Breaking banks or saving them
Download as PPTX, PDF
0 likes149 views
Payment technologies are an integral part of our lives, yet few of us know much about them. What payment security consists of? What careers options it can bring to the table? What exiting security research hackers had come up in the last decade and how can you fit into that? We are not promising to answer all your questions, but we will try to help you with the first steps and give guidelines to move forward.
![Variations
Currency exchange doesnt work everywhere
Online acquiring PayPal/Square ($) + GBP card + refund
C2C: send $0.02 to GBP account (receive 0.02GBP)
PayPal 0.01[ANY] (PHP, RUB) -> 0.01[YOUR] highly profitable](https://image.slidesharecdn.com/breakingbanksorsavingthem-210218132809/85/Breaking-banks-or-saving-them-21-320.jpg)
Breaking banks or saving them
- 1. Breaking banks or saving them Introduction to payment security Timur Yunusov, Cyber R&D Lab PaymentVillage.org
- 2. Payment security domains Career options and ideas Personal examples Industry problems Q&A
- 6. Online banking Mobile banking apps Currency exchange Blockchain Hybrid OWASP Logical vulns Cryptography
- 9. Bug bounty
- 10. Bug bounty Low entry barriers Great way to start learning Wide options Can be mentally hard Needs a lot of stamina 2FA is everywhere Learns how to write/read Learns how to look for an impact Keep an eye on the market Learn how to do something new Visa/MC Square/Clover/Stripe Starling/N26/TransferWise
- 11. Red Team
- 12. You will always have a job Requires a lot of different skills Wheres the money? Follow the money
- 13. HW/RE
- 14. RE/ HW Everything is in your scope Years and years of education/training Ledger - https://wallet.fail/ mPOS, POS, ATM https://paymentvillage.org https://leigh-annegalloway.com Self-checkout kiosks and terminals Biometric POS, SoftPOS, mPOS Bitcoin ATMs Currency exchange (MT4, MT5)
- 15. Blue team
- 16. RE/ HW The only way of making changes Not so much glory MasterCard will integrate support for cryptocurrencies by the end of the year Anti-fraud KYC DevSecOps Blue Teams
- 17. Rounding 2001
- 18. Rounding How: https://youtu.be/f7tWWyCeqNM Details: 1 GBP = 1,30 USD 0.02 USD => float(0.0153; 2) == 0.02 GBP Profit = 0.0047 USD
- 19. How: https://youtu.be/f7tWWyCeqNM Details: 1 GBP = 1,30 USD 0.02 USD => float(0.0153; 2) == 0.02 GBP Profit = 0.0047 USD Rounding
- 20. How: https://youtu.be/f7tWWyCeqNM Details: 1 GBP = 1,30 USD 0.02 USD => float(0.0153; 2) == 0.02 GBP Profit = 0.0047 USD x500 ($2) x10,000 ($47) OTP bypass Antifraud bypass Dont need to do everything manually Rounding
- 21. Variations Currency exchange doesnt work everywhere Online acquiring PayPal/Square ($) + GBP card + refund C2C: send $0.02 to GBP account (receive 0.02GBP) PayPal 0.01[ANY] (PHP, RUB) -> 0.01[YOUR] highly profitable
- 24. OS / Software vulns /Kiosk mode bypass /a66at/launch-impossible-current-state-of-application- control-bypasses-on-atms Network attacks https://www.ptsecurity.com/ww-en/about/news/positive-technologies-researcher- detects-vulnerability-in-kaspersky-lab-security-solution/ Hardware security https://i.blackhat.com/us-18/Thu-August-9/us-18-Stennikov-Blackbox-is-dead--Long- live-Blackbox!.pdf Hardware Network OS
- 25. PIN OK How: https://www.paymentvillage.org/wiki/pinok Details: Replace the first cardholder verification rule to Offline PIN Enter a random PIN Card sends 63C2 (Wrong PIN, 2 attempts left) Replace the answer to 9000 (PIN OK)
- 26. PIN OK 2005 Chip and Spin, Ross Anderson, Mike Bond, Steven J. Murdoch Chip and PIN is broken, Steven J. Murdoch, Saar Drimer, Ross Anderson, Mike Bond 2010 2011 2020 Bypassing of PSD2 Cumulative limits https://www.cyberdlab.com/research-blog/card-fraud-in-a-psd2-world-a-few-examples 2021 Stay tuned
- 27. Legacy
- 29. Lack of options
- 30. High entry barriers/Lack of awareness
Editor's Notes
- 5 years ago bug bounty and finances never intersected Now we have visa, mc bb, square, clover, fintech startups with official bb programs, etc, etc
- 5 years ago bug bounty and finances never intersected Now we have visa, mc bb, square, clover, fintech startups with official bb programs, etc, etc
- Instead of answering the question spear phishing, internal attacks, external attacks, we slowly move to
- Instead of answering the question spear phishing, internal attacks, external attacks, we slowly move to industry-specific goals during pentests and application security projects. For example, we started doing a lot of ATM assessments and questions like *** Trying to simulate famous SWIFT heist and steal money from such systems. A lot of attention comes to invest banking instruments.