BSidesLV 2016 has ended
Welcome to BSidesLV 2016, our 8th annual BSides in beautiful Las Vegas, Nevada!
Tuesday, August 2 • 14:00 - 15:00
Breaking the Payment Points of Interaction (POI)

Sign up or log in to save this to your schedule, view media, leave feedback and see who's attending!

The payment industry is becoming more driven by security standards. However, the corner stones are still broken even with the latest implementations of these payments systems, mainly due to focusing on the standards rather than security. The best example for that is the ability to bypass protections put in place by points of interaction (POI) devices, by simple modifying several files on the point of sale or manipulating the communication protocols. In this presentation, we will explain the main flaws and provide live demonstrations of several weaknesses on a widely used pinpad. We will not exploit the operating system of the pinpad, but actually bypass the application layer and the business logic protections, i.e. the crypto algorithm is secure, but everything around it is broken. As part of our demos, we will include EMV bypassing, avoiding PIN protections and scraping PANs from various channels.

avatar for Nir Valtman

Nir Valtman

Nir Valtman is heading the application security of the software solutions for NCR Corporation. Before the acquisition of Retalix by NCR, Nir lead the security of the R&D in the company. As part of his previous positions, he was working in several application security, penetration... Read More →
avatar for Patrick Watson

Patrick Watson

Application Security Architect, NCR Corporation
Patrick Watson is an Application Security Architect specializing in electronic payment systems. He joined Radiant Systems, later acquired by NCR Corporation, to build payment middleware for point of sale suites. Working with over 50 payment processor interfaces, primarily in the petroleum... Read More →

Tuesday August 2, 2016 14:00 - 15:00 PDT
Breaking Ground Florentine A