
Mining and Exploiting (Mobile) Payment Credential Leaks in the Wild

Over the past decade, an increasing number of mobile apps have integrated the third-party payment function from service providers or so-called Cashiers. Thus, end-users can perform the payment within the smartphone through these Cashiers readily. To secure their services, the Cashiers define various payment credentials, e.g., PKCS#12 certificates, and share them with mobile apps for authentication and authorization operations, such as refund. Despite the security-critical nature of these payment credentials, the existing works focus on the specific credential leaks from known sources, e.g., Android APKs or GitHub. In contrast, little effort has been spent to study the prevalence of payment credential leaks in the wild and their security impacts.

In this talk, we begin by giving the background of the mobile payment service from four first-tier Cashiers that serve over 1 billion users globally. After that, we introduce the potential leaking sources of the payment credentials, including the new ones that have not been investigated on a large scale before....

By: Wing Cheong Lau, Shangcheng Shi & Xianbo Wang

Full Abstract & Presentation Materials: https://www.blackhat.com/asia-21/briefings/schedule#mining-and-exploiting-mobile-payment-credential-leaks-in-the-wild-22257

4 December 2023
