Bug Bounties in Payment Systems

Timur Yunusov


  • October 26-27
Speaker Bio:

Timur Yunusov, Head of the research unit. 12 years of experience in practical security assessment and security research, specializing in the security assessment of financial systems: online, core and mobile banking, ATM, POS, card processing. Expert in banking application security and member of the Positive Research and SCADAStrangeLove teams. One of the DEF CON Payment Village organizers.

We interact with payments every day. Yet how many of us actually know how they work? Join us to learn about payments and techniques for spotting vulnerabilities in them.
This is a “payments 101” training course covering vulnerability research in payments and related issues and attacks.

The main goal of this course is to break the status quo of payment insecurity. It helps attendees to:
•  Find vulnerabilities in payment systems while staying within the law
•  Obtain the necessary skills and equipment

Learn from the best in the industry—and leave with your wallet a little lighter.


Day 1
•  History of payments
•  Background
•  Magstripe, chip/EMV, NFC, card not present, mobile wallets
•  POS and ATM
•  Exercises
Card present/card not present (CNP) issues
•  Magstripe attacks and threats
•  EMV and threats
•  NFC attacks and threats
•  CNP/online issues

Day 2
•  What is a “payment system”, and how does it differ from classic targets? Issues and the threat model
•  Setting up “the lab”
•  Typical scope: where, what, and how we search. Where do we find a payment system to analyze?
•  What are the most interesting findings for the owners of bug bounty programs in financial organizations? How do you amplify the impact of your findings?
•  Examples of found and confirmed issues