Hacking Point of Sale
Download as PPTX, PDF4 likes1,609 views
The document discusses the Target data breach, detailing how attackers infiltrated point-of-sale systems to steal 40 million credit and debit card numbers and 70 million personal records. It examines the shortcomings of PCI standards in preventing such breaches and emphasizes the need for improved security measures, such as end-to-end data encryption. The need for merchants to adopt new payment technologies like EMV cards is highlighted, along with the implications of liability shifts in case of fraud.
Hacking Point of Sale
- 1. Hacking Point of Sale: How Everyone Can Learn from the Compromise of Mega Retailers WITH SLAVA GOMZIN, SECURITYAND PAYMENTS TECH., HP AND KEN WESTIN, PRODUCT MARKETING MANAGER, TRIPWIRE
- 2. How Everyone Can Learn from the Compromise of Mega Retailers Slava Gomzin, CISSP. PCIP, ECSP, Security+ Security and Payments Technologist, HP
- 3. What’s happened at Target How PCI failed to protect them What can be done to avoid the breach Q&A
- 5. Network IDS/IPS (Intrusion Detection/Prevention System)? Antivirus? Security/IT personnel? Credit Card Security Pattern Recognition System? FBI cyber crime division? Payment Processor? File Integrity Monitor? Brian Krebs Journalist, blogger, KrebsOnSecurity.com
- 6. 40 million – The number of credit and debit cards thieves stole from Target between Nov. 27 and Dec. 15, 2013. 70 million – The number of records stolen that included the name, address, email address and phone number of Target shoppers. 46 – The percentage drop in profits at Target in the fourth quarter of 2013, compared with the year before. 200 million – Estimated dollar cost to credit unions and community banks for reissuing 21.8 million cards — about half of the total stolen in the Target breach. 100 million – The number of dollars Target says it will spend upgrading their payment terminals to support Chip-and- PIN enabled cards.
- 7. The attackers were able to infect Target’s point-of-sale registers with a malware strain that stole credit and debit card data. The intruders also set up a control server within Target’s internal network that served as a central repository for data hovered up from all of the infected registers.
- 8. POS/PA must “touch” the memory and the hard drive of hosting POS machine in order to process transaction data
- 9. POS must communicate with outside world to get authorizations and process settlements
- 15. PCI DSS PCI Data Security Standard PTS PIN Data Security PCI P2PE PCI Point-to-Point Encryption PA-DSS Payment Application Data Security Standard
- 17. 1 1.1 1.2 1.2.1 2.0 3 2005 2006 2007 2008 2009 2010 2011 2012 2013
- 18. 0 10 20 30 40 50 60 70 80 90 2005 2006 2007 2008 2009 2010 2011 2012 Source: Privacy Rights Clearinghouse
- 22. There is no reliable software technology today that would easily resolve Memory Scraping problem without investing in new systems which introduce new protection methods such as encrypting the data end to end. Therefore, payment software vendors are currently not obligated by PCI standards to protect the memory of their applications. Instead, the merchants—users of the software—are obligated to protect the memory of their computers running such applications by implementing different types of compensating mechanisms, such as physical and network controls listed in PCI DSS requirements.
- 28. Server HSM POS/Payment application PED/MSR with TRSM Internet Server Database LMK BDK IPEK SSL SSL
- 30. By the end of 2015, 70% of U.S. credit cards and 41% of U.S. debit cards will be EMV enabled - according to Aite Group report PCI Audit Relief PCI audit relief is applicable if 75 percent or more of the merchant transactions are captured at hybrid EMV terminals (supporting both contact and contactless interfaces). Even if the majority of transactions are from magnetic stripe-only cards, if they are performed at hybrid EMV terminals the relief is applicable PCI Audit Relief Dates: Visa, Amex: October 2013 MC: October 2012 Liability Shift The party, either the issuer or merchant, who does not support EMV, assumes liability for counterfeit card transactions. Liability Shift Dates: Visa, MC, Amex, Discover: October 2015 October 2017 – for automated fuel dispensers (gas stations)
- 31. EMV does not provide security for online transactions EMV card number should be keyed for Internet purchase EMV does not require data encryption Data is still transferred in clear text between POS and Payment Processor P2PE is still recommended to protect the data EMV cards still have mag stripe for fallback processing Card data can be stolen EMV vulnerabilities will be exploited once US adopts EMV Cards Currently, there is no need to hack EMV because there is mag stripe in the US There are EMV Contactless vulnerabilities already demonstrated on security conferences
- 35. VULNERABILITY DATA HOSTS & SERVER DATABASE ACTIVITY USER ACTIVITY CONFIGURATION DATA SECURITY DEVICES (IDS – FIREWALLS) ACTIVE DIRECTORY APP ACTIVITY PHYSICAL ACCESS ACTIONABLE INTELLIGENCE ANALYTICS, FORENSICS & COMPLIANCE
- 40. Breach caught before exfiltration of any credit card data!
- 43.
Editor's Notes
- #13: WinHex Forensic Utility
- #14: WireShark Network Sniffer
- #35: Combining log intelligence, vulnerability data and security configuration information, we are then able to answer key security questions important to the business, for true security intelligence. Instead of simply providing reports we are able to answer specific questions with confidence, such as what systems are vulnerable, what systems are being attacked, which have already been compromised, which should we fix first, have we seen this before, when was it in a trusted state.
- #36: The basic idea of log intelligence is to make sense of the seemingly disparate events that are happening in your environment. <change slide> Usually this consists of log data from user systems, security devices, applications and other sources <change slide> In addition to this data, Tripwire also brings in additional layers of information including data from our Vulnerability Management solution as well as Security Configuration data. We are able then to correlate events, vulnerabilities and system state which provides higher resolution and business context around what is happening in your environment. <change> Through our powerful integrated correlation engine we provide actionable real-time intelligence which can trigger alerts, or actions such as automated remediation, or work with additional tools such as our certified integration with ArcSight, or a number of our other Technology Alliance Partners and other systems. <change> Tripwire also provides secure archives of this data paired with powerful security analytics and forensics tools for security and compliance.
- #37: The fact they did not have the network their vendors had access separated from their POS is troubling. Additionally they should have had logging in place to monitor and keep track of vendor activitiy on their network. With Tripwire Log Center we have rules out of the box that helps organizations monitor user activity closely on the network and correlate events across the network. Tripwire IP360 is our vulnerability management solution that is used by organizations to monitor and track where their systems are weak.
- #38: Hypothetical Target Attack – post on our blog in December before the breach was discovered. Important to cathc attackers in the act. When can you catch them and where is your best chance. Recon, enumeration. In this case they found an HVAC vendor with access to target. Small chance to detect at the recon phase. Exploitation and entrechment: 2 weeks they could exfiltrate data, greater and greater chance of catching them Then they will cover their tracksif they are a good attacker
- #40: Loaded a piece of malware onto a patch server, distributed to 1,800 stores across north america, 30 POS Malware pulled the credit card data out of memory, but it was updating a file share 40 million credit cards Online Retailer: Plagued by outages on their webservers Security story: SQL injection at department store, batch file. Automated cyber-security intelligence, including: Security gap analysis Proof of compliance Executive reports for risk and compliance trending. Sharing the techniques to: Eliminate security gaps Become compliant Improve risk ratings Automated Remediation: Fix compliance issues with the push of a button Approval workflows Device Support: “You can go big with TW” – think enterprise with us.
- #41: 50K devices being changed n black Friday. A lot of file integrity monitoring solutions simply run a scan at a set interval, some even a month apart. Continuous monitoring is critical in retail given the velocity and change Everytime a cards was swiped they could have detected. Configured to no create fileshares the data could not have been exfiltrated. It took 7 days for them to send this infomation, they could have caught it in 6 days and would have avoided the breach. We would have caught it in the first credit card swipe. Online Retailer: Plagued by outages on their webservers Security story: SQL injection at department store, batch file. Automated cyber-security intelligence, including: Security gap analysis Proof of compliance Executive reports for risk and compliance trending. Sharing the techniques to: Eliminate security gaps Become compliant Improve risk ratings Automated Remediation: Fix compliance issues with the push of a button Approval workflows Device Support: “You can go big with TW” – think enterprise with us.
- #43: Thank you for your questions Thanks again to Charles Kolodgy from IDC for joining us today and sharing his thoughts on Vulnerability Management, and thanks to all of you for attending. We hope that you found the presentation informative and interesting. Remember to rate and comment on this webcast, in the Ratings section. And be on the lookout for an email from me with the on-demand link to this event. Have a great week!