Amsterdam – March 20th 2017: “Cash is king” – this statement might become obsolete as we progress to an increasingly cashless future. However, the risk of money getting stolen remains very real, regardless of whether physical money or a digital wallet is being used. Petty thieves are now replaced with criminal hackers; methods and sophistication have changed but the motivation remains the same – to profit from stealing your money and/ or financial data.
A fast growing number of people is paying contactless via app’s on their mobile device, such as Google Wallet or Apple Pay. Near Field Communication (NFC) technology set the standard for these services and the introduction of Host Card Emulation (HCE) has provided another set of software architecture that has enabled organizations to implement contactless payment systems, making use of existing hardware in the mobile devices. How much do we know about the risks that are associated with HCE?
On April 13th, at the 8th annual HITB Security Conference in Amsterdam, Slawomir Jasek from SecuRing will be presenting his research in this area entitled “Can’t Touch This: Cloning Any Android HCE Contactless Card”. His talk discusses core HCE technology and how it can be compromised with mobile malware. He will also cover several possible attacks against HCE including a universal method of cloning any Android contactless payment (including Google’s own Android Pay) to a different device. The intention with all research presented at HITB, is to create awareness of the risks associated with the underlying technology in order to formulate risk mitigating actions.
While digital pickpocketing focuses on end-user devices, the holy grail for criminal hackers remains the digital equivalent of a bank robbery: the hacking of the bank itself, by intruding and abusing the back-end systems used for financial transactions. It may come to a surprise to many that a significant volume of the world’s business critical processes is still powered by Mainframes – large clusters of servers colloquially known as ‘big iron’. The Customer Information Control System or CICS developed by IBM, is the most widely deployed transaction system in the world with more than 20 billion transactions a day relying on its services.
According to Ayoub Elaasasal, a penetration tester from Wavestone, for every person who withdraws money, there is a fair chance that multiple CICS applications are involved somewhere along the request chain. His presentation at the conference on “Breaking the Fourth Wall: Hacking Customer Information Control System” will open the audience’s eyes to how a CICS can be compromised and how to identify such vulnerabilities during pentesting such systems.
The full event agenda is available here. For further details regarding media participation please contact our media team. Ongoing announcements regarding the event will also be posted online and tweeted via @HITBSecConf and @HITBMedia on Twitter.
NOTE TO EDITORS
Visiting the Hack In The Box Conference as press can be done by sending a request for a Media Pass to email@example.com. Specific requests for interviews with speakers can also be sent to this address.
HITB Security Conference or HITBSecConf is a community-backed, not-for-profit series of security conferences held annually in various locations in Asia and Amsterdam, The Netherlands. The annual series has also previously been held in the Middle East and Asia with conferences in Kuala Lumpur, Bahrain and Dubai. The main aim of HITBSecConf is to enable the dissemination, discussion and sharing of deep knowledge network security information with a focus on groundbreaking attack and defense methods. HITBSecConf is endorsed by various government and professional associations.
PR Contact (International)
Mei Ling Foo
HITB Core Crew – Media Coordination
Tel: +603-26157299 (0900 – 1800 MYT)
PR Contact (Netherlands)
Tel: +31 6 818 799 04