DEF CON Training
Salvador Mendoza - Payment Systems: The Art of Analyzing Mag-stripe, Tokenization, NFC & EMV Technologies $1,800
Name of training: Payment Systems: The Art of Analyzing Mag-stripe, Tokenization, NFC and EMV Technologies
Salvador Mendoza is director of research and development at Metabase Q and a member of the Ocelot Offensive Security Team.
Salvador focuses on tokenization processes, payment systems and embedded prototypes. He has presented on tokenization flaws and payment methods at conferences such as Black Hat USA, DEF CON, HITB, Troopers and many others. Salvador has also designed tools for researching payment systems, Bluetooth, and tokenization processes.
Author of “Show me the (e-) money Hacking a sistemas de pagos digitales: NFC. RFID, MST y Chips EMV”, a book written in Spanish that collects different attacks against payment systems.
Trainer(s) social media links:
Do you have links to sites that promoted your past training so we can better understand how you presented it to the public?
I taught a slightly different version of this training in the RFID/NFC edition at Troopers: https://troopers.de/troopers19/trainings/eryskc/
Short description of your class:
The Payment Systems training is a hands-on space to learn from day one by practicing, analyzing, and testing EMV, NFC, tokenized and magstripe banking data. The BomberCat is the main tool for working with NFC and magnetic stripe data; for contact EMV transactions we use ELMA to emulate them. Other tools used in the training are Android and the ACR122.
The training is divided by technology and communication protocol so that the techniques are easier to understand and conceptualize. This intensive hands-on training gives students the opportunity to learn, practice and interact with real attack scenarios focused on EMV standards: understanding how malicious individuals can bypass, find or exploit security mechanisms in payment systems, and what countermeasures each technology applies.
This training tries to answer many questions, such as: how difficult is it to make a contact or NFC replay attack? Is it possible at all? What type of hardware is involved in the attack surface? What are the limitations and characteristics of a relay approach? Is it possible to replay a tokenized number from a third-party technology, or to downgrade an EMV transaction in current payment systems? Can we relay contact EMV data over the internet?
We will be practicing with real NFC/magstripe/tokenization/EMV banking cards right from the first day. Demonstrations and real scenarios will be presented with physical and digital payment systems and their possible exploitation. Furthermore, we will discuss new types of attacks and data-extraction techniques that are not well documented.
Outline the class in enough detail that we can determine the hour-by-hour experience a student will experience:
Introduction to the training dynamics - ½ hour
Objective: Explaining how the training sessions are divided, the goals and perspectives of the training, and how it is organized, followed by a short introduction from each member of the session.
Module 1 - Payment systems and Security – 1 hour
Objective: Understanding the fundamentals of payment system environments. The trainees will get on the same page about payment system security and how to approach payment system analysis, learning how transactions are verified and processed in the communication with the terminal, and answering important questions such as why the APDU communication protocol is not encrypted and what other mechanisms protect the transactions.
Module 2 - Toolset Environments – 2 hours
Objective: Analyzing specialized payment system scenarios requires adequate procedures. Knowledge is important, but so are the tools and methodologies we will use in this session; these tools should be specialized for each payment system technology to support the learning process. We will talk about the lab environment, its organization and how to navigate through it.
Module 3 - Magnetic Stripe Data – 1 hour
Objective: Learning magstripe data is important to understand current concepts and technologies. To approach more complex payment system scenarios, we should first understand the earlier ideas of security and encoding.
Module 4 - Communication Process for EMV Transactions – 2 ½ hours
Objective: Jumping into the APDU protocol to understand the communication between the terminal/PoS and technologies such as NFC or EMV contact transactions. Understanding packet generation, commands and responses reveals the structure and the core of the transactions. We will finish this module knowing how to handle NFC and EMV communication transactions.
Module 5 - EMV Technology – 2 hours
Objective: Relating tendencies with magstripe and the APDU communication process, we will be ready to analyze contact transactions, examining advanced APDU commands and response mechanisms to see how security is approached in this payment method. In this process, we will use a special hardware tool to emulate EMV data.
Module 6 - Near Field Communication – 2 hours
Objective: Applying concepts from Module 5 and Module 6, the trainees will be able to relate the security procedures in the NFC protocol. Previous knowledge will be used to understand and detail NFC transactions, APDU communications, cryptogram analysis and cardholder verification methods.
Module 7 - Tokenization Process – 1 hour
Objective: Following Modules 3, 4 and 6, the tokenization process takes us to the opposite side of static magstripe data. We will analyze the art of seeding in the encryption process for token generation, and understand what current technologies, including digital wallets, implement in the tokenization process and how they do it.
Module 8 - Cloning, Replay and Downgrade Attacks – 2 hours
Objective: Reversing and analyzing transactions to understand attacks seen in the wild against payment systems, and knowing how to perform and generate PoCs using our advanced toolset environment. The trainees will participate in real hands-on exercises to run specific attacks.
Module 9 - Relay Magstripe, NFC and EMV Technologies – 2 hours
Objective: Given all the previous methodologies and attack scenarios, we will integrate them into a new level of attacks. It is important to learn how to generate relays in payment systems and how to analyze time-bounding countermeasure mechanisms. The participants will use our laboratory to relay APDU data locally to understand the timing and the limitations of the transaction countermeasures in all the technologies.
Technical difficulty of the class:
Experience or skills needed: Python and Linux environment experience are helpful but not required.
Suggested prerequisites for the class. What should the student have read or prepared in advance to get the most out of your class? This could be videos to watch, books or white papers to read, etc.
- Overview of Contactless Payment Cards: https://www.blackhat.com/docs/us-15/materials/us-15-Fillmore-Crash-Pay-How-To-Own-And-Clone-Contactless-Payment-Devices-wp.pdf
- Chip and PIN is Broken: https://www.cl.cam.ac.uk/research/security/banking/nopin/oakland10chipbroken.pdf
- Samsung Pay: Tokenized Numbers, Flaws and Issues: https://www.blackhat.com/docs/us-16/materials/us-16-Mendoza-Samsung-Pay-Tokenized-Numbers-Flaws-And-Issues-wp.pdf
- PIN Automatic Try Attack: https://media.defcon.org/DEF%20CON%2029/DEF%20CON%2029%20presentations/Salvador%20Mendoza%20-%20PINATA-%20PIN%20Automatic%20Try%20Attack.pdf
Items students will need to provide:
We will provide the hardware tools for each student, as well as a Virtual Machine for the lab environment. These tools are not included in the training price; some of them may be available for purchase after the training.
The students are required to bring a laptop with VMware Fusion or VMware Player, with at least 20 GB of hard drive space and 4 GB of RAM.
The students may bring their own expired or canceled NFC cards to test them in the training.
This training is unique. For example, we will emulate EMV contact transactions, something that is not offered in any other training around the globe (we are not even sure there is another payment system training like this at other events). What about relaying EMV contact data over the internet? We sometimes hear about relaying NFC information, but EMV contact data? We will use the ELMA tool that we presented with the PINATA research at DEF CON last year.