Wednesday 2 November 2016

BruCON 2016 (0x08) - Speaking about POS, POI & VT (the undisclosed talk)

It was a great honour for me to present this year at a hacking conference like BruCON (brucon.org).
As many of you already know, I started this because I wanted to know how the payment process works behind the scenes (Payment Card Industry - PCI) and how secure these systems are, which we take for granted on a daily basis. 

After researching Point-of-Sale (POS), Point-of-Interaction (POI) devices and Virtual Terminals (VT) for almost 4 years, it was about time to do a presentation that wouldn't be behind closed doors as I usually do. I talked with a number of acquirers, issuers, payment processors and POI OS manufacturers and let them know about my findings way before this talk.



As a side note, I was very pleased to see so many people coming to my talk and I had some really good feedback afterwards. I am glad people enjoyed it and I would like to thank all of you for attending my talk. According to the Internet usage during those two days, it seems that during my talk, the lowest numbers of Internet access were recorded (Popularity talk vs. Internet usage) excluding breakfast and coffee breaks (obviously!). A bit of self-sarcasm here; I really hope that was because they were loving the talk so much and not because they fell asleep! :)

BruCON has everything (workshops, training, hacking, awesome people) and it is very well organised. Also, BruCON takes place in Belgium, which is a fantastic opportunity for everyone to visit Brussels and Ghent (where the event takes place). 

The abstract of my talk can be found here:
Very few people use cash nowadays, as most use a debit or a credit card for their everyday needs. These transactions are performed through a Point-of-Interaction (POI) device or through a Virtual Terminal. Although payment terminals and virtual terminals make use of strong encryption and secure communication channels, the Point of Sale (POS) is still a target for criminals. The malware affecting point of sale systems seen in previous years demonstrates that criminals continually adapt to find ways to target card payment channels and keep the cycle going.
Following on the above, during this presentation, a number of features (provided in POI devices as standard functionality) and the ability to misuse them during a transaction will be demonstrated. But the main focus will be on a Threat Modelling engagement, undertaken against Virtual Terminals. More specifically, it will be demonstrated how POS malware can shift and, instead of targeting Card Holder Data (CHD), can target the actual money directly. In other words, I will show you how someone ended up with billions overnight, without having to steal a single card number. Dr. Grigorios Fragkos, follow: @drgfragkos

As this is the undisclosed version of the talk, it was allowed to be recorded and the video can be found at BruCON's YouTube channel at this link.

I really enjoyed my time at BruCON, and I am looking forward to going back next year. If you have never been to BruCON, take the time and plan ahead for your trip. It is totally worth it and you will definitely enjoy everything about the conference. Once again, thank you for coming to my talk and filling up such a huge room. :D
