Electronic payment system for the services provided by the Daimler Group.
We provided code review, external penetration testing and advisory services on fixing the identified vulnerabilities for their electronic payment system.
MERCEDES PAY is part of Daimler AG, a transnational automobile manufacturing group, and provides financial services both to customers and internally.
The project was carried out in 2018; our task was to test the payment service application that they had developed. We performed security testing from several perspectives: external penetration testing, external security testing and, having been given the source code, a review of the code for logic bugs and code-level vulnerabilities.
A distinctive feature of the project was that two teams worked in parallel: our team and a local team from PricewaterhouseCoopers, one of the Big Four. The project lasted three months. As a result, our team found more vulnerabilities than PricewaterhouseCoopers did.
Another task in this project was open source intelligence (OSINT): collecting information about the client from open sources. We took two approaches: on one side we searched openly available sources such as the Internet and social networks; on the other side we searched for information about the client in expert-only sources (the dark web, breach dumps of e-mail addresses and passwords, and so on).
The client wanted to find as many vulnerabilities as possible by running two teams in parallel.
The project was interesting because of the competition with a strong local company.
Based on the findings, we provided the client with a report. Our reports, whether for external penetration testing or security code review, have the following structure: a description of each identified vulnerability, where it was found, how it can affect the security of the resource and the application, and the threat level it is classified as.
The threat level is determined by several criteria:
- Likely origin of the vulnerability
- Possible damage it can cause
- How often the threat can recur
We conduct each test in several stages. We find vulnerabilities and produce a detailed report with recommendations for improving security and removing the vulnerabilities. After the client has implemented our recommendations, we retest. External penetration testing is conducted manually, using industry standards together with our own methods and tooling.
We also carried out an open source intelligence (OSINT) investigation, and a separate part of our report was dedicated to the information about the company's exposure that we discovered on the Internet.