Virtual Terminals, POS Security and becoming a billionaire overnight! presented at BSidesUK 2015

by Grigorios Fragkos

Summary: Very few people use cash nowadays, as most use a debit or a credit card for their everyday needs. These transactions are performed through a Point-of-Sale (POS) device or through a Virtual Terminal. All the certified POS devices and Virtual Terminal applications make use of strong encryption and secure communication channels in order to connect to the authorisation servers and complete the transactions. Equally, in 2014 we saw the evolution of POS-affecting malware, where some large/global organizations like Target, Home Depot, and UPS were targeted by BlackPOS, FrameworkPOS, and Backoff respectively, ending up in millions of card details being stolen, and millions of customers being affected by identity theft and financial fraud.
Following on from the above, during this presentation, a number of features (provided in POS devices as standard functionality) and the ability to misuse them during a transaction will be demonstrated. But the main focus will be on a Threat Modelling engagement undertaken against Virtual Terminals. More specifically, I will demonstrate the major difference between last year's POS malware targeting Card Holder Data (CHD) and a different approach, which targets the actual money directly. In other words, I will show you how I could have ended up with billions in my account, without having to steal a single card number.

Dr. Grigorios Fragkos, follow: @drgfragkos