Trainer Name: Timur Yunusov

Title: Offensive Payment Security

Duration: 3 Days

Dates: Sept. 20, 2023 to Sept. 22, 2023

Training Objectives

We interact with payments every day. Yet how many of us actually know how they work? Join us to learn about payments and techniques for spotting vulnerabilities in them.

This "Payments 101" training course covers vulnerability research in payments and related issues and attacks.

The main goal of this course is to break the status quo of payment insecurity. We help our audience gain a better understanding of how to:

  • Find vulnerabilities in payment systems while staying within the law
  • Obtain the necessary skills and equipment

Learn from the best in the industry and leave with your wallet a little lighter.

Training level: Intermediate; Advanced; Basic

Training Outlines

Day 1.

Part I. Background

  • Introduction
  • History of payments
  • Scope. What is a "Payment system"?
  • Setting up the "lab"
  • Ethics and the law. White-hat mentality.
  • Hands-on time

Part II. Hacking online payments

  • Online banking systems and their common vulnerabilities
  • Registration Issues
  • Logical issues - float rounding
  • Hands-on
  • Authorization bypass
  • Top three One-Time Code issues
  • Hands-on
  • Business logic issues:
  • Replay, Brute Force, and Race Condition
  • Promotion and cashback abuse
  • Open banking API threats
  • Hands-on

Day 2.

Part III. Card Not Present

  • Card requisites brute-forcing
  • OTP issues
  • Mobile wallets enrolment
  • Replay and Brute Force attacks
  • 3D-Secure vulnerabilities, PSD2, CNP payment types
  • Refunds
  • Technical overdraft
  • Hands-on

Part IV. EMV/NFC attacks

  • EMV history and stack
  • Deep dive into the EMV/NFC specs
  • Hands-on
  • EMV attacks
  • Transaction stream manipulation
  • Authentication bypass
  • Authorization bypass
  • Verification bypass
  • Other attacks (Cryptogram Confusion, Card Brand Mixup)
  • Hands-on

Part V. Mobile wallets

  • The danger of custom HCE
  • Apple Pay's known attacks and threats
  • Google Pay, and Samsung Pay known attacks and threats
  • Wallet/tokenization service liability model
  • Other wallets/tokens/wearables/etc.
  • Weaponizing wallets

Day 3.

Part VI. Onboarding and KYC

  • Definitions: AML, KYC, CDD
  • Intro to KYC/Onboarding procedures
  • Examples
  • How to hack KYC in fintech for fun and profit

Part VII. POS Security

  • PCI requirements
  • Types of POS terminals
  • Physical vectors
  • Logical vectors
  • Attacks and threats

Part VIII. ATM Security

  • Intro to ATM and security
  • Physical level
  • Network level
  • OS level
  • Logical level
  • Attacks and threats

What to Bring?

  • Kali Linux or Ubuntu (VM or native)
  • Windows 10 or similar (VM or native)
  • Web hacking tools, e.g. Burp Suite

Training Prerequisite

Highly recommended, but not mandatory:

  • Knowledge of the basic security concepts (integrity, availability, confidentiality, weakness, vulnerability, attack)
  • OWASP Top 10 knowledge

Who Should Attend?

  • Bounty hunters who have grown tired of "duplicates" and would like to explore a new security domain
  • Security researchers who are interested in finding logical vulnerabilities using a black-box approach and staying within the law
  • Infosec specialists with or without preliminary knowledge of payments who want to keep up with up-to-date attacks and vulnerabilities in payments

What to Expect?

  • Practical experience in hacking online banking systems, POS, ATMs, and banking cards
  • Deep dive into the unknown technology stack
  • Hints on hacking systems using the black-box approach, which can be applied to any area

What attendees will get

  • VMs with vulnerable online banking systems (up to three different VMs)
  • VMs with vulnerable ATM emulators
  • NFC Man-in-The-Middle kits and Android APK for MiTM bridge
  • Card readers, both EMV and NFC
  • Card Hacking Challenge kit (a vulnerable card and the SoftPOS app)

What not to expect?

The trainer has an application security background, so 99% of the training takes place within this domain.

We do not provide a full explanation of how card processing or any other payment instruments work. This is a training on how to find vulnerabilities and hack these systems, which sometimes brings more questions than answers ;-)

About the Trainer

Timur Yunusov, head of the research unit, has twelve years of experience in practical security assessment and security research. He specializes in the security assessment of financial systems: online, core, and mobile banking, ATMs, POS terminals, and card processing. He is an expert in banking application security and one of the DEF CON Payment Village organizers.