ThinSIM-based Attacks on Mobile Money Systems

DEF CON 26

Presented by: Rowan Phipps
Date: Thursday August 09, 2018
Time: 10:00 - 10:45
Location: 101 Track

Phone-based mobile money is becoming the dominant paradigm for financial services in the developing world processing more than a billion dollars per day for over 690 million users. For example, mPesa has an annual cash flow of over thirty billion USD, equivalent to nearly half of Kenya's GDP. Numerous other products exist inside of nearly every other market, including GCash in the Philippines and easyPaisa in Pakistan. As a part of this growth, competitors have appeared who leverage ThinSIMS, small SIM card add ons, to provide alternative mobile money implementations without operating their own mobile networks. However, the security implications of ThinSIMs are not well understood.

This talk dives into decade old telecom standards to explore how ThinSIMs work and what attackers of mobile money systems can do when they control the interface between the SIM card and the phone. We will also demo two proof of concept exploits that use ThinSIMs to steal money from mobile money platforms and detail the difficulties of defense.

Rowan Phipps

Rowan is an undergraduate at the University of Washington where he studies Computer Science. He's a member of Batman's Kitchen and has participated in CTF and CCDC competitions. Last summer he worked in the Digital Financial Services Research Group looking into the security of mobile money. In his spare time he likes to dabble with hardware design. @RowanPhipps


KhanFu - Mobile schedules for INFOSEC conferences.
Mobile interface | Alternate Formats