DEF CON 31 - How Vulns in Global Transportation Payment Systems Cost You - Omer Attias

Shared on 2023-09-16
Public transportation payment systems have undergone significant changes over the years. Recently, mobile payment solutions have become increasingly popular, allowing passengers to pay for their fare using their smartphones or other mobile devices.

The evolution of public transportation payment systems has been driven by the need for faster, more convenient, and more secure payment methods, and this trend is likely to continue in the years to come. But how secure are mobile payment solutions for public transportation?

In this presentation, we will examine the security risks associated with transportation applications, using Moovit as a case study. Moovit is a widely used transportation app operating in over 100 countries and 5000+ cities. Through our investigation of the app's API, including SSL-encrypted data, we discovered specific vulnerabilities, which we will discuss. We will also demonstrate a custom user interface that can obtain a "free ticket" and cause someone else to pay. Furthermore, we will explain how an attacker could gain unauthorized access to and exfiltrate Personally Identifiable Information (PII) of registered users. Our findings offer practical recommendations to improve the security of transportation apps.

Comments (14)
  • @wessss
    This was a neat talk. I was hoping that the end UI would have implemented and automated the "cancel and use" that was described earlier so one account would purchase, cancel, and enter, then the same for another account which would purchase, cancel, and exit. So there would be no link between entrance and exit. Also curious how the different MaaS operator codes factored into the tickets.
  • @ZephyrCubic
    A 4-digit 2FA code is kinda ridiculous by any measure lol, that's pathetic and so easily improved. At least go to 6 as a bare minimum! Preferably alphanumeric. I do want to add that it's very impressive that you were able to achieve so much with such a fundamentally simple approach. Great work!
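As an added example (not part of the talk, and not the commenter's text), the point made in the comment above in runnable form: a 4-digit code is only 10,000 guesses, so whether it survives depends entirely on whether the server caps attempts. The `OtpVerifier` below is a hypothetical server-side verifier with an attempt cap, expiry and constant-time comparison; `brute_force` is the attacker loop that enumerates the whole keyspace. The names, the limits and the identifiers are assumptions for illustration and say nothing about how Moovit's own code is implemented.

```python
import hmac
import secrets
import time

# Hypothetical policy values for the example (assumptions, not from the talk).
OTP_LENGTH = 6          # digits; the comment's point is that 4 is too few
MAX_ATTEMPTS = 5        # wrong guesses allowed per issued code
CODE_TTL_SECONDS = 300  # an issued code is only valid for five minutes


class OtpVerifier:
    """Hypothetical server-side verifier for SMS/e-mail style one-time codes.

    One record per identifier (phone number, e-mail, session id) holding the
    issued code, its expiry, and how many wrong guesses have been made.
    `rand` and `clock` are injectable so the behaviour can be tested
    deterministically; production code keeps the defaults.
    """

    def __init__(self, length=OTP_LENGTH, max_attempts=MAX_ATTEMPTS,
                 ttl=CODE_TTL_SECONDS, rand=secrets.randbelow, clock=time.time):
        self.length = length
        self.max_attempts = max_attempts
        self.ttl = ttl
        self.rand = rand
        self.clock = clock
        self._codes = {}  # identifier -> [code, expires_at, wrong_attempts]

    def issue(self, identifier):
        """Generate a zero-padded numeric code and start its attempt counter."""
        code = f"{self.rand(10 ** self.length):0{self.length}d}"
        self._codes[identifier] = [code, self.clock() + self.ttl, 0]
        return code  # in a real system this goes out of band (SMS/e-mail), never to the caller

    def verify(self, identifier, guess):
        """Return True only for the right code, within TTL and the attempt cap."""
        rec = self._codes.get(identifier)
        if rec is None:
            return False
        code, expires_at, attempts = rec
        if self.clock() > expires_at or attempts >= self.max_attempts:
            # Expired or locked: drop the code so the user must request a fresh one.
            del self._codes[identifier]
            return False
        if hmac.compare_digest(code, str(guess)):
            del self._codes[identifier]  # single use
            return True
        rec[2] += 1  # count the miss against this identifier
        return False


def brute_force(verifier, identifier, length):
    """Attacker loop: try every code in order until one is accepted.

    Returns the number of attempts used on success, or None if the verifier
    never accepted a guess (e.g. it locked the code after a few misses).
    """
    for n in range(10 ** length):
        if verifier.verify(identifier, f"{n:0{length}d}"):
            return n + 1
    return None


if __name__ == "__main__":
    # Constructed demo: a 4-digit code with no attempt cap falls to enumeration.
    weak = OtpVerifier(length=4, max_attempts=10 ** 9)
    weak.issue("+15550100")
    print("4-digit, no lockout: cracked after", brute_force(weak, "+15550100", 4), "attempts")

    # The same attack against a 6-digit code locked after MAX_ATTEMPTS misses.
    strong = OtpVerifier()
    strong.issue("+15550100")
    print("6-digit, lockout:", brute_force(strong, "+15550100", 6))
```

The attempt cap, not the length alone, is what stops the loop: without it the 6-digit code would also fall within a million requests. With the cap, the attacker's best case is `MAX_ATTEMPTS / 10**OTP_LENGTH` per issued code, and re-issuing a code resets nothing in their favour because each issue is a fresh random value.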
  • Thanks for the nice talk. Just wondering, did you get authorization from the operator? Or did you just use your own account as the victim account? I think according to the policy of vulnerability research, we cannot attack other real-world accounts, right?
  • @bigbasspic
    The noise gate on audio is disgusting :(
  • @conceptrat
    And Auckland's transportation payments system goes belly up/hacked 3 weeks ago???
  • @yzrippin
    I totally just like to watch cool Defcon talks that are recommended as the best ones each year and pretend like I know what the hell I'm listening to and talking about, but essentially what I gained from this is: if I figured this stuff out and got the right things together with just my cell phone, I should be able to get planes, trains and automobiles tickets all for free and just spoof tickets, everything, and get like Disneyland tickets and shit. You're telling me that if I do this right I can get a ticket for a cruise ship and the drink package for free?
  • They spend so much time trying to prevent black riding. In Berlin they just randomly check people's tickets on the train. Not very often, but sometimes. If you don't have a ticket you have to pay a fine. How much does the ticket cost? That's easy. For most situations, there's a short ticket and a long ticket. The short ticket lets you go 3 stops. The long ticket lets you go anywhere. That's it. They don't calculate based on where you get on and off. In your country they spend millions of dollars on ticket gate systems instead of just paying a few people to go around checking tickets at random.
  • Scripts are good, but without active vulnerabilities, they're useless. 😅 By the way, thank you for the research and the presentation.