Hi, everyone. My name is Timur Yunusov. I'm part of the Payment Village organizers, and my talk today will be about what happens when businesses decide to enroll cryptocurrency cards. So this is an overview of modern cryptocurrency card security, and it's in addition to the white paper that we published as well on paymentvillage.org, so go there and look at the white paper if you're looking for technical details. This is just a 20-minute overview.

So payment cards have a long history. Different forms of payments like card-not-present or magstripe are definitely the oldest ones, and we have a video from last year's Payment Village chapter on how ancient forms of payments work, so go there, check these videos. There are some lab tasks. And nowadays we have chip and contactless payments, the most modern forms of them, and my talk today is an overview of insecurities of these forms of payments related to cryptocurrency cards.

But for the beginning, let's look at the differences between high-street banks and crypto startups. So a high-street bank is a big organization: thousands of staff, highly regulated, and normally having all infrastructure in house, also because of regulation. Then fintech companies are slightly smaller, like up to a hundred people, and because they are fintech they really like to have some sort of hybrid infrastructure, store a lot of things in the cloud. They may not even have a banking license at the beginning. And finally, crypto startups are the smallest ones here. So they all have like up to 10 people of staff, and normally a crypto startup is essentially a mobile app which delivers the original service, just to do payments, currency exchange and so on and so on. They probably will be cloud based, don't even have premises. Yeah, and they would like to buy additional services as a service, and they just simply don't have enough resources to build everything from scratch. They don't have people.
They don't have money. And this is why they probably will not make card payments by themselves from scratch. So not only do they not have resources for creating their own payments, you also cannot just simply invent your own card scheme that will start to be widely adopted next year. Yeah, so instead of that, they all will have to choose, like Visa or Mastercard, Burger King or McDonald's, and once they've chosen, they need to go and find the service provider that will work as a white label and provide all the card transactions and enrolling the cards and all other features.

So the rules of the game have been completely changed in the last decade. You now can enroll a new card for as little as four pounds, and you can create virtual cards immediately using these white-label companies, for example like Wirecard or Stripe, that will do everything for you. All you need to come up with is like a mobile application as a front for the customer and some business model. Yeah, and the problem is Wirecard, that in 2020 went into administration because of money laundering. However, there are still a lot of competitors, and this market is extremely hot, and that approach really works. This is why we now have so many cryptocurrency cards on the market. These were announced just in July. Their customers spent more than one billion dollars in the first half of 2021 just on cards linked to cryptocurrency startups.

I myself opened like dozens of these cards in the last one or two years, trying to find the answer to a very simple question: can vulnerabilities and flaws that are 50 years old actually affect modern cryptocurrency cards? So what I've done: I took ten cryptocurrency cards and started looking at common insecurities of these cards, different fraud possibilities.
Everyone is familiar with some of these issues; they are like 50 years old. And as the outcome of that, we created a checklist of must-have security features and checks for businesses who really decide to enroll these cards. So, as I said, the white paper is available on the paymentvillage.org website, and today I will just briefly skim through some of these checks. All issues and all security checks will be grouped by the form of payment, and we will start with card-not-present.

So card-not-present is a form of payment when you only need digits from your card, so the merchant actually doesn't have physical access to your card, and this is basically why it's called card-not-present. So card-not-present has only a few security features. To make a successful card-not-present payment you need the card number (16 digits), the expiry date (four digits) and the card security code, CVV or CVC, which is only 999 possibilities. Not very secure, right? This is why a while ago hackers started brute-forcing card numbers, security codes, expiry dates, and they still do this. It's a quite common attack called distributed guessing attack or BIN master attack, and this was also why cards now have an additional security feature that is called 3-D Secure.
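The distributed guessing attack above is visible to the issuer or processor even when each merchant sees only one or two attempts, because every miss lands on the same PAN. Here is an added example of a per-PAN velocity check over constructed authorization records; it is my illustration for this page, not code from the talk or the Payment Village white paper. The record layout, the ten-minute window and the threshold of three tolerated CVV/expiry mismatches are assumptions.

```python
"""Issuer-side detection of distributed guessing (CVV / expiry brute force).

Added example, not from the talk or the white paper. The log layout,
window and thresholds are hypothetical.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed authorization records: (timestamp, PAN, merchant id, outcome).
# A real processor sees many more fields; only what the check needs is kept.
SAMPLE_AUTHS = [
    ("2021-07-01T10:00:01", "4111111111111111", "M-001", "cvv_mismatch"),
    ("2021-07-01T10:00:05", "4111111111111111", "M-002", "cvv_mismatch"),
    ("2021-07-01T10:00:09", "4111111111111111", "M-003", "expiry_mismatch"),
    ("2021-07-01T10:00:14", "4111111111111111", "M-004", "cvv_mismatch"),
    ("2021-07-01T10:00:20", "4111111111111111", "M-005", "cvv_mismatch"),
    ("2021-07-01T10:00:25", "4111111111111111", "M-006", "approved"),   # the guess that landed
    ("2021-07-01T10:03:00", "5555444433331111", "M-001", "cvv_mismatch"),  # a single typo
    ("2021-07-01T11:30:00", "5555444433331111", "M-001", "approved"),
]

WINDOW = timedelta(minutes=10)   # hypothetical sliding window
MAX_MISMATCHES = 3               # wrong CVV/expiry attempts tolerated per window
MISMATCH_REASONS = {"cvv_mismatch", "expiry_mismatch"}


class GuessingDetector:
    """Velocity check on CVV/expiry mismatches, keyed by PAN across all merchants.

    Per-merchant retry limits miss a guess that is spread over many merchants;
    the issuer is the one party that sees all attempts for one card.
    """

    def __init__(self, window=WINDOW, max_mismatches=MAX_MISMATCHES):
        self.window = window
        self.max_mismatches = max_mismatches
        self.history = defaultdict(deque)   # PAN -> deque of (timestamp, merchant)
        self.blocked = set()

    def distinct_merchants(self, pan):
        """How many merchants the recent mismatches came from (analyst context)."""
        return len({m for _, m in self.history[pan]})

    def process(self, ts_str, pan, merchant, outcome):
        """Return the action for one authorization attempt."""
        ts = datetime.fromisoformat(ts_str)
        if pan in self.blocked:
            # Once blocked, refuse even a correct guess until the card is reissued/unblocked.
            return "decline:blocked"
        if outcome in MISMATCH_REASONS:
            q = self.history[pan]
            q.append((ts, merchant))
            while q and ts - q[0][0] > self.window:   # drop attempts outside the window
                q.popleft()
            if len(q) > self.max_mismatches:
                self.blocked.add(pan)
                return "decline:guessing_detected"
            return "decline:mismatch"
        return "approve"


def run(records):
    """Replay a list of records through a fresh detector and return the actions."""
    det = GuessingDetector()
    return [det.process(*r) for r in records]


if __name__ == "__main__":
    for rec, action in zip(SAMPLE_AUTHS, run(SAMPLE_AUTHS)):
        print(rec[0], rec[1][-4:], rec[2], rec[3], "->", action)
```

The point of the check is the key: it is the PAN, not the merchant, so the sixth attempt (the correct guess) is refused because the card was already blocked by the fourth miss. Enforcing 3-D Secure on the card does not replace this, since the talk notes that some merchants still process without it.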
So 3-D Secure is a code that will be sent to your mobile device to confirm that you authorize the payment. So from the 10 cryptocurrency cards that we checked, only two of them allowed brute-forcing of card security codes, which is still more than we expected. Also, two mobile apps really allowed stealing card details due to different vulnerabilities in the mobile app. It's quite strange, because, as I said, a crypto startup is essentially a mobile app. Yeah, so you should put a lot of emphasis on the AppSec field. And all of these cards had the 3-D Secure feature, just because all the cards I opened are in the UK, and in the UK and EU all cards now must have 3-D Secure. But you should understand that it's still possible to make payments with these cards without 3-D Secure on the websites that do not support it, for example like Amazon, or you simply will be able to buy plane tickets without 3-D Secure using these cards.

Moving on, the next form of payment is magstripe, also a quite old and vulnerable form of payment. The main problem of magstripe is that magstripe has no additional authentication of the payment, no cardholder verification. It is very easy to clone and very easy to pay without any proof of ownership. So nowadays magstripe is outdated and should not be used in stores, simply because almost all magstripe cards now have a chip that should be used for purchases. But what happens is that in many regions still, if you can't use the chip card, you will be offered to use magstripe.
So if you enter the card upside down three times, the POS terminal will allow you to swipe the card and basically to use magstripe. It is prohibited now in Europe because of the current regulation, which is good, but in the US you still have a lot of places, a lot of malls, where this feature will be enabled. So the terminal has a card reader, a chip reader, and the original card had a working chip; however, hackers still could clone the magstripe from the original card and use it to pay in stores, which is quite insane. Another attack that we described last year is when hackers would steal data from EMV and put this data on the magstripe to create a functional clone of the chip card that had magstripe, and these transactions will go. But now, the statistics: two cards, two cryptocurrency cards, allowed using this fallback feature, and no cards really allowed us to clone cards using data from EMV, which is good.

Moving on to the last forms of payment: chip, or EMV, or NFC, or contactless payments. So the chip is a microcomputer with a Java application on it that implements three main security mechanisms of EMV. So first is the transaction authorization, that is done with a unique cryptogram for each transaction. So each cryptogram is unique depending on the input of the cryptogram: date, amount, currency and so on and so on, and these cryptograms will be checked by the issuing bank. Next, the authentication of the card, for a sort of offline risk assessment, to ensure that the terminal actually can ensure that the card was genuinely issued by your bank and genuinely belongs to you, not a clone, nothing like that. It is made with asymmetric cryptography, using RSA, to ensure that the card is genuine. Yeah, if you don't know, when you go on the metro and use your contactless card, yeah, you are not authorized immediately.
There is no online authorization, just to speed the process up. Yeah, you go, you're using... terminals are using offline data authentication to ensure that the card was not counterfeit, and only minutes later the terminal will try to authorize the transaction online. So offline authentication is still a quite essential feature. It also helps to protect the card... well, it's not a feature to protect the card, it protects the cardholder verification. And cardholder verification is the third feature of EMV that, well, by its name, helps to ensure that the cardholder actually is genuine, that he hasn't stolen the card from someone else. There are different cardholder verification methods: it could be signature, could be no cardholder verification, offline PIN, online PIN, but the most secure will be online PIN. Basically, you enter your PIN on the PIN pad, and the PIN is encrypted on the PIN pad and sent all across to the issuing bank in encrypted form, where it will be decrypted and checked only in a very secure space, which is called an HSM, and you will get the result whether the PIN was correct or not. Other forms like offline PIN, signature or no cardholder verification, obviously, are considered less secure. You can tamper with offline PIN verification; obviously the bank just doesn't know whether it was correct or not.
There are security steps to help with that, but not many banks actually check it. And the chip-and-signature scheme is obviously less secure: you can just steal the card, leave a signature and move on. There are many well-known issues and misconfigurations in EMV and NFC, but we will focus on the two most popular and well known.

So the first is authentication/authorization bypass with the cryptogram replay, when hackers could create an environment where the input for the cryptogram would be the same, and they would be able to predict all the cryptograms for the next purchases and reuse them many times in the future. And eight, nine... nine out of ten cards were actually vulnerable to this attack. One bank was vulnerable at the beginning, but by now they have fixed this vulnerability, so I would consider them invulnerable.

And the second problem is the bypassing of cardholder verification, and the thing is that you can bypass cardholder verification only by bypassing the offline authentication step. So there is a very popular attack, a very famous attack, that is called "PIN OK". Basically the card will say, "hey, the PIN that I checked offline is OK", yeah, and you can generate the transaction and move on, and the bank does not check these fields correctly. And for many, many cards, offline PIN verification is not the top priority among the cardholder verification methods, and this is why hackers also need to tamper with these data. This is also only possible because of the lack of offline authentication features. And also, nine out of ten cards, a different nine, were vulnerable to this attack. One bank... I was really proud when I found that one bank out of ten was not vulnerable.
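The two EMV issues above (cryptogram replay and the "PIN OK" cardholder-verification bypass), together with the magstripe fallback problem from earlier, all come down to fields the issuing bank could cross-check before approving. Here is an added example of such issuer-host checks, written for this page and not taken from the talk or the white paper. It assumes a simplified authorization message carrying the ATC (tag 9F36), TVR (tag 95), CVM Results (tag 9F34) and POS entry mode, plus one boolean standing in for the card's own CVR (carried inside tag 9F10, whose layout is issuer specific) saying whether the chip actually verified an offline PIN. Card profiles, transactions and the per-card limits are constructed; cryptographic verification of the cryptogram itself is assumed to happen elsewhere in the host.

```python
"""Issuer-host sanity checks on EMV authorization requests (added example).

Assumed, simplified message: ATC (9F36), TVR (95), CVM Results (9F34), POS entry
mode, and a boolean standing in for the card's CVR (inside 9F10) that says
whether the chip verified an offline PIN. Profiles and requests are constructed.
"""

# Issuer's own record of how each card was personalised (constructed values).
CARD_PROFILES = {
    "4111111111111111": {"last_atc": 41, "has_chip": True, "highest_cvm": "online_pin", "cvm_limit": 4500},
    "5555444433331111": {"last_atc": 7, "has_chip": True, "highest_cvm": "offline_pin", "cvm_limit": 4500},
}

# CVM codes from CVM Results byte 1, bits 6..1 (EMV Book 3 CVM code table).
CVM_CODES = {0x00: "fail_cvm", 0x01: "offline_pin", 0x02: "online_pin",
             0x04: "offline_pin", 0x1E: "signature", 0x1F: "no_cvm"}
CVM_RESULT = {0x00: "unknown", 0x01: "failed", 0x02: "successful"}

# POS entry modes (ISO 8583 DE22, first two digits) commonly used for
# chip (05), contactless (07), magstripe (90) and magstripe fallback (80).
MAGSTRIPE_MODES = {"90", "80"}


def parse_cvm_results(hex_str):
    """Decode tag 9F34: method performed (byte 1 low 6 bits) and result (byte 3)."""
    b = bytes.fromhex(hex_str)
    return {"method": CVM_CODES.get(b[0] & 0x3F, "unknown"),
            "result": CVM_RESULT.get(b[2], "unknown")}


def oda_performed_ok(tvr_hex):
    """TVR byte 1: bit 8 = ODA not performed; bits 7/4/3 = SDA/DDA/CDA failed."""
    b1 = bytes.fromhex(tvr_hex)[0]
    return not (b1 & (0x80 | 0x40 | 0x08 | 0x04))


def check_authorization(req, profiles, seen_cryptograms):
    """Return (decision, reasons) for one request; mutates profile/seen on approval."""
    profile = profiles[req["pan"]]
    reasons = []
    is_chip = req["entry_mode"] not in MAGSTRIPE_MODES

    # 1. Magstripe (incl. fallback) on a card that has a chip: no cryptogram, clonable.
    if not is_chip and profile["has_chip"]:
        reasons.append("magstripe_on_chip_card")

    if is_chip:
        # 2. Replay: the ATC must move forward and this cryptogram must be new.
        key = (req["pan"], req["atc"], req["cryptogram"])
        if req["atc"] <= profile["last_atc"] or key in seen_cryptograms:
            reasons.append("cryptogram_replay")

        cvm = parse_cvm_results(req["cvm_results"])
        # 3. "PIN OK": terminal claims a successful offline PIN, but the card's own
        #    cryptogram-protected data disagrees, or ODA was skipped/failed so the
        #    card data the terminal relied on was never authenticated.
        if cvm["method"] == "offline_pin" and cvm["result"] == "successful":
            if not req["card_verified_offline_pin"]:
                reasons.append("pin_ok_cvm_mismatch")
            if not oda_performed_ok(req["tvr"]):
                reasons.append("offline_pin_without_oda")
        # 4. CVM downgrade above the no-CVM limit on a card personalised for online PIN.
        if (req["amount"] > profile["cvm_limit"] and profile["highest_cvm"] == "online_pin"
                and cvm["method"] != "online_pin"):
            reasons.append("cvm_downgrade")

        if not reasons:
            profile["last_atc"] = req["atc"]
            seen_cryptograms.add(key)

    return ("approve" if not reasons else "decline", reasons)


def req(pan, mode, atc, ac, tvr, cvmr, amount, card_pin):
    return {"pan": pan, "entry_mode": mode, "atc": atc, "cryptogram": ac, "tvr": tvr,
            "cvm_results": cvmr, "amount": amount, "card_verified_offline_pin": card_pin}


# Constructed requests: amounts in minor units, cryptograms are dummy hex.
SAMPLE_REQUESTS = [
    req("4111111111111111", "05", 42, "A1B2C3D4E5F60718", "0000040000", "420000", 5000, False),  # online PIN, fine
    req("4111111111111111", "05", 42, "A1B2C3D4E5F60718", "0000040000", "420000", 5000, False),  # same ATC/AC again
    req("5555444433331111", "05", 8, "0011223344556677", "8000000000", "410002", 5000, False),   # "PIN OK" without ODA
    req("4111111111111111", "80", 0, "", "0000000000", "000000", 2000, False),                   # fallback swipe
    req("5555444433331111", "07", 9, "8899AABBCCDDEEFF", "0000000000", "1F0000", 300, False),    # low-value tap, no CVM
]


def run(requests, profiles=None):
    """Process requests in order against a fresh copy of the card profiles."""
    profiles = profiles if profiles is not None else {k: dict(v) for k, v in CARD_PROFILES.items()}
    seen = set()
    return [check_authorization(r, profiles, seen) for r in requests]


if __name__ == "__main__":
    for r, (decision, why) in zip(SAMPLE_REQUESTS, run(SAMPLE_REQUESTS)):
        print(r["pan"][-4:], r["entry_mode"], r["atc"], decision, why)
```

Each check maps to one sentence of the talk: the replay check is the issuer refusing to accept the same cryptogram input twice; the "PIN OK" check is the issuer actually reading the CVM fields instead of trusting the terminal's word; the downgrade check catches a card told to use online PIN being approved with something weaker; and the entry-mode check is the fallback problem. The third request is declined for two reasons at once, which is the talk's point that the PIN bypass only works because offline data authentication was not enforced.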
Which is good, but it's still extremely bad, especially thinking that EMV/NFC is the more secure form of payments and everyone is pushing to use it. So if you look at the whole picture, you see that cryptocurrency card holders and cryptocurrency startups actually have so little power over this well-established payment industry. So, the issues I talked about today, yeah, and in our white paper: a lot of startups have bug bounty programs. I reported these issues there, then the startup comes back and realizes that they don't do these card checks; they outsource that to the service provider. And they go to the service provider to ask, "OK, this is the issue we got a report about, what should we do?" The provider says, "Hey, I've been certified, I've done everything as Visa and Mastercard told me to do. Yeah, I have PCI compliance assessments," and so on and so on. And here we go: we are in a situation where customers have vulnerable cards and no one can do anything, because the guys on top say everything is fine. Yeah, and you, as a card holder or as a crypto startup, have to bear with some issues which are 50 years old, right? So this is really, really bad.

Thanks so much. Find us on the Discord channel, or online: Twitter, email. And our video will be published on paymentvillage.org. Thank you, have a nice day.