Breaking the Payment Points of Interaction (POI)

BSidesLV 2016

Presented by: Nir Valtman, Patrick Watson
Date: Tuesday August 02, 2016
Time: 14:00 - 15:00
Location: Florentine A
Track: Breaking Ground

The payment industry is becoming more driven by security standards. However, the corner stones are still broken even with the latest implementations of these payments systems, mainly due to focusing on the standards rather than security. The best example for that is the ability to bypass protections put in place by points of interaction (POI) devices, by simple modifying several files on the point of sale or manipulating the communication protocols. In this presentation, we will explain the main flaws and provide live demonstrations of several weaknesses on a widely used pinpad. We will not exploit the operating system of the pinpad, but actually bypass the application layer and the business logic protections, i.e. the crypto algorithm is secure, but everything around it is broken. As part of our demos, we will include EMV bypassing, avoiding PIN protections and scraping PANs from various channels.

Nir Valtman

Nir Valtman is heading the application security of the software solutions for NCR Corporation. Before the acquisition of Retalix by NCR, Nir lead the security of the R&D; in the company. As part of his previous positions, he was working in several application security, penetration testing and systems infrastructure security positions. Nir is a frequent speaker at leading conferences around the world, including Black Hat, Defcon, OWASP etc. Nir has a Bachelor of Science in Computer Science but his knowledge is mainly based on cowboy learning and information sharing with the techno-oriented communities, such as blogging and releasing open source tools (including AntiDef, Cloudefigo and SAPIA).

Patrick Watson

Patrick Watson is an Application Security Architect specializing in electronic payment systems. He joined Radiant Systems, later acquired by NCR Corporation, to build payment middleware for point of sale suites. Working with over 50 payment processor interfaces, primarily in the petroleum market, Patrick has designed and implemented many of the security systems protecting your credit card and personal data. No stranger to PA-DSS and PCI DSS, he continues to champion security beyond compliance. He holds a Bachelor of Science in Computer Science from the Georgia Institute of Technology in addition to CISSP, CSSLP, and CIPP/US certifications.


KhanFu - Mobile schedules for INFOSEC conferences.
Mobile interface | Alternate Formats