Hackingpointofsale 140715151838 Phpapp01

Hacking point-of-sale systems remains a serious risk, as demonstrated by the Target breach that compromised over 40 million credit cards. The Payment Card Industry Data Security Standard (PCI DSS) has failed to protect large retailers, and memory-scraping malware can still read sensitive card data out of point-of-sale systems. Upgrading terminals to support EMV (chip-and-PIN) cards helps, but vulnerabilities will remain until consumer payment data is encrypted end to end.

Hacking Point of Sale:

How Everyone Can Learn from the Compromise of Mega Retailers

WITH SLAVA GOMZIN, SECURITY AND PAYMENTS TECHNOLOGIST, HP
AND KEN WESTIN, PRODUCT MARKETING MANAGER, TRIPWIRE

Slava Gomzin, CISSP, PCIP, ECSP, Security+
Security and Payments Technologist, HP
- What happened at Target
- How PCI failed to protect them
- What can be done to avoid the breach
- Q&A
Antivirus?
File Integrity Monitor?
Network IDS/IPS (Intrusion Detection/Prevention System)?
Security/IT personnel?
Payment Processor?
Credit Card Security Pattern Recognition System?
FBI cyber crime division?

Brian Krebs, journalist and blogger, KrebsOnSecurity.com
40 million – The number of credit and debit cards thieves stole from Target between Nov. 27 and Dec. 15, 2013.

70 million – The number of records stolen that included the name, address, email address and phone number of Target shoppers.

46 – The percentage drop in profits at Target in the fourth quarter of 2013, compared with the year before.

200 million – Estimated dollar cost to credit unions and community banks for reissuing 21.8 million cards — about half of the total stolen in the Target breach.

100 million – The number of dollars Target says it will spend upgrading their payment terminals to support Chip-and-PIN enabled cards.
The attackers were able to infect Target’s point-of-sale registers with a malware strain that stole credit and debit card data. The intruders also set up a control server within Target’s internal network that served as a central repository for data hoovered up from all of the infected registers.

- The POS/PA (point-of-sale or payment application) must “touch” the memory and the hard drive of the hosting POS machine in order to process transaction data.
- The POS must communicate with the outside world to get authorizations and process settlements.
PCI DSS – PCI Data Security Standard
PTS – PIN Data Security
PA-DSS – Payment Application Data Security Standard
PCI P2PE – PCI Point-to-Point Encryption
[Figure: PCI DSS version timeline, 2005–2013: versions 1, 1.1, 1.2, 1.2.1, 2.0 and 3]


[Chart: yearly counts for 2005–2012 (y-axis 0–90). Source: Privacy Rights Clearinghouse]


- There is no reliable software technology today that would easily resolve the memory scraping problem without investing in new systems which introduce new protection methods such as encrypting the data end to end. Therefore, payment software vendors are currently not obligated by PCI standards to protect the memory of their applications.

- Instead, the merchants—users of the software—are obligated to protect the memory of their computers running such applications by implementing different types of compensating mechanisms, such as the physical and network controls listed in the PCI DSS requirements.
[Diagram: P2PE architecture – PED/MSR with TRSM holding the IPEK; POS/Payment application; SSL links across the Internet to the payment server and server database; HSM holding the BDK and LMK]
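The memory scraping point above and the P2PE diagram fit together: if the card data is encrypted inside the PED's TRSM under a per-transaction key derived from a device IPEK, and the BDK only ever exists in the processor's HSM, then the POS application's memory holds nothing a scraper can use. The following is an added illustration of that key flow, not code from the slides or from any vendor; it assumes a simplified HMAC-SHA256 derivation in place of the TDES/AES derivations of real DUKPT (ANSI X9.24), and the BDK, device id and track 2 string are constructed test values.

```python
import hashlib
import hmac

# Constructed illustration of the slide's P2PE key flow: the BDK stays in the
# processor's HSM, the PED/MSR's TRSM holds a device-unique IPEK, and every
# swipe is encrypted under a fresh per-transaction key before the POS
# application sees it. HMAC-SHA256 stands in for the TDES/AES derivations of
# real DUKPT (ANSI X9.24); this is not a standards-conformant implementation.

BDK = bytes.fromhex("0123456789abcdeffedcba9876543210")  # HSM-resident only (constructed)
DEVICE_ID = b"PED-0001"                                    # identifies the injected PED
TRACK2 = b"4111111111111111=25121011000012345678"          # constructed test-card track 2


def derive_ipek(bdk: bytes, device_id: bytes) -> bytes:
    """Key-injection step: HSM derives the device IPEK; the BDK never leaves the HSM."""
    return hmac.new(bdk, b"IPEK|" + device_id, hashlib.sha256).digest()

def transaction_key(ipek: bytes, counter: int) -> bytes:
    """Per-transaction key from the IPEK and the KSN transaction counter."""
    return hmac.new(ipek, b"TXN|" + counter.to_bytes(4, "big"), hashlib.sha256).digest()

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Counter-mode keystream from HMAC (stand-in for the AES/TDES data cipher)."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, offset.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)

def ped_capture(ipek: bytes, counter: int, track2: bytes) -> tuple:
    """Inside the TRSM: encrypt at swipe, emit ciphertext plus KSN (device id + counter)."""
    ksn = DEVICE_ID + counter.to_bytes(4, "big")
    return ksn, keystream_xor(transaction_key(ipek, counter), track2)

def pos_app_buffer(ksn: bytes, ciphertext: bytes) -> bytes:
    """All the POS/payment application ever holds in memory: ciphertext and KSN, no key."""
    return ksn + b"|" + ciphertext

def processor_decrypt(bdk: bytes, ksn: bytes, ciphertext: bytes) -> bytes:
    """Processor HSM rebuilds the same key chain from the BDK and the received KSN."""
    device_id, counter = ksn[:-4], int.from_bytes(ksn[-4:], "big")
    return keystream_xor(transaction_key(derive_ipek(bdk, device_id), counter), ciphertext)

def pan_exposed(buffer: bytes, track2: bytes = TRACK2) -> bool:
    """Does the raw PAN appear in a buffer? True for a cleartext POS, False under P2PE."""
    return track2.split(b"=")[0] in buffer
```

Compare `pan_exposed(TRACK2)` for the cleartext path the slide describes with `pan_exposed(pos_app_buffer(ksn, ct))` under P2PE: the compensating controls PCI DSS asks merchants for become far less critical once the register never holds a PAN.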
By the end of 2015, 70% of U.S. credit cards and 41% of U.S. debit cards will be EMV enabled, according to an Aite Group report.
- PCI Audit Relief
  - PCI audit relief is applicable if 75 percent or more of the merchant transactions are captured at hybrid EMV terminals (supporting both contact and contactless interfaces). Even if the majority of transactions are from magnetic stripe-only cards, if they are performed at hybrid EMV terminals the relief is applicable.
  - PCI Audit Relief Dates:
    - Visa, Amex: October 2013
    - MC: October 2012

- Liability Shift
  - The party, either the issuer or merchant, who does not support EMV assumes liability for counterfeit card transactions.
  - Liability Shift Dates:
    - Visa, MC, Amex, Discover: October 2015
    - October 2017 – for automated fuel dispensers (gas stations)
- EMV does not provide security for online transactions
  - The EMV card number is still keyed in for Internet purchases

- EMV does not require data encryption
  - Data is still transferred in clear text between the POS and the Payment Processor
  - P2PE is still recommended to protect the data

- EMV cards still have a mag stripe for fallback processing
  - Card data can still be stolen

- EMV vulnerabilities will be exploited once the US adopts EMV cards
  - Currently there is no need to hack EMV because the mag stripe is still used in the US
  - EMV contactless vulnerabilities have already been demonstrated at security conferences
[Diagram: Tripwire Unified Security Intelligence – Log Intelligence, Vulnerability Management and Security Configuration Management; inputs: physical access, vulnerability data, hosts & servers, database activity, user activity, app activity, configuration data, Active Directory, security devices (IDS, firewalls); output: actionable intelligence for analytics, forensics & compliance]

Breach caught before exfiltration of any credit card data!
