In 2022, most of us have bought goods and services online or using mobile apps, for convenience, for safety (e.g., pandemic) or as a matter of personal preference. As mobile payments and integrations with third-party payment processors become more and more prevalent, common AppSec mistakes from the past reappear under new forms. Merchants who overlook security best practices and fail to secure their systems can be victims of fraud.
In this talk, we will cover some examples of payment APIs and mobile in-app purchases (e.g., with Apple Pay or Google Play Store) that fail to perform sufficient validation in ways that may have devastating financial and reputational impact to merchants. We aim to bring awareness to these often-overlooked issues and provide recommendations to avoid these vulnerabilities with real-world examples.