Virtual Terminals, POS Security and becoming a billionaire overnight

Presented at BruCON 0x08 (2016), Oct. 28, 2016, 10:30 a.m. (60 minutes)

Very few people use cash nowadays, as most use a debit or a credit card for their everyday needs. These transactions are performed through a Point-of-Interaction (POI) device or through a Virtual Terminal. Although payment terminals and virtual terminals make use of strong encryption and secure communications channel the Point of Sale (POS) is still a target for criminals. The malware affecting point of sale systems seen in previous years demonstrates that criminals continually adapt to find ways to target card payment channels and keep the cycle going. Following on the above, during this presentation, a number of features (provided in POI devices as standard functionality) and the ability to misuse them during a transaction will be demonstrated. But the main focus will be on a Threat Modelling engagement, undertaken against Virtual Terminals. More specifically, it will demonstrated how POS malware can shift and instead of targeting Card Holder Data (CHD) can targets the actual money directly. In other words, I will show you how someone ended up with billions overnight, without having to steal a single card number.

Presenters:

• Grigorios Fragkos

Links:

• https://brucon0x082016.sched.com/event/8Y7n/virtual-terminals-pos-security-and-becoming-a-billionaire-overnight

Similar Presentations:

• DerbyCon 6.0 Recharge (2016) / Point of Sale Voyuer- Threat Actor Attribution Through POS Honeypots
• Black Hat Europe 2020 Virtual / POSWorld. Should You be Afraid of Hands-On Payment Devices?
• DEF CON 25 (2017) / DOOMed Point of Sale Systems