securing pos terminal - a technical guideline on securing pos system from hackers



Post on 15-Jan-2017


Page 1: Securing PoS Terminal - A Technical Guideline on Securing PoS System From Hackers

TECHNICAL GUIDELINES ON

How to Secure a POS System from Hackers

By:

Syed Ubaid Ali Jafri
Information Security Professional
LinkedIn: https://pk.linkedin.com/in/ubaidjafri

Contents

Background
Objective
Testing Type
TOP 15 Controls Checklist
POS Checklist


Background

The payment terminals discussed here are tamper-proof. They usually have Ethernet connectivity and a serial line. The interfaces open to a normal user are the card slot and the PIN pad and, in some cases, a contactless reader. The actual configuration varies between models and vendors, but the basic idea is that the terminal initiates all connections and does not listen for anything incoming.

Objective

Our objective in publishing this document is to raise the initial technical security of a POS system to a level where it is secure from basic attacks.

Testing Type

This testing covers the Physical layer through the Presentation layer and includes, but is not limited to, the following controls:

S.No  Control Name
1     Insecure Physical Connectivity
2     IP/MAC Address Spoofing
3     Weak or Default Credentials on Device
4     Insecure Communication Protocol
5     Unencrypted Data Travelling
6     Insecure Data Storage
7     Sensitive Information Disclosure
8     Shared File Enumeration
9     Stress Testing of PoS Machine
10    Inadequate Transaction Handling
11    Unnecessary Services/Ports Open
12    Absence of Audit Logging
13    Missing Patches
14    SNMP Public Community String
15    SSL/TLS Configuration Weaknesses


TOP 15 Controls Checklist

Summary Sheet of Controls (fields: S. No, Control Name, Control Description, Severity, Impact)

1. Physical Connectivity of PoS
Control Description: Whether the PoS device is connected to the network through a wireless router or a LAN switch. Ensure that no other user is able to connect to the same Wi-Fi or LAN network.
Severity: High
Impact: An attacker or malicious user with local network access is able to plug an infected machine into the network the PoS system is connected to, sniff or capture the data on that network, and easily perform a MITM attack against this connectivity.

2. IP/MAC Address Spoofing
Control Description: A network attacker can use a protocol analyzer to learn a valid MAC address. Having observed the MAC address, the attacker is able to spoof the IP/MAC address of the POS machine.
Severity: High
Impact: An attacker can easily steal the identity of the device and perform malicious activity while presenting a legitimate device identity that does not belong to them.
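One way to detect the spoofing described in this control on the network side is to compare ARP replies against the PoS inventory (IP to MAC). The following is an added example, not code from the guideline; the tcpdump-style ARP lines, the PoS address 10.0.5.20 and its MAC are constructed sample data.

```python
import re
from typing import Dict, List

# Constructed sample of ARP replies in tcpdump-like form (not a real capture).
# 10.0.5.20 is the PoS terminal; 00:11:22:33:44:55 is its inventoried MAC.
SAMPLE_ARP_LINES = """\
10:02:11.001 ARP, Reply 10.0.5.1 is-at 00:aa:bb:cc:dd:01
10:02:12.104 ARP, Reply 10.0.5.20 is-at 00:11:22:33:44:55
10:02:15.220 ARP, Reply 10.0.5.20 is-at de:ad:be:ef:00:01
10:02:16.330 ARP, Reply 10.0.5.77 is-at 00:11:22:33:44:55
10:02:17.440 ARP, Reply 10.0.5.1 is-at 00:aa:bb:cc:dd:01
"""

ARP_REPLY_RE = re.compile(
    r"^(?P<ts>\S+) ARP, Reply (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) is-at (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})$",
    re.IGNORECASE,
)

def detect_arp_spoofing(lines: str, inventory: Dict[str, str]) -> List[str]:
    """Flag ARP replies that contradict the PoS inventory (IP -> MAC).

    Two conditions are reported:
      * an inventoried PoS IP is claimed by a MAC other than the inventoried one
        (the terminal's IP address is being spoofed / ARP-poisoned);
      * an inventoried PoS MAC is announced for a different IP
        (the terminal's MAC has been cloned by another host).
    """
    mac_to_ip = {mac.lower(): ip for ip, mac in inventory.items()}
    alerts = []
    for line in lines.splitlines():
        m = ARP_REPLY_RE.match(line.strip())
        if not m:
            continue  # not an ARP reply line; ignore
        ts, ip, mac = m.group("ts"), m.group("ip"), m.group("mac").lower()
        expected_mac = inventory.get(ip, "").lower()
        if expected_mac and mac != expected_mac:
            alerts.append(f"{ts} IP {ip} (PoS) claimed by {mac}, expected {expected_mac}")
        owner_ip = mac_to_ip.get(mac)
        if owner_ip and owner_ip != ip:
            alerts.append(f"{ts} PoS MAC {mac} announced for {ip}, inventoried for {owner_ip}")
    return alerts

if __name__ == "__main__":
    for a in detect_arp_spoofing(SAMPLE_ARP_LINES, {"10.0.5.20": "00:11:22:33:44:55"}):
        print("ALERT:", a)
```

Feeding it the sample lines produces two alerts: the PoS IP claimed by a foreign MAC, and the PoS MAC appearing on another IP.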

3. Weak or Default Credentials on Device
Control Description: The device uses the default username or password for hardware administration.
Severity: High
Impact: An attacker or malicious user is able to log in with the default credentials and change or modify the hardware configuration of the device.

4. Insecure Communication Protocol
Control Description: The device uses weak protocols (FTP, Telnet, VNC, RDP) for remote administration, which could lead to confidentiality, integrity and availability attacks.
Severity: High
Impact: An attacker or malicious user with local network access is able to perform a Man-in-the-Middle (MITM) attack and see all communication between the POS and the FTP server. Using a username and password obtained by passively sniffing traffic on the network, the attacker can connect to the FTP server, then download, modify, and upload arbitrary files.

5. Unencrypted Data Travelling
Control Description: The device sends data unencrypted over the Wi-Fi/LAN channel.
Severity: High
Impact: An attacker or malicious user with local network access is able to sniff the Wi-Fi/LAN network. The captured unencrypted traffic contains sensitive information (usernames, passwords, account information).


6. Insecure Data Storage
Control Description: The device stores data on a memory card or in the device itself.
Severity: High
Impact: An attacker is able to copy all data stored on the machine or on the memory card, which could help the attacker produce a counterfeit card carrying the original values stored there, using a magnetic stripe card reader/writer.

7. Sensitive Information Disclosure
Control Description: The device is capable of exposing sensitive data (the customer's Track 1 record, Track 2 record and CVV number).
Severity: High
Impact: An attacker is able to read or sniff the customer's Track 1 and Track 2 data, which could lead to counterfeit card generation or online purchasing of goods.
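Controls 5 to 7 all come down to one question for the assessor: does stored data or captured traffic contain track records in the clear? The scanner below is an added example (not part of the guideline) that finds Track 1 and Track 2 records by their layout and confirms the PAN with the Luhn check, reporting only a masked PAN. The sample blob, the test PAN 4111111111111111 and the expiry values are constructed.

```python
import re
from typing import Dict, List

# Track layouts as carried on a magnetic stripe (ISO/IEC 7813):
#   Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
#   Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK1_RE = re.compile(r"%B(?P<pan>\d{13,19})\^(?P<name>[^^]{2,26})\^(?P<exp>\d{4})[^?]*\?")
TRACK2_RE = re.compile(r";(?P<pan>\d{13,19})=(?P<exp>\d{4})\d*\?")

# Constructed sample of "stored data" / captured text. 4111111111111111 is a
# well-known test PAN; the second Track 2 record fails Luhn and must not be reported.
SAMPLE_BLOB = (
    "batch=20170115|%B4111111111111111^DOE/JOHN^25121011234567890?|"
    ";4111111111111111=25121011234567890?|"
    ";4111111111111112=25121011234567890?|"
    "amount=19.99\n"
)

def luhn_ok(pan: str) -> bool:
    """Return True if the PAN passes the Luhn checksum (ISO/IEC 7812)."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits so a finding never contains the full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def find_track_data(blob: str) -> List[Dict[str, object]]:
    """Scan text for Track 1 / Track 2 records whose PAN is Luhn-valid."""
    findings = []
    for track, rx in (("1", TRACK1_RE), ("2", TRACK2_RE)):
        for m in rx.finditer(blob):
            pan = m.group("pan")
            if not luhn_ok(pan):
                continue  # structurally similar but not a real PAN
            findings.append({"track": track, "pan": mask_pan(pan),
                             "expiry": m.group("exp"), "offset": m.start()})
    return findings

if __name__ == "__main__":
    for f in find_track_data(SAMPLE_BLOB):
        print(f)
```

Run over a file dump or a decoded capture, a non-empty result is direct evidence for controls 5, 6 or 7 without the assessor ever copying a full PAN into the report.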

8. Shared File Enumeration
Control Description: The device has multiple open shared folders, with direct access to the root directory.
Severity: High
Impact: This may directly lead to system compromise by allowing modification of system files.

9. Stress Testing of PoS Terminal
Control Description: The device is not capable of handling a heavy load on the network. Test actions include randomly shutting down and restarting ports on the network switches/routers that connect the servers (via SNMP commands, for example) and doubling the baseline number of concurrent users/HTTP connections.
Severity: High
Impact: An attacker with little skill can carry out this attack on the system, leading to an availability attack.

10. Inadequate Transaction Handling
Control Description: An attacker is able to retrieve configuration information from the server; authentication takes place in plaintext over the local network, and all transactions are written in plaintext to a text file.
Severity: High
Impact: An attacker can perform a Man-in-the-Middle attack and change the price value, or modify the items and their date.

11. Unnecessary Services/Ports Open
Control Description: Multiple ports are open on the device that are not in use.
Severity: Medium
Impact: Using an unused port, an attacker can perform a brute-force attack or send SYN requests to the terminal machine, leading to an availability attack.


12. Absence of Audit Logging
Control Description: The device does not record logs of logins, transactions, and network connectivity.
Severity: Medium
Impact: Due to the absence of audit logging, an attacker can easily perform malicious activities and hide their tracks.

13. Missing Patches
Control Description: Critical Microsoft security patches were not installed on the PoS system. The missing patches address vulnerabilities that may allow unauthenticated remote code execution, privilege escalation, denial of service, and confidential information disclosure.
Severity: Medium
Impact: An attacker or malicious user with network access may be able to view sensitive information, cause a Denial of Service, or execute arbitrary code. An attacker with local access to the hosts may be able to escalate their privileges up to administrator level.

14. SNMP Public Community String
Control Description: The Simple Network Management Protocol (SNMP) community string 'public' is used on the PoS machine, granting read-only access to information on remote hosts. SNMP is generally used for system and network monitoring. Typically, a remote network management server queries a remote SNMP agent (residing on the target system) for system status, supplying a community string for authentication.
Severity: Medium
Impact: An attacker or malicious user is able to use the default SNMP community string to discover detailed device metadata and network configuration details, which can assist in other attacks. The information disclosed includes the operating system version, a list of users on the system, a list of installed software, any enabled network interfaces, routing information, as well as any open TCP connections.
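Controls 4, 11 and 14 can be checked together from one listing of listening sockets on the terminal, compared against an explicit allow-list (which, given the Background's statement that the terminal listens for nothing incoming, should be close to empty). The following is an added example, not code from the guideline; the `ss -lntu`-style output and the DHCP-client allow-list entry are constructed, and the control numbers refer to this checklist.

```python
import re
from typing import Dict, List, Tuple

# Constructed `ss -lntu`-style listing for a PoS host (not a real scan).
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      128    0.0.0.0:23         0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:21         0.0.0.0:*
tcp   LISTEN 0      128    127.0.0.1:8443     0.0.0.0:*
tcp   LISTEN 0      5      0.0.0.0:5900       0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:161        0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:68         0.0.0.0:*
"""

# Services the checklist names as weak for remote administration (control 4)
# or as an information-disclosure path (control 14).
FLAGGED_SERVICES = {("tcp", 21): ("FTP", 4), ("tcp", 23): ("Telnet", 4),
                    ("tcp", 5900): ("VNC", 4), ("tcp", 3389): ("RDP", 4),
                    ("udp", 161): ("SNMP", 14)}

LINE_RE = re.compile(r"^(tcp|udp)\s+\S+\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+$")

def audit_listeners(ss_output: str, allowed: Dict[Tuple[str, int], str]) -> List[str]:
    """Compare every listening socket with an explicit allow-list.

    Returns one finding per socket not on the allow-list, tagged with the
    checklist control it maps to: 4 (insecure protocol), 14 (SNMP) or
    11 (unnecessary port). Loopback-only sockets are still reported, but
    marked as such because they are not reachable from the LAN.
    """
    findings = []
    for line in ss_output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header or unparseable line
        proto, addr, port = m.group(1), m.group(2), int(m.group(3))
        if (proto, port) in allowed:
            continue
        name, control = FLAGGED_SERVICES.get((proto, port), ("unknown", 11))
        scope = "loopback only" if addr.startswith("127.") else "exposed on " + addr
        findings.append(f"control {control}: {proto}/{port} {name} {scope}")
    return findings

if __name__ == "__main__":
    for f in audit_listeners(SAMPLE_SS_OUTPUT, {("udp", 68): "DHCP client"}):
        print(f)
```
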

15. SSL/TLS Configuration Weaknesses
Control Description: Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are used in the POS environment to protect the confidentiality and integrity of connections to database servers and to the administrative web interface of the site router. We identified the following misconfigurations in the implementation of SSL/TLS.
Severity: Medium
Impact: An attacker or malicious user with network access is able to impersonate SSL/TLS-protected services or carry out Man-in-the-Middle attacks, compromising the confidentiality and integrity of encrypted network communications. These communications may include sensitive business information such as transactions and payment data, as well as technical information such as credentials or configuration files.


POS Checklist

A point of sale (POS) system needs assessment is essential for planning the selection and deployment of a POS system. This checklist will assist in defining system requirements and will also provide the foundation for recording each vulnerability found in a control, the risk associated with the vulnerability, its impact analysis, and its technical recommendations (configuration changes, procedural changes, software/service changes, etc.).

PoS (Point of Sale) Information Security Checklist

S. No | Control Name | Control Presence | Risk Description | Impact | Severity | Recommendation
1     |              |                  |                  |        |          |
2     |              |                  |                  |        |          |
3     |              |                  |                  |        |          |
4     |              |                  |                  |        |          |
5     |              |                  |                  |        |          |
