filmov
tv
Threat Modeling Against Payment Systems - Dr. Grigorios Fragkos
Показать описание
This talk was presented at OWASP London Chapter Meeting on 18-May-2017.
Payment systems are part of our everyday lives, with most of the transactions performed through the use of a Point-of-Interaction (POI) device or a Virtual Terminal. Although payment terminals and virtual terminals make use of strong encryption and a secure communications channel, the Point of Sale (POS) is still a target for cyber-criminals. The malware affecting point-of-sale systems seen in previous years has demonstrated that criminals continually adapt to find ways to target card payment channels and keep the cycle going. This presentation however, attempts to go a step further and asses payment systems from a hypothetical attacker's point of view, by undertaking at threat modeling exercise against payment systems. The purpose of the threat modeling is to provide defenders with a number of scenarios (attack vectors) that it is possible to be used by attackers, while their activity remain unnoticed. One of the most important lessons of this Threat Modeling exercise was the discovery of a potential scenario that could allow cyber-criminals to shift from targeting Card Holder Data (CHD) to targeting the money directly.
Speaker Bio:
Dr. Grigorios Fragkos is the Head of Offensive Cybersecurity for DeepRecce(invinsec). He has a number of publications in the area of Computer Security and Computer Forensics with active research in CyberSecurity and CyberDefence. His R&D background in Information Security, including studies on applied CyberSecurity at MIT, along with his experience in the CyberDefense department of the Greek military, is invaluable when it comes to safeguarding mission critical infrastructures. Written the next generation SIEM as part of his PhD research with “notional understanding” of network event for real-time threat assessment. Grigorios (a.k.a. Greg) has been invited to present in a number of security conferences, workshops and summits over the years, and he is also the main organiser for Security BSides Athens. Thinking ahead and outside-the-box when dealing with information security challenges is one the key characteristics of his talks.
Payment systems are part of our everyday lives, with most of the transactions performed through the use of a Point-of-Interaction (POI) device or a Virtual Terminal. Although payment terminals and virtual terminals make use of strong encryption and a secure communications channel, the Point of Sale (POS) is still a target for cyber-criminals. The malware affecting point-of-sale systems seen in previous years has demonstrated that criminals continually adapt to find ways to target card payment channels and keep the cycle going. This presentation however, attempts to go a step further and asses payment systems from a hypothetical attacker's point of view, by undertaking at threat modeling exercise against payment systems. The purpose of the threat modeling is to provide defenders with a number of scenarios (attack vectors) that it is possible to be used by attackers, while their activity remain unnoticed. One of the most important lessons of this Threat Modeling exercise was the discovery of a potential scenario that could allow cyber-criminals to shift from targeting Card Holder Data (CHD) to targeting the money directly.
Speaker Bio:
Dr. Grigorios Fragkos is the Head of Offensive Cybersecurity for DeepRecce(invinsec). He has a number of publications in the area of Computer Security and Computer Forensics with active research in CyberSecurity and CyberDefence. His R&D background in Information Security, including studies on applied CyberSecurity at MIT, along with his experience in the CyberDefense department of the Greek military, is invaluable when it comes to safeguarding mission critical infrastructures. Written the next generation SIEM as part of his PhD research with “notional understanding” of network event for real-time threat assessment. Grigorios (a.k.a. Greg) has been invited to present in a number of security conferences, workshops and summits over the years, and he is also the main organiser for Security BSides Athens. Thinking ahead and outside-the-box when dealing with information security challenges is one the key characteristics of his talks.
0:47:24
0:12:26
0:06:36
0:37:53
0:14:00
0:03:50
0:03:20
0:42:45
1:01:32
0:42:48
0:19:21
0:23:35
1:07:26
0:47:31
1:48:55
0:00:42
0:51:21
0:50:34
0:02:55
0:51:57
0:40:01
0:53:03
0:56:48
1:12:39