HITB2011KUL - Chip & PIN - Protocol Analysis EMV POS

["research () vulnerability-lab com" <research () vulnerability-lab com>]

Title:
======
HITB2011KUL - Chip & PIN - Protocol Analysis EMV POS


Date:
=====
2012-01-26


References:
===========
Download:       http://www.vulnerability-lab.com/resources/videos/399.wmv
View:           http://www.youtube.com/watch?v=5zFlqMFWYhc



VL-ID:
=====
399


Status:
========
Published


Exploitation-Technique:
=======================
Conference


Severity:
=========
Medium


Details:
========
The EMV global standard for electronic payments is widely used for inter-operation between chip equipped 
credit/debit cards, Point of Sales devices and ATMs.

Following the trail of the serious vulnerabilities published by Murdoch and Drimer’s team at Cambridge 
University regarding the usage of stolen cards, we explore the feasibility of skimming and cloning in the 
context of POS usage.

We will analyze in detail EMV flaws in PIN protection and illustrate skimming prototypes that can be covertly 
used to harvest credit card information as well as PIN numbers regardless the type/configuration of the card.

Our updated research also explores in depth the design, implementation and effectiveness of tamper proof 
sensors in modern and widely used POS terminals, illustrating different techniques for bypass and physical 
compromise. As usual cool gear and videos are going to be featured in order to maximize the presentation.


Credits:
========
Andrea Barisani
Andrea Barisani is a security researcher and consultant. His professional career began 10 years ago but all really 
started 
when a Commodore-64 first arrived in his home when he was 10. Now, 18 years later, Andrea is having fun with 
large-scale 
IDS/Firewalls deployment and administration, forensic analysis, vulnerability assessment, penetration testing, security 
training and his Open Source projects. He eventually found that system and security administration are the only 
effective 
way to express his need for paranoia.

Being an active member of the international Open Source and security community he’s maintainer/author of the tenshi, 
ftester 
projects as well as the founder and project coordinator of the oCERT effort, the Open Source Computer Emergency Reponse 
Team.

He has been involved in the Gentoo project, being a member of the Gentoo Security and Infrastructure Teams, and the 
Open 
Source Security Testing Methodology Manual, becoming an ISECOM Core Team member. Outside the community he has been a 
security consultant for Italian firms and he’s now the co-founder and Chief Security Engineer of Inverse Path Ltd. He 
has 
been a speaker and trainer at PacSec, CanSecWest, BlackHat and DefCon conferences among many others, speaking about 
TEMPEST 
attacks, SatNav hacking, 0-days, LDAP and other pretty things.



Daniele Bianco
He began his professional career during his early years at university as system administrator and IT consultant for 
several 
scientific organizations. His interest for centralized management and software integration in Open Source environments 
has 
focused his work on design and development of suitable R&D infrastructure. One of his hobbies has always been playing 
with 
hardware and electronic devices.

At the time being he is the resident Hardware Hacker for international consultancy Inverse Path where his research work 
focuses on embedded systems security, electronic devices protection and tamperproofing techniques. He presented at many 
IT 
security events and his works have been quoted by numerous popular media.


Disclaimer:
===========
The information provided in this video is provided as it is without any warranty. Vulnerability-Lab disclaims all 
warranties, 
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. 
Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss 
of business 
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such 
damages. Some 
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing 
limitation 
may not apply. Any modified copy or reproduction, including partially usages, of this file requires authorization from 
Vulnerability-
Lab. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, 
including the use of 
other media, are reserved by Vulnerability-Lab or its suppliers.

                                                Copyright © 2012|Vulnerability-Lab




-- 
Website: www.vulnerability-lab.com ; vuln-lab.com or vuln-db.com
Contact: admin () vulnerability-lab com or support () vulnerability-lab com


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/