Cyber Security Services for MERCEDES PAY Electronic Payment System - Kiss Software

MERCEDES PAY

Code review and external penetration testing for electronic payment system

Scope

Electronic payment system for the services provided by the Daimler Group.

We provided code review, external penetration testing and consulting on remediation of the identified vulnerabilities for their electronic payment system.

MERCEDES PAY is part of Daimler AG, a transnational automobile manufacturing group, and provides financial services both to clients and internally.

The project was carried out in 2018. Our task was to test a payment service application that the client had developed. We had to test its security from several perspectives: external penetration testing, external security testing, and, with access to the source code, a review for logic bugs and code-level vulnerabilities.



PROCESS

Cooperation with PricewaterhouseCoopers

A distinctive feature of the project was that two teams worked in parallel: our team and a local Big Four team from PricewaterhouseCoopers. The project lasted three months. In the end, our team found more vulnerabilities than PricewaterhouseCoopers did.

An additional task in this project was open source intelligence (OSINT): collecting information about the client from open sources. We worked from two directions: on one side we searched openly available sources such as the Internet and social networks; on the other we searched for information about the client in specialist sources (the dark web, breached email and password dumps, etc.).

The company wanted to find all the possible vulnerabilities with the help of two parallel teams.

The project was interesting because of the competition with a strong local company.

RESULTS

Identified vulnerabilities and investigation process

Based on the findings, we provided the client with a report. Our reports, whether for external penetration testing or for security code review, have the following structure: a description of each identified vulnerability, where it was found, how it can affect the security of the resource and the application, and the threat level it is classified at.

Threat level is determined by several criteria:

- Possible origin of the vulnerability
- Possible damage it can cause
- Threat recurrence frequency

We conduct each test in several stages: we find vulnerabilities and prepare a detailed report with advice on improving security and removing the vulnerabilities; after the client has implemented our recommendations, we retest. External penetration testing is performed manually, using both industry standards and tools and methods of our own.

We also carried out an open source intelligence (OSINT) investigation, and a separate part of our report was dedicated to the information about the company's vulnerabilities that we discovered on the Internet.

