Returning to the Payment Village
When I first encountered the payment village at DEFCON last year, I was absolutely blown away by the creativity and level of play - particularly around deeply technical and serious subject matter. It felt like I was in some kind of hands-on museum / science lab / lecture hall / art installation / hackerspace that somehow intersected multiple interests including payments, security, and hardware. One moment I was learning about the history of credit cards and how the EMV standard was created, the next moment I was learning how to read a magstripe with ferrofluid.
I’ve worked in payments for years, and I learned so much that day, while barely scratching the surface of the material that was covered. I went home full of inspiration to learn more. There was also a fantastic CTF I took part in and wrote about here: 2023 DEFCON Payment Village
Leigh-Anne Galloway and Timur Yunusov have built something truly wonderful!
DEFCON 32
So I felt very lucky I was given the opportunity to volunteer this year, and help however I could. I had no idea how much work went into making this village into a reality. I worked alongside a bunch of very talented and hard-working volunteers who were passionate about making this thing happen, and worked through all kinds of roadblocks - like lack of internet or electrical outlets, right up until opening.
Payment Village Badge
One of the highlights this year was the payment village badge. They designed an open-source tool for working with NFC payments, allowing you to intercept/log/modify the communication between the card and the terminal. They provide the design to make your own, which I tried at home. I highly recommend you get the payment village badge with its beautifully printed PCB and pressure pins instead :) Still, the fact they make the design of the hardware and all the software freely available, no secrets, is a testament to their mission.
This is a really great learning tool, to see all the conversation that takes place between the card and terminal during the course of a transaction. In addition to providing a way to explore gaps in the EMV standard, learning about NFC, and solving the CTF, it can be worn as a beautiful accessory w/ the accompanying lanyard.
CTF and Prizes
This year had another, even bigger CTF than last year. It included another card-hacking challenge, which you could use the payment village badge to solve - but were not required to. The card hacking challenge could also be solved by borrowing some equipment at the village, or running a virtual point-of-sale right in your browser.
There were many other challenges around the village, including a cash wind machine and a point of sale terminal w/ cash drawer. My favorite, however, was the chorus of re-purposed point-of-sale terminals with receipt printers, which would sing you a song if you could solve their riddle.
All the flags for the CTF challenge were worth different points, which you could exchange for prizes. Like a carnival, except you don’t pay for any of the games, and you’re learning about payments and security while you’re at it.
Each day, the top winner of the CTF was also awarded one of the aforementioned payment village badges, which had quickly sold out.
Talks and Workshops
There were a number of really great talks and workshops. One of the most fascinating to me, though, was a workshop put on by Leigh-Anne Galloway herself, on emulating credit card magstripe w/ Arduino. First, she took everyone through the background of how the magstripe on a credit card works and how the data is encoded. Then she took everyone through actually building the magstripe emulation project, while openly providing the designs and necessary hardware for the workshop. It was built primarily using an Arduino, a chip meant for driving DC motors, and a coil meant for wireless charging. This was such a creative and memorable way to explore how magstripes work, and resulted in a usable tool.
Final Thoughts
Working as a volunteer this year, the village was no less fantastic than as a first-time visitor. Partly because there are no parlor tricks. Everything you see and experience is the result of honest and creative work shared openly. This is an expression of their mission to make knowledge of payments accessible to everyone.
It’s not an easy thing to pull off, and the result is magical.