Presentation Title Credit Card Skimming and PIN Harvesting in an EMV World
The EMV global standard for electronic payments is widely used for inter-operation between chip equipped credit/debit cards, Point of Sales devices and ATMs.
Following the trail of the serious vulnerabilities published by Murdoch and Drimer’s team at Cambridge University regarding the usage of stolen cards, we explore the feasibility of skimming and cloning in the context of POS usage.
We will analyze in detail EMV flaws in PIN protection and illustrate skimming prototypes that can be covertly used to harvest credit card information as well as PIN numbers regardless the type/configuration of the card. The attacks are believed to be unreleased so far to the public (which however does not mean fraudster are not exploiting them) and are effective in bypassing existing protections and mode of operations.
As usual cool gear and videos are going to be featured in order to maximize the presentation.
Note: Presenting with Adam Laurie
About Daniele Bianco
He began his professional career during his early years at university as system administrator and IT consultant for several scientific organizations. His interest for centralized management and software integration in Open Source environments has focused his work on design and development of suitable R&D infrastructure. One of his hobbies has always been playing with hardware and electronic devices.
At the time being he is the resident Hardware Hacker for international consultancy Inverse Path where his research work focuses on embedded systems security, electronic devices protection and tamperproofing techniques. He presented at many IT security events and his works have been quoted by numerous popular media.
About Adam Laurie
Adam Laurie is a freelance security consultant working the in the field of electronic communications. He started in the computer industry in the late Seventies, working as a computer programmer on PDP-8 and other mini computers, and then on various Unix, Dos and CP/M based micro computers as they emerged in the Eighties. He quickly became interested in the underlying network and data protocols, and moved his attention to those areas and away from programming, starting a data conversion company which rapidly grew to become Europe’s largest specialist in that field (A.L. downloading Services). During this period, he successfully disproved the industry lie that music CDs could not be read by computers, and, with help from his brother Ben, wrote the world’s first CD ripper, ‘CDGRAB’.
At this point, he and Ben became interested in the newly emerging concept of ‘The Internet’, and were involved in various early open source projects, the most well known of which is probably their own ‘Apache-SSL’ which went on to become the de-facto standard secure web server. Since the late Nineties they have focused their attention on security, and have been the authors of various papers exposing flaws in Internet services and/or software, as well as pioneering the concept of re-using military data centres (housed in underground nuclear bunkers) as secure hosting facilities.
Adam has been a senior member of staff at DEFCON since 1997, and also acted as a member of staff during the early years of the Black Hat Briefings, and is a member of the Bluetooth SIG Security Experts Group and speaks regularly on the international conference circuit on matters concerning Bluetooth security. He has also given presentations on forensics, magnetic stripe technology, InfraRed and RFID.
He is the author and maintainer of the open source python RFID exploration library ‘RFIDIOt’, which can be found at http://rfidiot.org. Adam is a Director and full time researcher working for Aperture Labs Ltd., specialising in reverse engineering of secure systems.