Contactless payments are fast replacing cash and chip inserted transactions. Now Accounting for a staggering 40% of transactions globally. Yet, contactless makes use of protocols much older than the technology itself. With this in mind, just how safe and secure are contactless payments?
In this talk, we discuss the intricacies of the EMV protocols. Our findings show that contactless payments are not as safe and secure as first thought. Their reliance on older technology has introduced several flaws into their protocols.
We detail new vulnerabilities; how to bypass limits for contactless payments made using cards and how to circumvent limits for mobile wallets, even on locked devices. We also cover flaws in the generation keys values, the unpredictable number (UN) and application transaction counter (ATC).
We close the session by discussing how existing implementations of card authorization processes differ from each other. Finally, we talk about the best practices that should be implemented to create a secure environment for payments.
Leigh-Anne Galloway is Head of Commercial Research at Cyber R&D Lab. She specializes in application and payment security. Leigh-Anne started her career in incident response, leading investigations into payment card data breaches. Which is where she discovered her passion for payment technologies. She has presented and authored research on ATM security, application security and payment technology vulnerabilities. Having previously spoken at DevSecCon, BSides, Hacktivity, 8dot8, OWASP, Troopers, Black Hat USA, and Black Hat Europe.
Timur Yunusov is a Head of Offensive Security Research and a Security Expert in the area of banking security and application security. He regularly speaks at conferences and has previously spoken at CanSecWest, PacSec. DEF CON, Black Hat USA, Black Hat Europe.