lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Tue, 07 Feb 2012 17:56:39 +0100
From: "research@...nerability-lab.com" <research@...nerability-lab.com>
To: full-disclosure@...ts.grok.org.uk
Subject: HITB2011KUL - Chip & PIN - Protocol Analysis EMV
	POS

Title:
======
HITB2011KUL - Chip & PIN - Protocol Analysis EMV POS


Date:
=====
2012-01-26


References:
===========
Download:	http://www.vulnerability-lab.com/resources/videos/399.wmv
View: 		http://www.youtube.com/watch?v=5zFlqMFWYhc



VL-ID:
=====
399


Status:
========
Published


Exploitation-Technique:
=======================
Conference


Severity:
=========
Medium


Details:
========
The EMV global standard for electronic payments is widely used for inter-operation between chip equipped 
credit/debit cards, Point of Sales devices and ATMs.

Following the trail of the serious vulnerabilities published by Murdoch and Drimer’s team at Cambridge 
University regarding the usage of stolen cards, we explore the feasibility of skimming and cloning in the 
context of POS usage.

We will analyze in detail EMV flaws in PIN protection and illustrate skimming prototypes that can be covertly 
used to harvest credit card information as well as PIN numbers regardless the type/configuration of the card.

Our updated research also explores in depth the design, implementation and effectiveness of tamper proof 
sensors in modern and widely used POS terminals, illustrating different techniques for bypass and physical 
compromise. As usual cool gear and videos are going to be featured in order to maximize the presentation.


Credits:
========
Andrea Barisani
Andrea Barisani is a security researcher and consultant. His professional career began 10 years ago but all really started 
when a Commodore-64 first arrived in his home when he was 10. Now, 18 years later, Andrea is having fun with large-scale 
IDS/Firewalls deployment and administration, forensic analysis, vulnerability assessment, penetration testing, security 
training and his Open Source projects. He eventually found that system and security administration are the only effective 
way to express his need for paranoia.

Being an active member of the international Open Source and security community he’s maintainer/author of the tenshi, ftester 
projects as well as the founder and project coordinator of the oCERT effort, the Open Source Computer Emergency Reponse Team.

He has been involved in the Gentoo project, being a member of the Gentoo Security and Infrastructure Teams, and the Open 
Source Security Testing Methodology Manual, becoming an ISECOM Core Team member. Outside the community he has been a 
security consultant for Italian firms and he’s now the co-founder and Chief Security Engineer of Inverse Path Ltd. He has 
been a speaker and trainer at PacSec, CanSecWest, BlackHat and DefCon conferences among many others, speaking about TEMPEST 
attacks, SatNav hacking, 0-days, LDAP and other pretty things.



Daniele Bianco
He began his professional career during his early years at university as system administrator and IT consultant for several 
scientific organizations. His interest for centralized management and software integration in Open Source environments has 
focused his work on design and development of suitable R&D infrastructure. One of his hobbies has always been playing with 
hardware and electronic devices.

At the time being he is the resident Hardware Hacker for international consultancy Inverse Path where his research work 
focuses on embedded systems security, electronic devices protection and tamperproofing techniques. He presented at many IT 
security events and his works have been quoted by numerous popular media.


Disclaimer:
===========
The information provided in this video is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties, 
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business 
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some 
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation 
may not apply. Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability-
Lab. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of 
other media, are reserved by Vulnerability-Lab or its suppliers.

    						Copyright © 2012|Vulnerability-Lab




-- 
Website: www.vulnerability-lab.com ; vuln-lab.com or vuln-db.com
Contact: admin@...nerability-lab.com or support@...nerability-lab.com


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ