#RSAC
Session ID: HT-W11
API Security Exposure for Gift Card Fraud: A 15-year-old's guide
Tanay Deshmukh
High School Student, Amador Valley High School, Pleasanton, CA
About Me
• High school sophomore
• Student at Amador Valley High School in Pleasanton
• Self-taught; started coding at age 12
• Found major vulnerabilities for Chipotle, Spotify, NCR, and Jamba Juice
• Built Chrome extensions for buying high-demand items
• Participant in HackerOne
• Platinum tier in US CyberPatriot
• GitHub: t4nay
What will you learn and how can you use the learnings?
• What will I talk about? Using best practices to secure APIs, and new tools & techniques
• What will you learn? How hackers can exploit vulnerabilities
• How can you apply the learnings? Securing APIs for services & gift cards
Goals for my talk
– Understand how hackers exploit vulnerabilities using
• Credential stuffing
• SQL Injection
• Web scraping
– Use techniques to protect by implementing
• Captcha
• Rate Limiting
• Limiting public use, requiring VPN access, and increasing verification
What is a Gift Card or Cash Card?
A gift card (also known as a gift certificate in North America, or a gift voucher or gift token in the UK) is a prepaid stored-value money card, usually issued by a retailer or bank, to be used as an alternative to cash for purchases within a particular store or related businesses.
Source: Wikipedia