Hand in Your Pocket Without You Noticing: Current State of Mobile Wallet Security
Conference: BlackHat USA 2021
2021-11-11
Summary
The speaker discusses vulnerabilities found in various payment systems, including Mastercard, Visa, and Apple Pay, and how they can be exploited.
- Four out of eight Mastercard cards tested were vulnerable to attacks, with two requiring modified terminals
- No Russian Mastercard cards were found to be vulnerable
- Visa cards were vulnerable in all regions tested
- Apple Pay was vulnerable to a carbon mix-up attack
- The speaker was able to steal a zero-pound cryptogram from Apple Pay and reuse it with a modified amount
- The speaker was able to intercept a cryptogram from a Visa card and modify the amount before reusing it
- The speaker was able to exploit vulnerabilities in payment systems by traveling to London Underground terminals and using a Proxmark device
Abstract
Apple Pay, Google Pay, and Samsung Pay are the de-facto payment services for mobile users. Their growth and popularity during COVID-19 have given mobile users the option to pay with ease, often without the need to touch a payment terminal. Mobile wallets are considered by many to be state-of-the-art when it comes to payment security. But in fact, these brands do not protect their customers well enough against malicious actors. They only protect themselves.In our research, we've found inconsistencies in "contactless payments for public transport" schemes that lead to potential fraud using lost or stolen mobile phones. We successfully defrauded victims using stores located around the planet without the phone ever leaving the victim's pocket. This talk will delve into the fascinating world of contactless payments on mobile wallets and the background of its infrastructure and liability rules.
Materials:
Tags: