Offensive Payment Security 101
12-09, 13:00–17:00 (Europe/London), Workshop Room 2

This workshop covers payment vulnerability research, issues, and attacks related to payments. We help our audience gain a better understanding of how to find vulnerabilities in payment systems while staying within the law, what are necessary skills and equipment and how to get both.

History of payments
Payment system’ definition
Deep dive into card payments
- CNP and online
- Magstripe
- EMV and NFC
- Mobile Wallets

Finding vulnerabilities
- Top three OTP issues
- Cryptogram replay for online and CNP payments
- Magstripe attacks
- PIN OK attack
- EMV cryptogram replay attacks
- Transaction stream attacks
- Cryptogram confusion

Practical recommendations (bug bounty, ethics, setting up the lab for tests).

Workshop requirements:
- A laptop with Linux or Windows as a host OS,
- VMWare Player 17 (participants will be asked to download a VM image, this will be shared over email),
- Android phone with NFC (not necessary, but a good to have),
- Payment cards - preferably your own :)

Timur Yunusov has twelve years of experience in practical security assessment and security research. Specializing in the security assessment of financial systems: online, core, and mobile banking, ATM, POS, and card processing. Expert in banking application security. One of the DEF CON Payment Village organizers.