The Price of Convenience: How Security Vulnerabilities in Global Transportation Payment Systems Can Cost You

Presented at DEF CON 31 (2023), Aug. 13, 2023, 1 p.m. (45 minutes).

Public transportation payment systems have undergone significant changes over the years. Recently, mobile payment solutions have become increasingly popular, allowing passengers to pay for their fare using their smartphones or other mobile devices. The evolution of public transportation payment systems has been driven by the need for faster, more convenient, and more secure payment methods, and this trend is likely to continue in the years to come.

But how secure are mobile payment solutions for public transportation? In this presentation, we will examine the security risks associated with transportation applications, using Moovit as a case study. Moovit is a widely used transportation app operating in over 100 countries and 5000+ cities. Through our investigation of the app's API, including SSL-encrypted data, we discovered specific vulnerabilities, which we will discuss. We will also demonstrate a custom user interface that can obtain a "free ticket" and cause someone else to pay. Furthermore, we will explain how an attacker could gain unauthorized access to and exfiltrate Personally Identifiable Information (PII) of registered users. Our findings offer practical recommendations to improve the security of transportation apps.

REFERENCES:

  • https://github.com/httptoolkit/frida-android-unpinning/blob/main/frida-script.js
  • https://moovit.com/

Presenters:

  • Omer Attias - Security Researcher at SafeBreach Labs
    Omer Attias is an accomplished security researcher with over five years of experience in the field of cybersecurity. He currently works as a researcher at SafeBreach Labs. With a background in the Ministry of Defense and the Israeli Defense Forces (IDF), Omer has honed his skills in network research, including a deep understanding of Windows internals and Linux kernel components. In addition to his professional pursuits, Omer is a passionate technology and science enthusiast who is always eager to explore emerging trends and innovations in these fields.
