
Video Suggestions from the 2020 Black Hat Conference

First published: 05/03/2021

updated: 21/10/2022


Having just gone through the recently released Black Hat Conference videos, we wanted to share some that stood out, particularly when looking at them from a payment and mobile security perspective.

Peeking Into the Hacking World

There are several distinct communities that do security-related research. The one most readers of this blog are used to consists of software vendors and consultants that target PSPs and fintechs, such as Okay. This makes sense, as one of our tasks is to help companies deal with regulatory directives from various government and industry bodies such as EMVCo.

But another group that is often overlooked consists of the more practical security-oriented organizations and independent security researchers. While we in the payment space have yearly conferences (such as Pay360) to talk about the latest updates in our field, it is fascinating to look at the other side: the hackers and independent security researchers.

A good place to look for hacker-oriented news and updates is conferences such as Black Hat. Their latest conference was back in August 2020, but they recently published the event's videos on their YouTube channel. Why wait seven months to release the videos? Because it gives any mentioned companies time to prepare for public discussion of the vulnerabilities in their products.

Social Engineering

Even if your technical implementation is perfect, there is one constant threat: social engineering. Two videos showed examples of this: the first was “How I created my clone using AI-Next-Gen Social Engineering”, which has a practical example of how to build a bot to impersonate yourself (or someone else), including video and voice.

The second was "Repurposing Neural Networks to Generate Synthetic Media for Information Operations", which discusses protection against synthetically generated bots. The danger with this type of bot is its ability to automate attacks on helpdesk services and video-based KYC procedures. Of course, a helpdesk service or KYC procedure is a much simpler target than the general "speak about anything" case.

Malware

Many consumer payments take place on mobile phones, making them a clear target for malicious actors. And as an attacker, having your software running on a target's device is a good first step to attacking the transactions themselves. 

One of the vectors used to infect such devices is Bluetooth. An interesting video on this topic, "BlueRepli", details some old and new attacks. For example, the BlueRepli attack itself steals a phone’s contacts and downloads any received text messages without the target having to take any user action.

Another Android attack that might be of interest is the "TiYunZong" exploit, used to gain root on a device by opening a web page in Chrome. Of course, iOS is not forgotten: this video shows five new ways to get root on iOS devices.

The vast majority of PSPs hopefully use Transport Layer Security (TLS). While TLS is easy to implement, the standard is quite massive, and there are ways to target internal services through a TLS endpoint using Server-Side Request Forgery (SSRF). "When TLS Hacks You" is a good introduction to how to implement this category of attacks.

Security Breaches

Hardware-based secure execution environments are generally considered the most secure environment for storing keys and for performing authentications. The most well-known environment is probably Samsung's KNOX. "Breaking Samsung's Root of Trust: Exploiting Samsung S10 Secure Boot" has a good introduction to KNOX and how its security can be breached through a USB connection.

Further down from KNOX we come to the firmware of the device. Rewriting device firmware has mostly been the domain of state-sponsored groups (feel free to google NSA's IRATEMONK), but rewriting a device's firmware to enable features has become more of a topic lately. "Beyond Root: Custom Firmware for Embedded Mobile Chipsets" is a good example of this. The danger here is that companies see the firmware as secure, leading them to falsely believe that an attacker can't manipulate the chips used for NFC payments. This opens up an entirely new area of vulnerability that PSPs need to be aware of.

Conclusion

These videos are just the tip of the iceberg. For more on topics such as reverse engineering Tesla battery management, detecting fake 4G towers, or exploiting the online version of Excel, take a look here. Has your interest been piqued? We highly recommend checking out the Chaos Computer Club for more information about the hacking world.

Of course, the videos listed above are only a small selection of the Black Hat videos we felt would be a great introduction to relevant practical mobile security topics. To hear more and join in on the conversation pertaining to the world of online transactions and security, feel free to follow us on LinkedIn.
