Crash & Pay: How to Own and Clone Contactless Payment Devices

Presented at Black Hat USA 2015, Aug. 5, 2015, 4:20 p.m. (50 minutes).

With all this talk about NFC payments (Apple Pay, Google Wallet, etc.), are there claims on your card that can't be cloned? What security mechanisms can prevent this? How can they be subverted to make fraudulent transactions?

This talk answers these questions by taking you through how NFC payments work and how you can perform fraudulent transactions with just an off-the-shelf phone and a little bit of software. I'll take you through how you can clone common NFC payment cards, show you the attacks, and explain why it is possible. Information will be provided on the inexpensive tools now available for testing NFC devices and how to put together your own testing lab to test for vulnerabilities over these interfaces.


Presenters:

  • Peter Fillmore
    Peter Fillmore is an expert in the security of real-world payment systems. He has worked to design and certify many different systems that we all rely on today. He provides consulting and training services to international clients looking to implement, secure and certify systems to international standards. Outside of these services, he enjoys looking for WONTFIX bugs in protocols and trolling listeners of music streaming services with unlistenable junk. He enjoys long midnight strolls on the beach, listening to high-pitched screaming and ripping important PCB traces off expensive equipment.
