Attacking the Buyers and the Sellers: A Tale of Offline Readers and Payees’ Authentication

February 28 (2024) @ 3:00 pm - 4:00 pm

First, we will look at security analyses we performed against the Square Terminal (https://squareup.com/gb/en/hardware/terminal), a widely sold PoS (point of sale), when set in offline mode (i.e., not connected to the Internet or to the payment networks when transactions occur). We show that we can make the PoS work contrary to its EU/UK specifications (with relatively little technical effort), and, in so doing, we are able to bypass customer authentication (PIN, fingerprint, etc.) and make illicit transactions. In this case of *offline* PoS, the victims are merchants as well as plastic-card holders. The attacks affect both Visa and Mastercard. Via responsible disclosure, we liaised with all stakeholders, and SquareUp is receptive. Then, we will also look, in more detail than before, at how the EU vs. UK specifications work. All these aspects were also supported by formal verification, which we discuss as well.

This is a joint seminar with FM-SEC.



Ioana Boureanu (University of Surrey)

Ioana is a Professor in Secure Systems at the University of Surrey. She is primarily interested in provable security, formal methods for security and privacy, and applied cryptography. She is the head of the Surrey Centre for Cyber Security. More on her work can be found at people.itcarlson.com/ioana

