Hacking Point of Sale
TRANSCRIPT
Hacking Point of Sale: How Everyone Can Learn from the Compromise of Mega Retailers
WITH SLAVA GOMZIN, SECURITY AND PAYMENTS TECH., HP
AND KEN WESTIN, PRODUCT MARKETING MANAGER, TRIPWIRE
Slava Gomzin, CISSP, PCIP, ECSP, Security+
Security and Payments Technologist, HP
What happened at Target
How PCI failed to protect them
What can be done to avoid the breach
Q&A
Network IDS/IPS (Intrusion Detection/Prevention System)?
Antivirus?
Security/IT personnel?
Credit Card Security Pattern Recognition System?
FBI cyber crime division?
Payment Processor?
File Integrity Monitor?
Brian Krebs
Journalist, blogger, KrebsOnSecurity.com
40 million – The number of credit and debit cards thieves stole from Target between Nov. 27 and Dec. 15, 2013.
70 million – The number of records stolen that included the name, address, email address and phone number of Target shoppers.
46 – The percentage drop in profits at Target in the fourth quarter of 2013, compared with the year before.
200 million – Estimated dollar cost to credit unions and community banks for reissuing 21.8 million cards — about half of the total stolen in the Target breach.
100 million – The number of dollars Target says it will spend upgrading their payment terminals to support Chip-and-PIN enabled cards.
The attackers were able to infect Target’s point-of-sale registers with a malware strain that stole credit and debit card data. The intruders also set up a control server within Target’s internal network that served as a central repository for data hoovered up from all of the infected registers.
The POS/PA must “touch” the memory and the hard drive of the hosting POS machine in order to process transaction data.
The POS must communicate with the outside world to get authorizations and process settlements.
PCI DSS – PCI Data Security Standard
PTS – PIN Data Security
PCI P2PE – PCI Point-to-Point Encryption
PA-DSS – Payment Application Data Security Standard
[Chart: timeline 2005–2013 with standard version markers 1.1, 1.2, 1.2.1, 2.0 and 3 along the years and a 0–90 count scale. Source: Privacy Rights Clearinghouse]
There is no reliable software technology today that would easily resolve the memory-scraping problem without investing in new systems that introduce new protection methods, such as encrypting the data end to end. Therefore, payment software vendors are currently not obligated by PCI standards to protect the memory of their applications.
Instead, the merchants—the users of the software—are obligated to protect the memory of the computers running such applications by implementing compensating mechanisms of different types, such as the physical and network controls listed in the PCI DSS requirements.
[Diagram: point-to-point encryption architecture. Components: PED/MSR with TRSM, POS/Payment application, Internet (SSL links), Server, Server Database, HSM. Keys shown: LMK, BDK, IPEK]
By the end of 2015, 70% of U.S. credit cards and 41% of U.S. debit cards will be EMV enabled, according to an Aite Group report.
PCI Audit Relief: PCI audit relief is applicable if 75 percent or more of the merchant’s transactions are captured at hybrid EMV terminals (supporting both contact and contactless interfaces). Even if the majority of transactions are from magnetic stripe-only cards, the relief is applicable if they are performed at hybrid EMV terminals.
PCI Audit Relief Dates: Visa, Amex: October 2013; MC: October 2012
Liability Shift: The party, either the issuer or the merchant, that does not support EMV assumes liability for counterfeit card transactions.
Liability Shift Dates: Visa, MC, Amex, Discover: October 2015; October 2017 for automated fuel dispensers (gas stations)
EMV does not provide security for online transactions
An EMV card number must still be keyed in for Internet purchases
EMV does not require data encryption
Data is still transferred in clear text between the POS and the Payment Processor
P2PE is still recommended to protect the data
EMV cards still have a mag stripe for fallback processing
Card data can be stolen
EMV vulnerabilities will be exploited once the US adopts EMV cards
Currently, there is no need to hack EMV because there is a mag stripe in the US
EMV contactless vulnerabilities have already been demonstrated at security conferences
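The memory-scraping point above (the POS application has to hold clear track data, so only end-to-end encryption removes it) and the EMV bullets (data still travels in the clear unless P2PE is used) can be shown with one added example. This is illustrative code written for this page, not from the presenters or any vendor: a constructed track-2 record is handed to a simulated POS process once in the clear (legacy flow) and once encrypted inside a simulated PED (P2PE flow), and the kind of PAN scan a defender runs over a process memory dump or file finds the card only in the first buffer. The cipher, key names and the `legacy_pos`/`p2pe_pos` functions are simplified stand-ins, not a real DUKPT/TRSM implementation.

```python
"""Added example, not part of the slides: clear vs. P2PE-encrypted track data as
seen from inside the POS process, checked with a defender's PAN scanner.
Cipher and keys are simplified stand-ins, not a real DUKPT/TRSM implementation."""
import hashlib, hmac, os, re

# Track-2 shape: PAN (13-19 digits), field separator '=', then expiry YYMM.
TRACK2_RE = re.compile(rb"(?<!\d)(\d{13,19})=(\d{4})")

def luhn_ok(pan: str) -> bool:
    """Luhn check-digit test, used to separate real PANs from random digit runs."""
    digits = [int(c) for c in reversed(pan)]
    doubled = [d * 2 - 9 if d > 4 else d * 2 for d in digits[1::2]]
    return (sum(digits[0::2]) + sum(doubled)) % 10 == 0

def find_clear_pans(buf: bytes) -> list:
    """Return masked PANs (first 6 / last 4) found as track-2 data in a buffer."""
    hits = []
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            hits.append(pan[:6] + "*" * (len(pan) - 10) + pan[-4:])
    return hits

def ped_encrypt(track2: bytes, device_key: bytes) -> bytes:
    """Stand-in for the PED/TRSM: the track is encrypted before it leaves the device.
    Keystream = HMAC-SHA256(device_key, nonce || counter); no integrity tag here."""
    nonce = os.urandom(16)
    blocks = -(-len(track2) // 32)
    ks = b"".join(hmac.new(device_key, nonce + bytes([i]), hashlib.sha256).digest()
                  for i in range(blocks))
    return nonce + bytes(a ^ b for a, b in zip(track2, ks))

def legacy_pos(track2: bytes) -> bytes:
    """Legacy flow: the POS application parses the clear track in its own memory."""
    return b"POS-TX-BUFFER:" + track2 + b"|AMT=1999"

def p2pe_pos(track2: bytes, device_key: bytes) -> bytes:
    """P2PE flow: the POS only ever holds ciphertext to forward to the processor."""
    return b"POS-TX-BUFFER:" + ped_encrypt(track2, device_key) + b"|AMT=1999"

# Constructed test record using a standard test PAN, not a real account.
TRACK2 = b";4111111111111111=2512101123456789?"
DEVICE_KEY = b"\x11" * 16   # constructed stand-in for a per-device key (IPEK)

if __name__ == "__main__":
    print(find_clear_pans(legacy_pos(TRACK2)))            # ['411111******1111']
    print(find_clear_pans(p2pe_pos(TRACK2, DEVICE_KEY)))  # []
```

The same scanner run against a real process dump or disk image is a useful PCI DSS control check: any Luhn-valid track-2 hit on a POS host means clear card data is reachable by whatever else runs there.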
[Diagram: Tripwire “Unified Security Intelligence”. Pillars: Log Intelligence, Security Configuration Management, Vulnerability Management. Inputs: vulnerability data, hosts & servers, database activity, user activity, configuration data, security devices (IDS, firewalls), Active Directory, app activity, physical access. Outputs: actionable intelligence; analytics, forensics & compliance]
Breach caught before exfiltration of any credit card data!