Infiltrate Security Conference OPEN CFP

TALK PROFILE
This CFP is not yet open - Check back soon!

Attacking Mobile Payment Systems - from App to Pay

Penetration Test
45

Recently, the use of mobile payment services (like Apple Pay and PayPal) has become increasingly popular. Being closely related to financial transactions, those systems are often required to be highly secure in order to defend against possible security threats. However, due to a lack of concrete examples of hacking attempts and of studies on the security of the payment services, they are still considered to be at a high risk of such threats. To address this issue, S Pay, for instance, is known to employ a security solution, the so-called ARM® TrustZone® technology, to protect sensitive information in a more secure environment. Combined with other security enhancements and features, the solution has been chosen as one of the most highly rated mobile security solutions in the recent evaluation of mobile security solutions conducted by Gartner. In this context, we would like to announce the case study of the S Pay vulnerability and the methodology we have used for auditing the security of such systems.

In this talk, we present the results of a vulnerability assessment of existing mobile payment services, using the list of common threats to mobile payment services derived through the STRIDE methodology. As S****** Pay has built up its security through the use of the ARM® TrustZone® technology, we'll cover the S****** Pay vulnerability analysis in four layers, each in relation to the TrustZone architecture: the application layer, the library layer, the kernel layer, and finally the Secure World layer. This case study of the S****** Pay application illustrates how one could achieve the equivalent effect of bypassing the Warranty Bit protection mechanism on modified Galaxy devices; it also demonstrates how to carry out payments via NFC (success) and MST (work in progress; is it possible?) on such devices. Finally, we propose a threat model for such mobile payment services and applications on Android-based systems, derived from earlier research.

Rated 4 - 11 reviewers

Comments

hwhw

awesome :)

jaisonyi

well.. it is possible but takes a lot of effort to do it.. it is quite an interesting talk and I wish to hear it

jaisonyi

Breaking a mobile payment through NFC and MST :) Cool and interesting

Interested in Speaking?

We are pleased to announce that the Call For Papers for INFILTRATE 2018 is now open. If you would like to present and have an offense-focused, fresh-content presentation, please submit an abstract, bio and headshot to cfp@immunityinc.com. This information will be included on our Open CFP site, here, where the public can vote on which presentations they are most interested in seeing at INFILTRATE. The call for papers will close on December 14th, 2017. Shortly after this date, the winning speakers will be notified.

Some of the benefits of speaking at INFILTRATE are: