Andrea Barisani (Chief Security Engineer, Inverse Path) & Daniele Bianco (Inverse Path)

Presentation Title Chip & PIN is Definitely Broken: Protocol and Physical Analysis of EMV POS Devices
Presentation Abstract

The EMV global standard for electronic payments is widely used for inter-operation between chip equipped credit/debit cards, Point of Sales devices and ATMs.

Following the trail of the serious vulnerabilities published by Murdoch and Drimer’s team at Cambridge University regarding the usage of stolen cards, we explore the feasibility of skimming and cloning in the context of POS usage.

We will analyze in detail EMV flaws in PIN protection and illustrate skimming prototypes that can be covertly used to harvest credit card information as well as PIN numbers regardless the type/configuration of the card.

Our updated research also explores in depth the design, implementation and effectiveness of tamper proof sensors in modern and widely used POS terminals, illustrating different techniques for bypass and physical compromise.

As usual cool gear and videos are going to be featured in order to maximize the presentation.

About Andrea Barisani

Andrea Barisani is a security researcher and consultant. His professional career began 10 years ago but all really started when a Commodore-64 first arrived in his home when he was 10. Now, 18 years later, Andrea is having fun with large-scale IDS/Firewalls deployment and administration, forensic analysis, vulnerability assessment, penetration testing, security training and his Open Source projects. He eventually found that system and security administration are the only effective way to express his need for paranoia.

Being an active member of the international Open Source and security community he’s maintainer/author of the tenshi, ftester projects as well as the founder and project coordinator of the oCERT effort, the Open Source Computer Emergency Reponse Team.

He has been involved in the Gentoo project, being a member of the Gentoo Security and Infrastructure Teams, and the Open Source Security Testing Methodology Manual, becoming an ISECOM Core Team member. Outside the community he has been a security consultant for Italian firms and he’s now the co-founder and Chief Security Engineer of Inverse Path Ltd. He has been a speaker and trainer at PacSec, CanSecWest, BlackHat and DefCon conferences among many others, speaking about TEMPEST attacks, SatNav hacking, 0-days, LDAP and other pretty things.

About Daniele Bianco

He began his professional career during his early years at university as system administrator and IT consultant for several scientific organizations. His interest for centralized management and software integration in Open Source environments has focused his work on design and development of suitable R&D infrastructure. One of his hobbies has always been playing with hardware and electronic devices.

At the time being he is the resident Hardware Hacker for international consultancy Inverse Path where his research work focuses on embedded systems security, electronic devices protection and tamperproofing techniques. He presented at many IT security events and his works have been quoted by numerous popular media.