Designing Robust Defenses for Modern Payment Systems

Credit, debit, and prepaid cards have dominated the payment landscape for decades, empowering the economy. Unfortunately, these legacy systems were not designed for today’s adversarial environment, and deployment of new technologies is slow, expensive, and difficult to adopt. In this talk, I discuss new ways of identifying and protecting against real threats to existing payment systems. First, we will explore the types of skimmers and how they acquire sensitive card data. We will then examine a use case, gas pumps, where skimming remains prevalent and how the tools available to consumers for detecting these devices also fail. After characterizing real skimmers, we use their properties to design the Skim Reaper, the first external skimmer detection system. Finally, successful attacks allow counterfeit cards to be created; I will demonstrate how the most common way to make these cards introduces artifacts that can also be detected. By using attackers’ own technology against them, these attacks can effectively and inexpensively be reduced.