlockchainNew Business Models enabled by Blockchain
New Business Models enabled by Blockchain
 
Webinar - Loyalty Reward Points Using Blockchain
Webinar - Loyalty Reward Points Using BlockchainWebinar - Loyalty Reward Points Using Blockchain
Webinar - Loyalty Reward Points Using Blockchain
 
chapter4.pptxwgdyjshcbnbhvegwydvquhcjdvqigufwk
chapter4.pptxwgdyjshcbnbhvegwydvquhcjdvqigufwkchapter4.pptxwgdyjshcbnbhvegwydvquhcjdvqigufwk
chapter4.pptxwgdyjshcbnbhvegwydvquhcjdvqigufwk
 
Crypto box - crypto casino
Crypto box - crypto casinoCrypto box - crypto casino
Crypto box - crypto casino
 
Security and Authentication at a Low Cost
Security and Authentication at a Low CostSecurity and Authentication at a Low Cost
Security and Authentication at a Low Cost
 
6 atec ant block chain
6 atec ant block chain6 atec ant block chain
6 atec ant block chain
 

More from Jonathan LeBlanc

JavaScript App Security: Auth and Identity on the Client
JavaScript App Security: Auth and Identity on the ClientJavaScript App Security: Auth and Identity on the Client
JavaScript App Security: Auth and Identity on the Client
Jonathan LeBlanc
 
Improving Developer Onboarding Through Intelligent Data Insights
Improving Developer Onboarding Through Intelligent Data InsightsImproving Developer Onboarding Through Intelligent Data Insights
Improving Developer Onboarding Through Intelligent Data Insights
Jonathan LeBlanc
 
Better Data with Machine Learning and Serverless
Better Data with Machine Learning and ServerlessBetter Data with Machine Learning and Serverless
Better Data with Machine Learning and Serverless
Jonathan LeBlanc
 
Best Practices for Application Development with Box
Best Practices for Application Development with BoxBest Practices for Application Development with Box
Best Practices for Application Development with Box
Jonathan LeBlanc
 
Box Platform Overview
Box Platform OverviewBox Platform Overview
Box Platform Overview
Jonathan LeBlanc
 
Box Platform Developer Workshop
Box Platform Developer WorkshopBox Platform Developer Workshop
Box Platform Developer Workshop
Jonathan LeBlanc
 
Modern Cloud Data Security Practices
Modern Cloud Data Security PracticesModern Cloud Data Security Practices
Modern Cloud Data Security Practices
Jonathan LeBlanc
 
Box Authentication Types
Box Authentication TypesBox Authentication Types
Box Authentication Types
Jonathan LeBlanc
 
Understanding Box UI Elements
Understanding Box UI ElementsUnderstanding Box UI Elements
Understanding Box UI Elements
Jonathan LeBlanc
 
Understanding Box applications, tokens, and scoping
Understanding Box applications, tokens, and scopingUnderstanding Box applications, tokens, and scoping
Understanding Box applications, tokens, and scoping
Jonathan LeBlanc
 
The Future of Online Money: Creating Secure Payments Globally
The Future of Online Money: Creating Secure Payments GloballyThe Future of Online Money: Creating Secure Payments Globally
The Future of Online Money: Creating Secure Payments Globally
Jonathan LeBlanc
 
Modern API Security with JSON Web Tokens
Modern API Security with JSON Web TokensModern API Security with JSON Web Tokens
Modern API Security with JSON Web Tokens
Jonathan LeBlanc
 
Secure Payments Over Mixed Communication Media
Secure Payments Over Mixed Communication MediaSecure Payments Over Mixed Communication Media
Secure Payments Over Mixed Communication Media
Jonathan LeBlanc
 
Protecting the Future of Mobile Payments
Protecting the Future of Mobile PaymentsProtecting the Future of Mobile Payments
Protecting the Future of Mobile Payments
Jonathan LeBlanc
 
Node.js Authentication and Data Security
Node.js Authentication and Data SecurityNode.js Authentication and Data Security
Node.js Authentication and Data Security
Jonathan LeBlanc
 
PHP Identity and Data Security
PHP Identity and Data SecurityPHP Identity and Data Security
PHP Identity and Data Security
Jonathan LeBlanc
 
Secure Payments Over Mixed Communication Media
Secure Payments Over Mixed Communication MediaSecure Payments Over Mixed Communication Media
Secure Payments Over Mixed Communication Media
Jonathan LeBlanc
 
Protecting the Future of Mobile Payments
Protecting the Future of Mobile PaymentsProtecting the Future of Mobile Payments
Protecting the Future of Mobile Payments
Jonathan LeBlanc
 
Future of Identity, Data, and Wearable Security
Future of Identity, Data, and Wearable SecurityFuture of Identity, Data, and Wearable Security
Future of Identity, Data, and Wearable Security
Jonathan LeBlanc
 
Kill All Passwords
Kill All PasswordsKill All Passwords
Kill All Passwords
Jonathan LeBlanc
 

More from Jonathan LeBlanc (20)

JavaScript App Security: Auth and Identity on the Client
JavaScript App Security: Auth and Identity on the ClientJavaScript App Security: Auth and Identity on the Client
JavaScript App Security: Auth and Identity on the Client
 
Improving Developer Onboarding Through Intelligent Data Insights
Improving Developer Onboarding Through Intelligent Data InsightsImproving Developer Onboarding Through Intelligent Data Insights
Improving Developer Onboarding Through Intelligent Data Insights
 
Better Data with Machine Learning and Serverless
Better Data with Machine Learning and ServerlessBetter Data with Machine Learning and Serverless
Better Data with Machine Learning and Serverless
 
Best Practices for Application Development with Box
Best Practices for Application Development with BoxBest Practices for Application Development with Box
Best Practices for Application Development with Box
 
Box Platform Overview
Box Platform OverviewBox Platform Overview
Box Platform Overview
 
Box Platform Developer Workshop
Box Platform Developer WorkshopBox Platform Developer Workshop
Box Platform Developer Workshop
 
Modern Cloud Data Security Practices
Modern Cloud Data Security PracticesModern Cloud Data Security Practices
Modern Cloud Data Security Practices
 
Box Authentication Types
Box Authentication TypesBox Authentication Types
Box Authentication Types
 
Understanding Box UI Elements
Understanding Box UI ElementsUnderstanding Box UI Elements
Understanding Box UI Elements
 
Understanding Box applications, tokens, and scoping
Understanding Box applications, tokens, and scopingUnderstanding Box applications, tokens, and scoping
Understanding Box applications, tokens, and scoping
 
The Future of Online Money: Creating Secure Payments Globally
The Future of Online Money: Creating Secure Payments GloballyThe Future of Online Money: Creating Secure Payments Globally
The Future of Online Money: Creating Secure Payments Globally
 
Modern API Security with JSON Web Tokens
Modern API Security with JSON Web TokensModern API Security with JSON Web Tokens
Modern API Security with JSON Web Tokens
 
Secure Payments Over Mixed Communication Media
Secure Payments Over Mixed Communication MediaSecure Payments Over Mixed Communication Media
Secure Payments Over Mixed Communication Media
 
Protecting the Future of Mobile Payments
Protecting the Future of Mobile PaymentsProtecting the Future of Mobile Payments
Protecting the Future of Mobile Payments
 
Node.js Authentication and Data Security
Node.js Authentication and Data SecurityNode.js Authentication and Data Security
Node.js Authentication and Data Security
 
PHP Identity and Data Security
PHP Identity and Data SecurityPHP Identity and Data Security
PHP Identity and Data Security
 
Secure Payments Over Mixed Communication Media
Secure Payments Over Mixed Communication MediaSecure Payments Over Mixed Communication Media
Secure Payments Over Mixed Communication Media
 
Protecting the Future of Mobile Payments
Protecting the Future of Mobile PaymentsProtecting the Future of Mobile Payments
Protecting the Future of Mobile Payments
 
Future of Identity, Data, and Wearable Security
Future of Identity, Data, and Wearable SecurityFuture of Identity, Data, and Wearable Security
Future of Identity, Data, and Wearable Security
 
Kill All Passwords
Kill All PasswordsKill All Passwords
Kill All Passwords
 

Recently uploaded

De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
Product School
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
Product School
 
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Product School
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance
 
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
Product School
 
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Tobias Schneck
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
Jemma Hussein Allen
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
91mobiles
 
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Product School
 
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
Product School
 
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Thierry Lestable
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
Cheryl Hung
 
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Ramesh Iyer
 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Jeffrey Haguewood
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
Elena Simperl
 
Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........
Alison B. Lowndes
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
Guy Korland
 
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMsTo Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
Paul Groth
 

Recently uploaded (20)

De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
 
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
 
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
 
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
 
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
 
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
 
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
 
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
 
Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
 
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMsTo Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
 

Creating an In-Aisle Purchasing System from Scratch

  • 1. Creating an In-Aisle Purchasing System from Scratch Jonathan LeBlanc Twitter: @jcleblanc
  • 2. • Apple / Android pay type integrations • Secure hardware prototype integrations with microelectronics • Non-register integrations
  • 3. • Generating, handling, and securing tokens • Building an unbound physical payment architecture • Creating secure payment transmission through potentially poorly secured hardware
  • 4. A Bit on Tokens
  • 6. Token Durability Types • Durable: Long lived (~ 48 months), allows customer tracking, merchant preferred. • Transaction: One time use, more secure, ideal for small businesses not tracking customers.
  • 7. Process Create a surrogate value for customer credit card data Attributes • 13 – 19 digits in length • Passes Luhn check validation For our use case
  • 8. Starting Value 4539248095434517 Reverse Digits 7154345908429354 Multiply even digits by 2 7+(2)+5+(8)+3+(8)+5+(18)+0+(16)+4+(4)+9+(6)+5+(8) Subtract 9 from numbers above 9 7+(2)+5+(8)+3+(8)+5+(9)+0+(7)+4+(4)+9+(6)+5+(8) Sum all digits 90 Mod 10 verify 0 (remainder) The Luhn Algorithm
  • 9. Apple / Android pay tokenization system EMV payment tokenisation specification
  • 10.
  • 11. Merchant register is changed to hardware transfer bridge Network handles direct merchant requests. Vault stores surrogate to token lookup.
  • 12. Customer to Device Interaction
  • 14. Arduino with NFC or BLE Shield
  • 16. How do you protect privileged information during data transmission?
  • 17. Asynchronous Cryptography: Securing Data Through Transmission
  • 18.
  • 21. { requsterid: ‘1234’, usertoken: ‘443478943234’, device: { ... }, payment: { price: ’20.22’, currency: ‘CAD’, quantity: ‘2’ } } Example Payload for Risk Assurance Data
  • 23. /device issue / delete a requester ID for a verified hardware device or terminal. /pay issue / update / cancel a verified payment from a customer. /key issue / update / delete a new encryption key set for a customer device (phone). API Endpoints Needed
  • 24. When generating new user tokens, how can we reduce the possibility of token collision?
  • 25. Example Packages (Node) • node-uuid • hat Reducing Collision Risk • hat.rack() function • Additional params to node-uuid or hat to further randomize the generated token Using Respected Modules
  • 27. Token Vault Security • Strong physical and logical security measures per industry standards (PCI DSS, OWASP, etc). • Secured internal network • Strong cryptography and security protocols • Restrict user access and roles to system • System is protected from vulnerabilities • ... • Transactions are restricted to domains that are registered to valid token requesters.
  • 28. Credit Card Vaulting Credit Card Information Address Information Card Holder Name ... 7e29c5c48f44755598dec3549155ad6 6f1af4671091353be4c4d7694d71dc8 66 https://developer.paypal.com/docs/api/vault/
  • 29. CAP Theorem • Consistency: Data to and from different nodes in the distributed system should always be identical. • Availability: The vault is always available to service requests. • Partition Tolerance: The distributed system can continue to work even in the event of underlying data communications network failure, or hardware failure in a node.
  • 30. If consistency is dropped, how do we ensure that the payment token retrieved is the correct and newest one?
  • 31. Multiple Record Storage Surrogate Token Payment Token Delete 5256771698017130 d66f1af4671091353be4c true 5355427967576526 d66f1af4671091353be4c false 5535770792529787 7e29c5c48f4475523ef56 false
  • 32. Wrapup Links • Host Card Emulation (Android): https://developer.android.com/guide/topics/connectivity/nfc/hce.html • EMV Tokenisation specification: https://www.emvco.com/specifications.aspx?id=263 • Asynchronous cryptography example: https://github.com/iddatasecuritybook/chapter7/tree/master/asymmetric-crypto • Android Build info: http://developer.android.com/reference/android/os/Build.html

Editor's Notes

  1. What does this type of system enable? Walk around payment checkout Direct hardware / beacon payments in aisle Direct table purchases
  2. What we’ll learn today
  3. What does the token look like – 13-19 digit numeric value that passes account and Luhn check validation Durable vs transaction based tokens Durable: merchant preferred as it allows CC ad data storage. Faster purchases (don’t have to request a new token each time). Transaction: more secure, don’t need to track customer details. Good for small businesses
  4. tokenization
  5. Luhn algorithm https://www.rosettacode.org/wiki/Luhn_test_of_credit_card_numbers http://www.freeformatter.com/credit-card-number-generator-validator.html
  6. What we’ll model our breakdown around EMV payment tokenisation specification Apple / Android pay tokenization system
  7. How the apple / android pay system works (diagram)
  8. How our modified system will work
  9. Device / User integration
  10. Secure element functionality on the phone vs HCE
  11. Device hardware – arduino with BLE / NFC shield
  12. Beacon hardware
  13. Protecting card data prior to storage
  14. Asynchronous Cryptography
  15. Creating risk assurance information for verification by the API network
  16. The API network
  17. The endpoints needed for the network /device – create new verified endpoint device (providing a requester ID) /pay – make an encrypted payment /issue – issue new key set for data encryption (new mobile device)
  18. How do we ensure minimal collision in generated tokens?
  19. Node-uuid and hat Hat.rack func
  20. Some storage rules / regulations
  21. https://www.voltage.com/pci/tokenization-of-credit-card-numbers-and-the-cap-theorem/ The theorem states that for distributed data storage systems a system designer has to choose between two of the three following menu items: Consistency. In the card vault example this would imply that no matter which distributed tokenization service was used for tokenization or de-tokenization they would all return the exact same token for a given PAN. It would not be permissible, for example, to return two different tokens for a given PAN. Availability. The card vault is always available to service a request to tokenize or de-tokenize. Partition tolerance. This is perhaps the least understood of the three choices. In summary, for a distributed storage system the system can continue to operate even in the event of underlying data communications network failure, or hardware failure in a node.
  22. How do we ensure the consistency of tokens
  23. Store multiple records of token to payment token mapping with the outdated records flagged for deletion