Breaking Payment Points of Interaction (POI)

Black Hat USA 2016

Presented by: Nir Valtman, Patrick Watson
Date: Wednesday August 03, 2016
Time: 10:20 - 11:10
Location: Mandalay Bay BCD

The payment industry is becoming more driven by security standards. However, the cornerstones are still broken even in the latest implementations of these payment systems, mainly because the focus is on the standards rather than on security. The best example of this is the ability to bypass protections put in place by point of interaction (POI) devices, simply by modifying several files on the point of sale or manipulating the communication protocols. In this presentation, we will explain the main flaws and provide live demonstrations of several weaknesses on a widely used pinpad. We will not exploit the operating system of the pinpad, but instead bypass the application layer and the business logic protections, i.e. the crypto algorithm is secure, but everything around it is broken. As part of our demos, we will include EMV bypassing, avoiding PIN protections and scraping PANs from various channels.

Nir Valtman

Nir Valtman is heading the application security of the software solutions for NCR Corporation. Before the acquisition of Retalix by NCR, Nir led the security of the R&D in the company. In his previous positions, he worked in several application security, penetration testing and systems infrastructure security roles. Nir is a frequent speaker at leading conferences around the world, including Black Hat, Defcon, OWASP etc. Nir has a Bachelor of Science in Computer Science, but his knowledge is mainly based on cowboy learning and information sharing with the techno-oriented communities, such as blogging and releasing open source tools (including AntiDef, Cloudefigo and SAPIA).

Patrick Watson

Patrick Watson is an Application Security Architect specializing in electronic payment systems. He joined Radiant Systems, later acquired by NCR Corporation, to build payment middleware for point of sale suites. Working with over 50 payment processor interfaces, primarily in the petroleum market, Patrick has designed and implemented many of the security systems protecting your credit card and personal data. No stranger to PA-DSS and PCI DSS, he continues to champion security beyond compliance. He holds a Bachelor of Science in Computer Science from the Georgia Institute of Technology in addition to CISSP, CSSLP, and CIPP/US certifications.
