Thursday, November 21 • 10:00am - 10:50am
PiOSoned POS - A Case Study in iOS based Mobile Point-of-Sale gone wrong


Video of session:
https://www.youtube.com/watch?v=CAtc7Z1VD2I&list=PLpr-xdpM8wG8ODR2zWs06JkMmlRiLyBXU&index=18


Mobile Point of Sale (POS) systems are becoming more and more common in a wide variety of retail outlets. And why not? They add speed and convenience to shopping and can increase a retailer's ability to sell. But POS and mobile are hard to get right and secure. What happens when you try to combine the two on trendy iOS devices and rush your solution out the door?
Based on multiple mobile tests conducted by Trustwave SpiderLabs' application security team, Mike Park will walk through typical mobile POS apps for iOS and show how and why they can be attacked, often with no sign that an attack is going on.
Mike will cover the technological shortcomings, coding mistakes and common misunderstandings of the underlying platform that almost always occur and result in an insecure application. This will include some hardware card reader devices that default to providing almost no security.
Outline

1. Introduction
2. Why Mobile POS?
3. Why iOS?
4. The Problem
    Poorly written apps
    Speed of jailbreaking
    Ability to hide the jailbreak
    The Card Reader
5. A walk through of the PiOSon POS demo app
    What the app does
    How the app reads CHD
    How the app processes and sends the data to the backend
    How typical is this
6. Hacking the POS - Demo
    Jailbreak
    Intro to Method Swizzling
    Setting up the device
    Adding the reader
    Installing the malware
    Capture the Track data
7. How to improve this
    Understand the underlying platform
    Understand the way your card reader works
    Why is this so insecure?
    View a safer version of the app – AntidOte POS
8. What to do
    Coding best practices
    Choosing a card reader
    Outside the device – MDM?
9. Conclusion

Speakers
Mike Park

Managing Consultant, Trustwave SpiderLabs
Mike Park is a Managing Consultant at Trustwave. He is a member of Trustwave's SpiderLabs, the advanced security team focused on penetration testing, incident response, and application security. He has over 12 years' experience building and securing software for a variety of companies. Mike is a CISSP and specializes in application security assessment, penetration testing, reverse engineering and secure development life cycle. Mike is an...


Thursday November 21, 2013 10:00am - 10:50am
Salon 3 (5th Floor Ballroom) NY Marriott Marquis