DEF CON 31 - How Vulns in Global Transportation Payment Systems Cost You - Omer Attias

DEFCONConference

8 months ago

Public transportation payment systems have undergone significant changes over the years. Recently, mobile payment solutions have become increasingly popular, allowing passengers to pay for their fare using their smartphones or other mobile devices.
The evolution of public transportation payment systems has been driven by the need for faster, more convenient, and more secure payment methods, and this trend is likely to continue in the years to come. But how secure are mobile payment solutions for public transportation?
In this presentation, we will examine the security risks associated with transportation applications, using Moovit as a case study. Moovit is a widely used transportation app operating in over 100 countries and 5000+ cities. Through our investigation of the app's API, including SSL-encrypted data, we discovered specific vulnerabilities, which we will discuss. We will also demonstrate a custom user interface that can obtain a "free ticket" and cause someone else to pay. Furthermore, we will explain how an attacker could gain unauthorized access to and exfiltrate Personally Identifiable Information (PII) of registered users. Our findings offer practical recommendations to improve the security of transportation apps.

COMMENTS: 35
@wessss 7 months ago
This was a neat talk. I was hoping that the end UI would have implemented and automated the "cancel and use" that was described earlier so one account would purchase, cancel, and enter, then the same for another account which would purchase, cancel, and exit. So there would be no link between entrance and exit. Also curious how the different MaaS operator codes factored into the tickets.
@erkinalp 7 months ago
I am sure they already thought of that.
@bigbasspic 7 months ago
The noise gate on audio is disgusting :(
@ZephyrCubic 7 months ago
A 4-digit 2FA code is kinda ridiculous by any measure lol, that's pathetic and so easily improved. At least go to 6 as a bare minimum, preferably alphanumeric! I do want to add that it's very impressive that you were able to achieve so much with such a fundamentally simple approach. Great work!
@JeanQPublique 7 months ago
Wouldn't it just make more sense to cancel the login / password reset attempt after the first OTP entry error?
@thewhitefalcon8539 7 months ago
@JeanQPublique They can try again.
@JeanQPublique 7 months ago
@thewhitefalcon8539 Would you design an OTP verification system that allowed infinite retries? No. If the OTP is entered wrong too many times, or if the OTP process is requested too frequently, you would lock the account.
@dazeller82 7 months ago
4-digit is weak, no question. Not having a rate limit on the endpoint that verifies the 2FA code is just plain stupid.
@carnivorebear6582 7 months ago
@thewhitefalcon8539 Yeah, but there's a big difference between having a 0.01% chance of getting it right each try and having a 100% chance of getting it right in 10000 tries.
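The sub-thread above weighs a short OTP against a verifier that limits attempts and resend frequency. As an added illustration (not code from the talk, from Moovit, or from any commenter), here is a small Python OTP service that enforces a guess limit, single use, expiry and resend throttling, plus a helper showing that an exhaustive walk of the code space fails once lockout is in place. The `OtpService` API, the account name and the numeric limits are assumptions made for this example.

```python
import secrets
import time

OTP_DIGITS = 6            # assumed policy: 6 digits rather than the 4 discussed above
MAX_ATTEMPTS = 5          # wrong guesses allowed before the code is invalidated
OTP_TTL_SECONDS = 300     # lifetime of an issued code
MIN_RESEND_SECONDS = 60   # throttle on requesting a fresh code


def guess_budget(digits, max_attempts):
    """Fraction of the code space an attacker can cover before lockout."""
    return max_attempts / 10 ** digits


class OtpService:
    """Illustrative server-side OTP store keyed by account (constructed example)."""

    def __init__(self, digits=OTP_DIGITS, clock=time.monotonic):
        self.digits = digits
        self.clock = clock          # injectable so tests can control time
        self.state = {}             # account -> {"code", "issued", "expires", "attempts"}

    def issue(self, account):
        now = self.clock()
        prev = self.state.get(account)
        if prev and now - prev["issued"] < MIN_RESEND_SECONDS:
            return None             # throttled: refuse to mint codes too often
        code = f"{secrets.randbelow(10 ** self.digits):0{self.digits}d}"
        self.state[account] = {"code": code, "issued": now,
                               "expires": now + OTP_TTL_SECONDS, "attempts": 0}
        return code

    def verify(self, account, candidate):
        entry = self.state.get(account)
        if entry is None or self.clock() > entry["expires"]:
            self.state.pop(account, None)
            return False
        if not secrets.compare_digest(entry["code"], str(candidate)):
            entry["attempts"] += 1
            if entry["attempts"] >= MAX_ATTEMPTS:
                del self.state[account]   # lockout: a new code must be requested
            return False
        del self.state[account]           # single use
        return True


def exhaustive_guess(service, account):
    """Walk the whole code space against verify(); lockout stops it early."""
    for n in range(10 ** service.digits):
        if service.verify(account, f"{n:0{service.digits}d}"):
            return True
    return False
```

`guess_budget(4, 5)` is 0.0005 and `guess_budget(6, 5)` is 0.000005, which is the difference the commenters are pointing at once a lockout exists.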
@TheSaGiV13 7 months ago
Great talk!
@martinzhang783 1 month ago
Thanks for the nice talk. Just wondering, did you get authorization from the operator, or did you just use your own one as the victim account? I think according to the policy of vulnerability research, we cannot attack other real-world accounts, right?
@conceptrat 7 months ago
And Auckland's transportation payments system goes belly up/hacked 3 weeks ago???
@yzrippin 6 months ago
I totally just like to watch cool Defcon talks that are recommended as the best ones each year, and pretend like I know what the hell I'm listening to and talking about. But essentially what I gained from this is: if I figured this stuff out and got the right things together with just my cell phone, I should be able to get planes and trains and automobiles tickets all for free, and just spoof tickets, everything, and get like Disneyland tickets and shit. You're telling me that if I do this right I can get a ticket for a cruise ship and the drink package for free?
@thewhitefalcon8539 7 months ago
They spend so much time trying to prevent black riding. In Berlin they just randomly check people's tickets on the train. Not very often, but sometimes. If you don't have a ticket you have to pay a fine. How much does the ticket cost? That's easy. For most situations, there's a short ticket and a long ticket. The short ticket lets you go 3 stops. The long ticket lets you go anywhere. That's it. They don't calculate based on where you get on and off. In your country they spend millions of dollars on ticket gate systems instead of just paying a few people to go around checking tickets at random.
@DedmenMiller 7 months ago
That is assuming it's only about making people pay. But with the ticket gate system, you know exactly who is going where and when. That might be worth the extra cost. And it also massively increases the hurdle of not paying: instead of simply not paying and hoping no one checks the ticket (which is rare), you have to jump over a gate, which beeps at you, in front of other people, while being recorded by security cameras. That is quite an effective deterrent. Also remember, people are expensive (if you pay them properly); all the gates for one station probably cost about as much as one or two people for a month, but the gates will work for years.
@thewhitefalcon8539 7 months ago
@DedmenMiller They can already measure passenger numbers by counting people or the weight of the train. That's not worth the expense of the ticket machines either. The problem with people not paying is that they don't pay, right? You don't have a seething hatred for them, you just want them to pay. So it's fine if one gets away with it occasionally. I accidentally rode with an invalid ticket for a couple of weeks once because I misread the expiry date, and I was lucky not to get caught. But if I did get caught, I'd have to pay 60 euros, and fair enough. The fine is quite low IMO; it could reasonably be 200 euros. But you see, that's where I'm wrong. Because all of American right-wing politics is about seething hatred for criminals and other people who are considered lesser. It's not about collecting ticket revenue to Americans, it's about punishing people who don't pay.
@tin2001 7 months ago
@DedmenMiller I think you dramatically underestimate how much ticket gates are worth. They have moving parts that are actuated up to about 30 times per minute, and at some stations do that for about 10 hours per day. They have to withstand angry customers, vandals, etc., and still be safe for idiot members of the public to interact with. So there's loads of stainless steel, big motors, oversize gears, and dozens of sensors. Even the plastic parts are thick. All that ends up costing extra money. And then they're also low-volume sales, so that boosts the prices. Then they're also mainly bought by government, so boost the price again. A set of 4 gates could be as much as the wages for a ticket inspector for a whole year. A larger station with 20 gates could potentially pay for 5+ inspectors. And then when you consider that the companies making these systems usually fool the operators into accepting long contracts in exchange for free hardware, in return for a teeny tiny slice of each ticket sale, you realise that the ongoing costs of these systems are far greater than human inspectors would be anyway, and still come out of the annual budget.
@RandomUser2401 7 months ago
@DedmenMiller Wow, you couldn't be more off. First, the cost of those gates for each and every station is insane. You could pay a _lot_ of people to do the random checking. In addition, those gates are a huge pain in the butt, as you cannot just run to the platform to catch a train, and still many people jump them. Then, getting caught might be rare, but the fine is hefty enough that few take the risk. Worse, on repeated offenses the fine goes up and you can actually get jailed for it. Finally: want to know who's moving from where to where? Just _ask_ the riders during those random checks. It serves exactly the same purpose without infringing everyone's privacy by essentially creating a full digital, personalized mobility profile.
@marcellkovacs5452 7 months ago
I've never had my ticket checked in Berlin. Technically it would've been much cheaper for me to never buy a ticket and risk the potential fine.
@mog068 7 months ago
Codered redux, almost
@nomad_wizard6865 7 months ago
Scripts are good, but without active vulnerabilities, they're useless. 😅 By the way, thank you for the research and the presentation.
@ZephyrCubic 7 months ago
I think you've completely missed the point. DEFCON is about preventing cyberattacks not encouraging their use en masse.
@thewhitefalcon8539 7 months ago
@ZephyrCubic Officially.
@25_26 7 months ago
@ZephyrCubic Yeah, that's why it is being funded and supported widely. A blackhat 0-day researcher never exposes his/her identity or reveals his/her work to the public. They just keep the vulnerabilities and the exploits to themselves and never ever sell them unless they are totally done with it.
@bmbiz 6 months ago
wooosh
@JeremySpidle 7 months ago
"The IDF rides for free," pretty well sums it up. #BDS
@ryshellso526 7 months ago
Tel aviv...