Training Objectives

We interact with payments every day. Yet how many of us actually know how they work? Join us to learn about payments and techniques for spotting vulnerabilities in them.

This "Payments 101" training course covers vulnerability research in payments and related issues and attacks.

The main goal of this course is to break the status quo of payment insecurity. We help our audience to gain a better understanding of how to :

Find vulnerabilities in payment systems while staying within the law
Obtain the necessary skills and equipment

Learn from the best in the industry and leave with your wallet a little lighter.

Training level: Intermediate; Advanced; Basic

Training Outlines

Day 1.

Part I. Background

Introduction
History of payments
Scope. What is a "Payment system"?
Setting up the "lab"
Ethics and the law. White-hat mentality.
Hands-on time

Part II. Hacking online payments

Online banking systems and their common vulnerabilities
Registration Issues
Logical issues - float rounding
Hands-on
Authorization bypass
Top three One-Time Code issues
Hands-on
Business logic issues:
Replay, Brute Force, and Race Condition
Promotion and cashback abuse
Open banking API threats
Hands-on

Day 2.

Part III. Card Not Present

Card Requisites Bruteforcing
OTP issues
Mobile wallets enrolment
Replay and Brute Force attacks
3D-Secure vulnerabilities, PSD2, CNP payment types
Refunds
Technical overdraft
Hands-on

Part IV. EMV/NFC attacks

EMV history and stack
Deep dive into the EMV/NFC specs
Hands-on
EMV attacks
Transaction stream manipulation
Authentication bypass
Authorization bypass
Verification bypass
Other attacks (Cryptogram Confusion, Card Brand Mixup)
Hands-on

Part V. Mobile wallets

The danger of custom HCE
Apple Pay's known attacks and threats
Google Pay, and Samsung Pay known attacks and threats
Wallet’s/tokenization service liability model
Other wallets/tokens/wearables/etc
Weaponizing wallets

Day 3.

Part VI. Onboarding and KYC

Definitions: AML, KYC, CDD
Intro to KYC/Onboarding procedures
Examples
How to hack KYC in fintech for fun and profit

Part VII. POS Security

PCI requirements
Types of POS terminals
Physical vectors
Logical vectors
Attacks and threats

Part VIII. ATM Security

Intro to ATM and security
Physical level
Network level
OS level
Logical level
Attacks and threats

What to Bring?

Kali Linux or Ubuntu (VM or native)
Windows 10 or similar (VM or native)
Web hacking tools, e.g. Burp Suite

Training Prerequisite

Highly recommended, but not mandatory:

Knowledge of the basic security concepts (integrity, availability, confidentiality, weakness, vulnerability, attack)
OWASP Top 10 knowledge.

Who Should Attend?

Bounty hunters who got tired of "duplicates" and who would like to explore a new security domain
Security researchers who are interested in finding logical vulnerabilities using a black-box approach and staying within the law
Infosec specialists with or without preliminary knowledge of payments who want to keep up with up-to-date attacks and vulnerabilities in payments

What to Expect?

Practical experience in hacking online banking systems, POS, ATMs, and banking cards
Deep dive into the unknown technology stack
Hints on hacking systems using the black-box approach, which can be applied to any area

What attendees will get

VMs with vulnerable online banking systems (up to three different VMs)
VMs with vulnerable ATM emulators
NFC Man-in-The-Middle kits and Android APK for MiTM bridge
Card readers, both EMV and NFC
Card Hacking Challenge kit (a vulnerable card and the SoftPOS app)

What not to expect?

Trainer has an app sec background, so 99% of the training is taking place within this domain.

We do not provide a full explanation of how the card processing or any other payment instruments work. This is the training on how to find vulnerabilities and hack these systems, which sometimes brings more questions than answers;-)

TRAINING