Breaking the Payment Points of Interaction (POI)

Presented at BSidesLV 2016, Aug. 2, 2016, 2 p.m. (60 minutes).

The payment industry is becoming more driven by security standards. However, the corner stones are still broken even with the latest implementations of these payments systems, mainly due to focusing on the standards rather than security. The best example for that is the ability to bypass protections put in place by points of interaction (POI) devices, by simple modifying several files on the point of sale or manipulating the communication protocols. In this presentation, we will explain the main flaws and provide live demonstrations of several weaknesses on a widely used pinpad. We will not exploit the operating system of the pinpad, but actually bypass the application layer and the business logic protections, i.e. the crypto algorithm is secure, but everything around it is broken. As part of our demos, we will include EMV bypassing, avoiding PIN protections and scraping PANs from various channels.


Presenters:

  • Nir Valtman - Head of Application Security - NCR Corporation
    Nir Valtman is heading the application security of the software solutions for NCR Corporation. Before the acquisition of Retalix by NCR, Nir lead the security of the R&D in the company. As part of his previous positions, he was working in several application security, penetration testing and systems infrastructure security positions. Nir is a frequent speaker at leading conferences around the world, including Black Hat, Defcon, OWASP etc. Nir has a Bachelor of Science in Computer Science but his knowledge is mainly based on cowboy learning and information sharing with the techno-oriented communities, such as blogging and releasing open source tools (including AntiDef, Cloudefigo and SAPIA).
  • Patrick Watson - Application Security Architect - NCR Corporation
    Patrick Watson is an Application Security Architect specializing in electronic payment systems. He joined Radiant Systems, later acquired by NCR Corporation, to build payment middleware for point of sale suites. Working with over 50 payment processor interfaces, primarily in the petroleum market, Patrick has designed and implemented many of the security systems protecting your credit card and personal data. No stranger to PA-DSS and PCI DSS, he continues to champion security beyond compliance. He holds a Bachelor of Science in Computer Science from the Georgia Institute of Technology in addition to CISSP, CSSLP, and CIPP/US certifications.

Links:

Similar Presentations: