Mining and Exploiting (Mobile) Payment Credential Leaks in the Wild

Presented at Black Hat Asia 2021 Virtual, May 6, 2021, 11:20 a.m. (40 minutes).

Over the past decade, an increasing number of mobile apps have integrated third-party payment functions from service providers, the so-called Cashiers, so that end-users can readily pay from within a smartphone app through these Cashiers. To secure their services, the Cashiers define various payment credentials, e.g., PKCS#12 certificates, and share them with mobile apps for authentication and authorization operations such as refunds. Despite the security-critical nature of these payment credentials, existing work has focused on specific credential leaks from known sources, e.g., Android APKs or GitHub. In contrast, little effort has been spent studying the prevalence of payment credential leaks in the wild and their security impact.

In this talk, we begin with the background of the mobile payment services of four first-tier Cashiers that serve over 1 billion users globally. We then introduce the potential leaking sources of payment credentials, including new ones that have not previously been investigated at large scale. For example, we find that the backend servers of mobile apps can inadvertently expose payment credentials to the public. Then, we describe four exploits enabled by leaked payment credentials when combined with other implementation flaws. These exploits all have serious consequences, ranging from direct financial loss for the mobile apps to privacy violations for end-users. Specifically, with the leaked payment credentials, an attacker may steal money directly from the account of the mobile app and obtain all of its users' payment records.

Further, we design and implement an automatic tool to conduct credential mining from public VCS and APKs at market scale. As a result, we discovered around 20,000 leaked payment credentials, affecting thousands of apps and millions of end-users. We have made responsible disclosures to the Cashiers, and some of the leaking apps revoked their credentials afterward.
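One pre-release check an app team can run against its own build, added here as an example and not the speakers' mining tool: it walks an APK's zip entries and flags any whose bytes begin with a PKCS#12 (PFX) structure, so a bundled payment certificate is caught even when it is renamed to hide its extension. The sample APK, its entry names and the PFX stub are constructed for the demonstration.

```python
import io
import zipfile

PKCS7_DATA_OID = bytes.fromhex("2a864886f70d010701")  # OID 1.2.840.113549.1.7.1 (pkcs7-data), authSafe contentType of a PFX

def _read_tlv(buf, pos):
    """Parse one DER tag and length at buf[pos:]; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                            # long-form length, 1..4 length bytes
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated")
    return tag, pos, pos + length

def looks_like_pkcs12(data: bytes) -> bool:
    """PFX ::= SEQUENCE { version INTEGER 3, authSafe SEQUENCE { OID pkcs7-data ... } ... }"""
    try:
        tag, p, _ = _read_tlv(data, 0)
        if tag != 0x30:
            return False
        tag, vs, ve = _read_tlv(data, p)         # version, must be 3
        if tag != 0x02 or data[vs:ve] != b"\x03":
            return False
        tag, p, _ = _read_tlv(data, ve)          # authSafe ContentInfo
        if tag != 0x30:
            return False
        tag, os_, oe = _read_tlv(data, p)        # its contentType OID
        return tag == 0x06 and data[os_:oe] == PKCS7_DATA_OID
    except (ValueError, IndexError):
        return False

def find_pkcs12_in_apk(apk_bytes: bytes) -> list:
    """Names of APK (zip) entries whose bytes parse as PKCS#12, whatever their extension."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return [i.filename for i in zf.infolist()
                if not i.is_dir() and looks_like_pkcs12(zf.read(i))]

def build_sample_apk() -> bytes:
    """Constructed sample APK: a PFX header hidden under a .bin name beside two harmless files."""
    pfx_stub = bytes.fromhex("3010020103300b06092a864886f70d010701")  # header only, no key material
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("assets/pay_config.bin", pfx_stub)
        zf.writestr("assets/logo.png", b"\x89PNG\r\n\x1a\n")
        zf.writestr("res/raw/ca.pem", b"-----BEGIN CERTIFICATE-----\n")
    return buf.getvalue()
```

Running `find_pkcs12_in_apk` on a real build reads each entry in full, so a complete PFX with long-form DER lengths is recognised the same way as the stub.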

Presenters:

  • Shangcheng Shi - PhD student, The Chinese University of Hong Kong
    Shangcheng Shi is currently a PhD student in the Department of Information Engineering at The Chinese University of Hong Kong. His supervisor is Wing Cheong Lau. His main research interests are mobile security and system security.
  • Xianbo Wang - PhD student, The Chinese University of Hong Kong
    Xianbo Wang is currently a PhD student in the Department of Information Engineering at The Chinese University of Hong Kong. His supervisor is Wing Cheong Lau. His current research interests include web application security and Android security. He enjoys participating in CTFs and bug bounty programs.
  • Wing Cheong Lau - Associate Professor, The Chinese University of Hong Kong
    Wing Cheong Lau is currently an Associate Professor in the Department of Information Engineering and the Director of the Mobile Technologies Centre (MobiTeC) at The Chinese University of Hong Kong (CUHK). Wing received the B.S.(Eng) degree from The University of Hong Kong and the M.S. and PhD degrees in Electrical and Computer Engineering from the University of Texas at Austin. Before returning to academia, Wing worked in the US industry for a decade: he was a Member of Technical Staff with the Performance Analysis Department, Bell Laboratories, Holmdel, New Jersey, where he conducted research in high-speed network protocol design and performance analysis. Wing also had a stint with Qualcomm, San Diego, California, where he designed the architecture and protocols for the Next Generation Wireless Packet Data Networks and actively contributed to the standardization of such protocols in the Internet Engineering Task Force (IETF) and 3GPP. While on leave from Bell Labs, Wing taught at the University of Hong Kong and served as the Associate Director for the MSc Programme in E-Commerce and Internet Computing. Wing's innovations have led to the granting of 19 U.S. patents. Related research findings have culminated in more than 100 publications in major international conferences and journals. His recent research interests include: security and privacy of online social networks and mobile payment systems; resource allocation and optimization for big data processing and cloud computing systems; and authenticated 2D barcodes and their applications. Dr. Lau is a Senior Member of IEEE and a member of ACM and Tau Beta Pi. He is/has been a TPC member of ACM MobiHoc, Sigmetrics, IEEE Infocom, SECON, WiOpt, ICC, Globecom, WCNC, VTC, ITC, VNC and COMSNETS. He also served as a Guest Editor for the special issue on High-speed Network Security of the IEEE Journal on Selected Areas in Communications (JSAC). For their work in Single-Sign-On SDK security, Wing and his team received the 2018 Internet Defense Prize (second runner-up) from USENIX and Facebook.
