Fraud systems, payments engineering, banking malware, and what building secure financial technology looks like inside one of Africa's largest retail banks.
These thoughts are my own and I am often wrong, so don’t get too excited if you disagree with me. South Africa is experiencing a banking paradox. Consumers have never had more choice, with digital challenger banks, retailer backed banks, insurer led banks, and mobile first offerings launching at a remarkable pace, while at the […]
⚠️ LEGAL DISCLAIMER AND TERMS OF USE **READ THIS CAREFULLY BEFORE PROCEEDING** Legal Requirements: **AUTHORIZATION REQUIRED**: You MUST have explicit written permission from the system owner before running any of these tests **ILLEGAL WITHOUT PERMISSION**: Unauthorized network scanning, port scanning, or DoS testing is illegal in most jurisdictions **YOUR RESPONSIBILITY**: You are solely responsible for […]
by Andrew Baker 1. Opening: The Client Has Been Captured The fraud victim approving a transaction they believe is a refund is not making a mistake. They are not confused or careless or naive. They are operating under full psychological capture, executing instructions from an authority figure they have been conditioned over the course of […]
A companion piece to Core Banking Is a Terrible Idea. It Always Was. It is 1972. A group of very serious men in very wide ties are gathered in a very beige conference room. They are about to make decisions that will haunt your change advisory board fifty years from now. The following is a […]
To retrieve a list of the SSL/TLS cipher suites a particular website offers, you can use either sslscan or nmap; alternatively, you can just use nmap (note: I use “-e en0” to bypass Zscaler): Another variant (including cert dates; again, “-e en0” is used to bypass Zscaler):
1. What ShedLock Is and How It Works Spring Boot makes it trivial to schedule a task. You add @EnableScheduling to a configuration class, annotate a method with @Scheduled, and the framework fires it on your chosen cron or interval. The problem surfaces the moment you deploy more than one instance of your application. In […]
1. Find a list of IP addresses linked to a domain To find the IP address for a particular domain, simply pass the target domain name as an argument after the host command. For a comprehensive lookup using verbose mode, use the -a or -v flag. The -a option is used to find all Domain records and Zone […]
1. What Are Stablecoins? Stablecoins are a type of cryptocurrency designed to maintain a stable value by pegging themselves to a reserve asset, typically a fiat currency like the US dollar. Unlike volatile cryptocurrencies such as Bitcoin or Ethereum, which can experience dramatic price swings, stablecoins aim to provide the benefits of digital currency without […]
The below script will give you basic information on a website's certificate: nmap provides a simple way to get a list of available ciphers from a host website / server. Additionally, nmap provides a strength rating of strong, weak, or unknown for each available cipher. First, download the ssl-enum-ciphers.nse nmap script (explanation here). Then from the same […]
A Comprehensive Security Testing Guide for Mac Users 1. Introduction WordPress xmlrpc.php is a legacy XML-RPC interface that enables remote connections to your WordPress site. While designed for legitimate integrations, this endpoint has become a major security concern due to its susceptibility to brute force attacks and amplification attacks. Understanding how to test your WordPress […]
1. Size Was Once Mistaken for Stability For most of modern banking history, stability was assumed to increase with size. The thinking was that the bigger you are, the more you should care, and the more resources you can apply to problems. Larger banks had more capital, more infrastructure, and more people. In a pre-cloud world, this […]
This is a very short post to help anyone quickly set up vulnerability checking for a site they own (and have permission to scan). I like the vulners scripts as they cover a lot of basic ground quickly with one script.