Attacking Mobile Payment Systems - from App to Pay

Author(s): Ki-Taek.Lee
Min-Kyo Seo
Category: Penetration Test
Duration: 45
Summary: Mobile payment services (such as Apple Pay and PayPal) have become
increasingly popular. Because they handle financial transactions, these
systems are expected to be highly secure against possible threats. However,
due to the lack of concrete, published hacking attempts and security
studies of payment services, they are still considered to be at high risk.
To address this, S Pay, for instance, is known to employ a security
solution built on what is called ARM® TrustZone® technology, which protects
sensitive information inside a more secure execution environment. Combined
with other security enhancements and features, this solution was rated as
one of the strongest mobile security solutions in a recent Gartner
evaluation. In this context, we present a case study of an S Pay
vulnerability and the methodology we used for auditing the security of
such systems.


In this talk, we present the results of a vulnerability assessment of
existing mobile payment services, based on a list of common threats to
mobile payment services derived through the STRIDE methodology. Because
S****** Pay has strengthened its security through the use of ARM®
TrustZone® technology, we cover the S****** Pay vulnerability analysis in
four layers, each corresponding to a level of the TrustZone architecture:
the application layer, the library layer, the kernel layer, and finally the
Secure World layer. This case study of the S****** Pay application
illustrates how one could achieve the equivalent effect of bypassing the
Warranty Bit protection mechanism on modified Galaxy devices; it also
demonstrates how to carry out payments from such devices via NFC (success)
and MST (work in progress; is it possible?). Finally, we propose a threat
model for such mobile payment services and applications on Android-based
systems, derived from earlier research.

Comments

hwhw

awesome :)


jaisonyi

Well.. it is possible, but it takes a lot of effort to do it.. It is a quite interesting talk and I wish to hear it.


jaisonyi

Breaking a mobile payment through NFC and MST :) Cool and interesting