Overview
Explore groundbreaking security research on NFC payment readers in a 40-minute conference talk from DEF CON 31 that reveals critical code execution vulnerabilities affecting major ATM brands, point-of-sale systems, and payment terminals worldwide. Learn about the technical details of exploitable flaws discovered in application protocol data units (APDU) across multiple vendors including IDtech, Ingenico, Verifone, CPI, BBPOS, Wiseasy, and Nexgo. Witness live demonstrations showing how payment readers can be compromised using a custom Android app through simple NFC tapping, and understand the financial implications of firmware exploitation including card data theft. Dive into advanced attack scenarios involving USB-connected host compromise through SDK vulnerabilities and potential ATM jackpotting methods leveraging IDtech readers. Gain insights from years of ATM security testing experience and learn about the technical feasibility of various attack vectors targeting payment infrastructure.
Syllabus
DEF CON 31 - Contactless Overflow Code Execution in Payment Terminals & ATMs - Josep Rodriguez
Taught by
DEFCONConference