May 23–26, 2024, Moscow, Luzhniki sports complex


Payment Village: the ins and outs of banking system security at PHDays 10

This year, Positive Hack Days will again be holding several events based on the Payment Village. It will be more than just a competition. Participants will first get an overview of the theory, and then they’ll apply what they learn to try to hack ATMs, cash registers, and POS terminals.

We use bank cards, POS terminals, and ATMs every day, but we know little about their structure or the different security aspects of the payment process. The primary aim of the Payment Village platform is to change this situation and make knowledge about the payment industry more readily accessible to enthusiasts, such as users, analysts, and bounty hunters.

Payment Village will bring together people who are interested in the vulnerabilities in banking and payment systems, and who enjoy tinkering around in the inner workings of ATMs, self-checkout, and POS terminals. You’ll learn about how intruders crack these systems and how the payment industry is protecting them.

We will also be holding contests to find and reward the most curious conference participants.

Payment Village is sponsored by iSimpleLab, Azbuka Vkusa, and ARinteg.

The topics of this year's talks are:

  • Physical and logical security of POS terminals
  • Vulnerabilities in retail and payment processes
  • Logical vulnerabilities in RBS systems

«The iSimpleBank 2.0 RBS platform is used to build digital channels by leading Russian businesses, so it goes without saying that our customers retain security of the utmost importance when working with our platform. iSimpleLab has recently completed several initiatives related to procedural and administration security. We performed an analysis of vulnerabilities for our iSimpleBank 2.0 RBS platform based on the requirements for an evaluation assurance level of at least EAL 4 under GOST R ISO/IEC 15408-3-2013, and we did a real-world field trial of products at events with Positive Technologies. This challenge is interesting for us because it offers a real-life scenario for checking and confirming the readiness of the iSimpleBank 2.0 platform to combat actual cyberthreats,» said Aleksey Kolesnikov, sales director at iSimpleLab.

This year’s challenges include:

  • Hack an RBS system
  • Hack POS terminals
  • Hack ATM security systems
  • Hack payment equipment

«It so happens that payment equipment was long hard to access for research into both online and offline vulnerabilities,» said Dmitriy Kuzevanov, head of the Information Security Department of the Azbuka Vkusa retail chain. «But recently, the situation has changed drastically. Cash registers are increasingly becoming integrated with numerous external and internal services, including loyalty programs, ERP, and the federal tax service. In addition, cash registers are acquiring peripheral equipment, including NFC, card readers, and UPC- and QR-code readers, which connect through Bluetooth or Wi-Fi. All of this opens up many attack vectors for points of sale. In the Payment Village, attendees will be able to materialize them and learn more about the risks and consequences.»

If you can’t join us at the event venue, we’ve prepared a little surprise for you—an ATM protection simulation you can access online to check vulnerabilities. We’ll share more information about this during the conference.

We’re giving away tickets to the conference and Payment Village to a couple of lucky Hacker readers and enthusiasts of bank card technologies. To enter to win, just answer the questions in our survey. The two people who submit the most interesting responses will receive their tickets one week before the conference.

If you’d like to give a talk on vulnerabilities in payment, banking, and retail systems at the Payment Village, email us at