Hack In, Cash Out: Hacking and Securing Payment Technologies

Presented at LayerOne 2018, May 27, 2018, 2 p.m. (60 minutes)

Have you ever wanted to learn more about how payments work? Do you want to know how criminals bypass security mechanisms on point-of-sale terminals, ATMs and digital wallets? Payment technologies are a transparent part of our lives. They enable us to pay for everything from a coffee to a car. In the first part of this talk we take a look at payment technologies past, present and future. Learn how payments have evolved and what transactions look like today. Next we'll dive into the different attacks that are possible with each transaction type and discuss which areas security teams should be focused on now, and in the future. Learn how hackers gain access to banking endpoints, bypass fraud mechanisms, and how they ultimately cash out.

Payment methods have changed vastly in the last 50 years, from the development of the ATM to the more recent adoption of digital payment methods. These days it's hard to find a shop, restaurant or café that doesn't accept card or contactless payments. In this talk, we will first demystify payment methods so that anyone can understand them. What are NFC, EMV and tokenization? This talk will leave you with a great understanding of how payments work. In the second part of this talk we will cover demonstrations of the risks associated with payments. If you are considering integrating payment technologies into your business, or already accept payments, pay close attention. Working from case studies and our own experience, we'll dive into the different attacks that are possible with each transaction type. We'll look at techniques used to gain access to endpoints such as ATMs and POS terminals. Next we'll explore the tactics used to bypass fraud detection mechanisms, and the multipliers employed by attackers to make the payout huge.


  • Timur Yunusov
    Timur Yunusov is a Senior Expert of Banking systems security and the author of multiple research works in the field of application security, including "Apple Pay replay attacks", presented at BlackHat USA 2017, "Bruteforce of PHPSESSID", rated in the Top Ten Web Hacking Techniques by WhiteHat Security, and "XML Out-Of-Band", presented at BlackHat EU. He is a professional application security researcher. Timur has previously spoken at CanSecWest, BlackHat USA, BlackHat EU, HackInTheBox, Nullcon, NoSuchCon, Hack In Paris, ZeroNights and Positive Hack Days.
  • Leigh-Anne Galloway
    Leigh-Anne Galloway is the Cyber Security Resilience Lead at Positive Technologies, where she advises organisations on how best to secure their applications and infrastructure against modern threats. She is an expert in the Application Security Unit, specializing in ATM and POS security, and is the author of security research on account recovery processes on social media websites. She has spoken at many conferences including DevSecCon, BSides, InfoSec Europe, Hacktivity, 8dot8, BlackHat EU and Troopers.

