11/20/2019
12:00 PM
Alex Wawro, Special to Dark Reading
News

Black Hat Europe Q&A: Exposing the Weaknesses in Contactless Payments

Researchers Leigh-Anne Galloway and Tim Yunusov chat about their work testing the security of Visa's contactless payment system and the vulnerabilities they found.

Countless financial transactions are conducted every day by customers using contactless payment systems, and next month two security researchers from Positive Technologies will show Black Hat Europe attendees how vulnerable those transactions are to bad actors.

In their Black Hat Europe Briefing, "First Contact - Vulnerabilities in Contactless Payments," researchers Leigh-Anne Galloway and Tim Yunusov will show how they successfully bypassed (among other things) Visa's £30 limit on contactless payments made via physical card in the United Kingdom. They'll also demonstrate a few critical weak points in contactless payments, including flaws in key generation values and unpredictable numbers.

I recently chatted with the pair about their work, what they’ve learned, and why it’s so important.

Alex: What do you hope to accomplish by giving this talk at Black Hat Europe?

Leigh-Anne: There are probably two outcomes that we'd like. The first is that payment security is a very under-subscribed area, so by talking at a venue like Black Hat, we're hoping to interest other researchers in payments. There are incredibly high barriers, or at least it seems that way from the outside. But we want to show people that it is possible to work in this area.

Secondly, one thing we noticed is that even though we have this big growth in the financial sector, over the last year we've seen all these digital-only "neo-banks" spring up, and at the same time payments are being monopolized at the highest level. If you look under the surface of these new digital banks, a lot of them sit on the infrastructure of existing financial institutions, like other brick-and-mortar banks. And if you go higher up the levels of the payment infrastructure, it becomes more and more like a monopoly.

So when you don't have much competition, you stagnate in terms of standards. That means that people like Visa and MasterCard can dictate how they want to work and how they want to operate in the marketplace, and no one else regulates them, because they are the regulators of everyone else.

Alex: A Visa rep was quoted in a Forbes article responding to your research by suggesting it wasn’t a threat worth addressing. How do you feel about that response?

Leigh-Anne: Visa and MasterCard have slightly different stances on how they approach things; it is rather infuriating, and I would imagine that some of the banks feel a bit similar, because it's them saying "we can't be bothered to do anything about that," whereas if you reported a security issue to a big corporation like Google, even if the issue wasn't so significant, they'd probably resolve it rather than saying "we don't want to do anything about it, go on your way."

For example, there isn't a formalized set of processes in the payment sector to deal with these things in the way that we see in bug bounty programs elsewhere, where you would formalize a process for how to categorize the risk of security issues, and how to resolve them.

But their stance is actually ... in a lot of cases Visa says, based on their own data (though they don't provide any clarity on what that data is) they say, "based on our own data, we don't see applications of this attack in the wild, and therefore we're not going to do anything about it."

When we look at this idea [banks promote] that contactless payment systems have resulted in fraud reduction, you find really different views. Visa just published a statement, at the same time that we released information about our research, to say that they had a 40% reduction in fraud in contactless payments over the last two years. But if you look at the footnote, it says the source is just "Visa data" and there's no explanation of the actual source.

If we look at data in the UK, if we look at the actionable data collected by the police, which is probably going to be on the conservative side because a lot of fraud doesn't get reported to police, there are some significant losses. So it's really hard to know what's going on. 

Alex: What are you hoping Black Hat Europe attendees will get out of your talk?

Leigh-Anne: In plain language, I always try to think of payments as something everyone interacts with every day, but yet we have very little knowledge about how they work. So with the work that we do, and the presentation we're giving, we're hoping to remove some of that mystery and encourage people to get involved in this area, because it is massively undersubscribed, and there is a lot of work to be done.

Alex: Do you think more financial institutions should be implementing bug bounty programs, the way many tech companies do?

Leigh-Anne: I think it could be helpful. I think there's a different view among some of those newer banks, the neobanks, where we're finding some of them have adopted a bug bounty approach. But most of them don't have any sort of formal framework. And if you look at the larger institutions, like HSBC, if you want to report a security issue to them, it's almost impossible to work out how to do that.

I remember actually contacting customer services on chat and they said, "Oh you can just tell us, and we'll pass along the information," which isn't the appropriate way to share that information. But these are some of the challenges that we face. So I think it would probably accelerate a security standard. I mean of course the financial industry is pretty heavily regulated, but those standards don't necessarily correlate strongly with security, as we know. You can be fully compliant and still be breached.

Learn more about Leigh-Anne and Tim's Briefing (as well as lots of other cutting-edge content) in the Briefings schedule for Black Hat Europe, which returns to ExCeL London December 2-5, 2019.

For more information on what’s happening at the event and how to register, check out the Black Hat website.
