Solid architecture. For those not familiar with payment industry terms, PCI stands for Payment Card Industry. You usually know this as PCI DSS (Data Security Standard). Basically all the payment card providers got together and said that you need to follow these rules if you want to accept credit cards. The rules are pretty straightforward (have a firewall, don't save CVVs, encrypt credit card #s at rest). You then pay an auditor to audit against PCI DSS.
If I were looking for vulnerabilities I'd probably start with any XSS. Chances are the credit card data is locked down tight and encrypted. But what if I can scoop it up as it gets transformed into a token? Also look at where you store the encryption keys to decrypt the card data. There are hardware devices you can use that are especially hardened.
The problem with bitcoin is that it necessitates an even more secure architecture because you don't have a 3rd party to run to if things hit the fan. Suppose all your credit #s got stolen in this case. You can run to Visa/Mastercard and they will invalidate the card #s in bulk. Or at least do monitoring on them. What do you do when all your bitcoins are stolen?
With the Coinbase integration, the OAuth secret is the equivalent of the card number (and stored in knox like all other sensitive data, even though OAuth tokens are outside of PCI scope), and so if they got stolen, could be invalidated by Coinbase.
With a name like Balanced, I was expecting double entry bookkeeping[1], so:
you give an account to a device, e.g. the credit card processor, and measure how much money is entering and leaving the company per device.
Plus you give accounts to each customer and measure money going in and out their separate channels.
Then you check that these two different modalities of tracking money conclude the same liquidity measure for your company.
If they do not then you have sprung a leak somewhere and can halt everything.
That would be an extra layer of security. Passing loads of tokens round is still a single point of failure at the conceptual level.
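The two-view reconciliation sketched in the comment above, as an added example that is not part of the thread or of Balanced's code. Every money movement is posted once against the device or channel that moved it (card processor, Coinbase, bank payout) and once against the customer it belongs to; the check compares the company position each view implies and halts on any difference. Account names, amounts and the "lost customer-side write" fault are all constructed for illustration.

```python
from collections import defaultdict
from copy import deepcopy
from decimal import Decimal

# Constructed sample events (not real data): (device, customer, amount).
# Positive amounts are money entering the company, negative amounts money leaving it.
SAMPLE_EVENTS = [
    ("card_processor", "cust_a", Decimal("100.00")),  # card charge
    ("card_processor", "cust_b", Decimal("12.50")),   # card charge
    ("coinbase",       "cust_c", Decimal("40.00")),   # bitcoin deposit
    ("bank_payout",    "cust_a", Decimal("-60.00")),  # payout to the customer's bank
]


class Ledger:
    """One view of the money: a set of accounts and a count of postings made."""

    def __init__(self):
        self.accounts = defaultdict(lambda: Decimal("0"))
        self.postings = 0

    def post(self, account, amount):
        self.accounts[account] += amount
        self.postings += 1

    def total(self):
        # Net position implied by this view of the company.
        return sum(self.accounts.values(), Decimal("0"))


def build_ledgers(events, lost_customer_writes=frozenset()):
    """Post each event to the per-device view and the per-customer view.

    lost_customer_writes is a set of event indices whose customer-side posting
    is deliberately skipped, simulating a bug or a dropped write on one path.
    """
    devices, customers = Ledger(), Ledger()
    for idx, (device, customer, amount) in enumerate(events):
        devices.post(device, amount)
        if idx not in lost_customer_writes:
            customers.post(customer, amount)
    return devices, customers


def reconcile(devices, customers):
    """Compare the two views; ok only if totals and posting counts both agree."""
    d, c = devices.total(), customers.total()
    return {
        "ok": d == c and devices.postings == customers.postings,
        "device_total": d,
        "customer_total": c,
        "difference": d - c,
    }


def run_and_halt(events, lost_customer_writes=frozenset()):
    """Process events through both views and raise (halt) on a mismatch."""
    devices, customers = build_ledgers(events, lost_customer_writes)
    result = reconcile(devices, customers)
    if not result["ok"]:
        raise RuntimeError(f"ledger mismatch, halting: {result}")
    return result


if __name__ == "__main__":
    print(run_and_halt(SAMPLE_EVENTS))
    d, c = build_ledgers(deepcopy(SAMPLE_EVENTS), lost_customer_writes={1})
    print(reconcile(d, c))  # the 12.50 charge is missing on the customer side
```

The posting-count comparison matters as much as the totals: two errors of equal size and opposite sign would cancel in the totals alone, so a real reconciliation would also compare per-account balances against the journal, not just the grand total.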
I first have to give you a thumbs-up for calling your fraud detection layer "precog".
Does AWS let you firewall off Knox from the open internet? PayPal's architecture has most of the machines that touch payments isolated behind hardware firewalls, with only certain front-end machines able to punch through the firewall.
Amazon has VPCs which are virtual private clouds. They let you configure networks with specific requirements, such as being closed off from the outside world.
Once closed off from the world, only your servers within the public subnets can access those in the private subnet. By default, the private subnet can't talk to the outside world. You'd typically set up a NAT instance in your public subnet that tunnels your private subnet's internet to the outside world (because the NAT is in a public subnet, it can access the outside world).
That's just an example setup. It's a very powerful tool for securing your infrastructure. For example, you should typically put your databases, and anything that isn't password protected that stores information or something (except web servers) in a private network so that only your public servers have access to them.
User -> Public Network -> Public Server -> Private Network -> Private Server -> NAT (Tunnel) -> Public Network -> Internet
VPC does take quite a bit of effort to set up, but after that, it's pretty straightforward.
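An added example (not from the thread, and not AWS or Balanced code) of the check a defender would run over the public/private subnet layout described above: a subnet counts as public when its route table sends 0.0.0.0/0 to an internet gateway, private when the default route is absent or goes via a NAT instance. The audit flags sensitive roles that ended up in a public subnet and a NAT instance that is itself in a private subnet, which would leave the private subnet without egress. The VPC description is a constructed, simplified structure loosely modelled on route-table fields, not real API output; the subnet, instance and gateway identifiers are made up.

```python
from copy import deepcopy

# Constructed VPC layout (simplified, not the AWS API shape). Targets follow the
# AWS id prefixes loosely: "igw-" internet gateway, "i-" instance used as NAT.
SAMPLE_VPC = {
    "subnets": {
        "subnet-public-a":      {"cidr": "10.0.0.0/24",  "route_table": "rtb-public"},
        "subnet-private-a":     {"cidr": "10.0.10.0/24", "route_table": "rtb-private"},
        "subnet-private-leaky": {"cidr": "10.0.20.0/24", "route_table": "rtb-public"},
    },
    "route_tables": {
        "rtb-public":  [{"dest": "10.0.0.0/16", "target": "local"},
                        {"dest": "0.0.0.0/0",   "target": "igw-1"}],
        "rtb-private": [{"dest": "10.0.0.0/16", "target": "local"},
                        {"dest": "0.0.0.0/0",   "target": "i-nat"}],  # via NAT instance
    },
    "instances": {
        "i-nat":  {"subnet": "subnet-public-a",      "role": "nat"},
        "i-web":  {"subnet": "subnet-public-a",      "role": "web"},
        "i-db":   {"subnet": "subnet-private-a",     "role": "database"},
        "i-knox": {"subnet": "subnet-private-leaky", "role": "vault"},  # misplaced
    },
}


def default_route(vpc, subnet_id):
    """Return the target of the 0.0.0.0/0 route for a subnet, or None if there is none."""
    rtb = vpc["subnets"][subnet_id]["route_table"]
    for route in vpc["route_tables"][rtb]:
        if route["dest"] == "0.0.0.0/0":
            return route["target"]
    return None


def classify_subnet(vpc, subnet_id):
    """'public' if the default route goes straight to an internet gateway, else 'private'."""
    target = default_route(vpc, subnet_id)
    if target is not None and target.startswith("igw-"):
        return "public"
    return "private"


def audit(vpc, must_be_private=("database", "vault")):
    """List layout problems: sensitive roles exposed, and NAT instances without public egress."""
    findings = []
    for inst_id, inst in vpc["instances"].items():
        if inst["role"] in must_be_private and classify_subnet(vpc, inst["subnet"]) == "public":
            findings.append(f"{inst_id} ({inst['role']}) is in public subnet {inst['subnet']}")
    for subnet_id in vpc["subnets"]:
        target = default_route(vpc, subnet_id)
        if target is not None and target.startswith("i-"):
            nat_subnet = vpc["instances"][target]["subnet"]
            if classify_subnet(vpc, nat_subnet) != "public":
                findings.append(f"{subnet_id}: NAT {target} is in private subnet {nat_subnet}, no egress")
    return findings


def move_instance(vpc, inst_id, subnet_id):
    """Return a copy of the layout with one instance moved, for what-if checks."""
    changed = deepcopy(vpc)
    changed["instances"][inst_id]["subnet"] = subnet_id
    return changed


if __name__ == "__main__":
    for f in audit(SAMPLE_VPC):
        print("FINDING:", f)
```

Route tables are only one layer: even in a private subnet, security groups and network ACLs still decide which public servers may reach the database or the secrets store, so a full audit would check those too.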
I wonder: is EC2 secure enough for this type of credit card store? What if the management layer running the underlying hosts is vulnerable or a XEN zero-day vulnerability shows up?
I'm sure Amazon does a lot on securing its infrastructure, but for credit card data wouldn't a physical, fenced off server be more secure?
I suppose it comes down to the amount of investment available. Amazon can pour resources into security, monitoring and have a large staff actively keeping an eye on such things. They're signed off for PCI compliance Level 1[0] (Any service provider that stores, processes and/or transmits over 300,000 transactions annually) which helps isolate you from a lot of costs around getting your dedicated hardware audited yourself.
It's also worth noting that Amazon.com itself is hosted off AWS (since ~2010), though I'm struggling to find a good cite for that.
Am I wrong to want to know more about how (for instance) communication between the networks and components is implemented? This post, while well written, doesn't really answer the questions I might ask about any given architecture.
It seems like a lot of people are interested in hearing more details, so I'll try to get into that eventually in another post. Always more to talk about!
Thanks very much. The question about latency is certainly relevant, and I would add reliability to that too. I'd definitely be interested in a technical follow-up, when you have the time.
I would really love to use Balanced, I'm really excited for the escrow and the bitcoin features... If only they accepted customers from the Netherlands.
> We already log these to a centralized server using RSYSLOG, so I already had
> a data source to draw from. Next, I went and brewed a fresh pot of coffee and
> bestowed it upon bninja for his prescient work in building our log parser,
> Slurp. We wrote a quick Slurp script that read the HTTP status code from each
> request and then fed them into Graphite buckets. Each bucket was based on
> service name (DASHBOARD, API, JS) and then response code family (2xx, 3xx,
> 4xx, 5xx, and a special case timeout for slow requests).
If infrastructure stuff is interesting to you, you may want to check out https://github.com/balanced/balanced-infra . If there's interest, I might blog about it in the future.
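The status-code bucketing described in the quoted passage, as an added example that is not the Slurp script or any Balanced code: request lines are pulled from a centralized syslog stream, the service name and HTTP status are extracted, each request is counted into a service/response-family bucket (with slow requests diverted to a timeout bucket), and the counts are rendered in Graphite's plaintext line protocol. The log format, the 3-second slow threshold and the metric prefix are all assumptions; the sample lines are constructed.

```python
import re
import time
from collections import Counter

# Constructed rsyslog-style lines (not Balanced's real format): syslog header,
# a service tag, then the request with its HTTP status and elapsed seconds.
SAMPLE_LOG = """\
Jan 14 10:00:01 web1 API: GET /v1/customers status=200 time=0.12
Jan 14 10:00:01 web1 DASHBOARD: GET /marketplaces status=302 time=0.05
Jan 14 10:00:02 web2 API: POST /v1/debits status=201 time=0.40
Jan 14 10:00:02 web2 API: GET /v1/cards/xyz status=404 time=0.03
Jan 14 10:00:03 web1 JS: GET /balanced.js status=200 time=0.01
Jan 14 10:00:04 web2 API: POST /v1/debits status=500 time=1.20
Jan 14 10:00:05 web1 API: GET /v1/events status=200 time=3.70
Jan 14 10:00:06 web1 sshd[123]: Accepted publickey for deploy
"""

# Header is "Mon DD HH:MM:SS host", then the service tag; only the three
# services named in the post are treated as request logs.
LINE_RE = re.compile(
    r"^\S+ \d+ \S+ \S+ (?P<service>API|DASHBOARD|JS): .* "
    r"status=(?P<status>\d{3}) time=(?P<secs>[\d.]+)$"
)

SLOW_THRESHOLD = 3.0  # seconds; assumed value, the post does not state one


def bucket_for(status, secs, slow=SLOW_THRESHOLD):
    """Map one request to its bucket: 'timeout' for slow requests, else e.g. '5xx'."""
    if secs >= slow:
        return "timeout"
    return f"{status[0]}xx"


def count_buckets(lines, slow=SLOW_THRESHOLD):
    """Count requests per (service, bucket); non-request lines are skipped."""
    counts = Counter()
    for line in lines.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # e.g. the sshd line: not a request log
        key = (m["service"].lower(), bucket_for(m["status"], float(m["secs"]), slow))
        counts[key] += 1
    return counts


def graphite_lines(counts, ts, prefix="http"):
    """Render counts in Graphite's plaintext protocol: '<metric.path> <value> <unix ts>'."""
    return [f"{prefix}.{svc}.{bucket} {n} {ts}"
            for (svc, bucket), n in sorted(counts.items())]


if __name__ == "__main__":
    now = int(time.time())
    for out in graphite_lines(count_buckets(SAMPLE_LOG), now):
        print(out)
```

In production the counts would be flushed once per interval and sent to the Graphite carbon port over TCP; an alert on a rising 5xx or timeout bucket is then a cheap early warning that something between the front end and the payment path is failing.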
The HN mods typically sanitize titles to match the title of the underlying article. (Except when they don't, of course.) They are generally unwilling to explain themselves, even when their edits are clearly making the title worse.
It's honestly a mystery to me why the system even lets submitters specify titles.
The problem I have is that Stripe, a competitor to Balanced, seems to keep the (YC S) emblem every time they have a story. It feels like YC is trying to hide the fact that Balanced is a YC company, I guess. Pair this along with the fact that (IMHO) Balanced is killing it, but I only ever see PR about Stripe (except for a few weeks ago, when Balanced announced a partnership with CoinBase, another YC company).
I think you are paranoid. I see them both tagged and stripped equally. Just depends on the random whims of the moderators who do not explain themselves at all.