Embed Size (px)
Citation preview
Point-of-Sale (POS)
Areas of Vulnerability
Data in
MemoryData at Rest Data in Transit
Application
Code and
Configuration
1 2 3 4
Security Risk
Data in Memory
Security concerns remain the same as those for device interfaces there are no standard security mechanisms. Specific issues depend on the type of connectivity. If POS and PA run under the same OS process, the memory of the process can be scanned using RAM scraping in order to retrieve sensitive data.
Security Risk
Security Risk
Data at Rest
“data at rest,” a term used to describe any form of hard-drive storage such as database, fl at-data file, or log file.
Security Risk
Data in Transit
There are different ways to “tap into the wire.” One of various sniffing attack scenarios would be a hidden network tap device plugged into the store network. The tap device will catch the payment application traffic and mirror it to the remote control center.
Security Risk
Data in Transit
Security Risk
Application Code and Configuration
Another key vulnerability area is payment Application Code itself and its Configuration (config). The code or config don’t contain any cardholder information by themselves, but can be tampered by attacker or malicious software in order to gain unauthorized access to the data in other key vulnerability areas.
Exposure Area
Retail Store – POS Machine
POI Device
Payment
Application
Storage
Memory
POS App
Payment Processor Data Center
Payment
Processing Host
1
2
3
3
4
2
1
3
4
Data in memory
Data at rest
Data in Transit
App Code and Configuration
Pros and Cons
Some of the security pros and cons of this model are:
Pro
There’s no central location in the store that accumulates all the Sensitive data in memory, disk storage, or network traffic. It is easier (and less expensive!) to protect a single machine and application instance; however, once it is broken, all the store data is gone.
The communication between POS and PA doesn’t carry sensitive data because PA handles all the aspects of any payment transaction and only returns the masked results to the POS at the end without exposing the details of the magnetic stripe.
Con
All POS machines (memory, data storage) at the store are exposed to sensitive data as well as communication between the POS machine and the payment host.
The concept of EPS
EPS stands for Electronic Payment System
The main purpose of EPS is isolating the electronic payment processing application from the rest of the point-of-sale functions.
A logical (and often physical) separation of the POS and payment system allows “removing POS from the scope” (security auditors terminology meaning that security standard requirements like PCI are not applicable to a particular application or machine).
Placing the POS application or machine “out of scope” saves a lot of Development and implementation work for both software manufacturers and consumers
Store EPS Deployment Model
Retail Store
POI Device
Payment
Application
Storage
Memory
POS Payment
Processing Host
POS Machine Store Server
Payment Processor
Data Center
2
1
3
4
Data in memory
Data at rest
Data in Transit
App Code and Configuration
1
2
4
3
3
Pros and Cons
Some of the security pros and cons of this model are:
Pro
The POS machine isn’t exposed to sensitive data because it doesn’t communicate with POI devices.
Communication between the POS and the store server machines doesn’t contain sensitive data, so there’s no need to encrypt this traffic
Con
Communication between POI devices and the store server is implemented through the store LAN (usually TCP/IP packets), exposing sensitive cardholder information to the network.
Hybrid POS/Store Deployment Model
Retail Store
Payment Server App
Storage
Memory
POS
Payment Processor
Data Center
Payment
Processing Host
POS App Store Server
Payment Client App
POI Device
Memory
Storage
2
1
3
4
Data in memory
Data at rest
Data in Transit
App Code and Configuration
11
22
44
3
3
3
Pros and Cons
Some of the security pros and cons of this model are:
Pro
There are no security pros associated with this model.
Con
Both the POS and the store server machines and almost all their Components (memory, data storage, application code, and communication lines) are entirely vulnerable.
Case Study: Pentesting POS
Retail Store
Payment
Processing Host
Counter/ POS Area Back-Office Area
Payment Processor
Data Center
Storing Room
EPS
Case Study: Pentesting POS
Retail Store
Payment
Processing Host
Counter/ POS Area Back-Office Area
Payment Processor
Data Center
Storing Room
Physical & Host Assessment
EPS
Case Study: Pentesting POS
Physical & Host Assessment
USB Drives, Keyboard and Mouse
Hot-Key Shortcuts
Randomly presses on touchscreen
BIOS Configuration
Reverse Engineering on Application [.Net]
Directory Traversal on Application
Case Study: Pentesting POS
Retail Store
Payment
Processing Host
Counter/ POS Area Back-Office Area
Payment Processor
Data Center
Storing Room
Network Segregation
& Infrastructure Assessment
EPS
Case Study: Pentesting POS
Network Segregation & Infrastructure Assessment
Excessive Port on Device and Server
Network Segmentation
Password Reuse Rampant
Pass-The-Hash
Dump clear text passwords stored by
Windows authentication packages
Really !?
Case Study: Pentesting POS
Retail Store
Payment
Processing Host
Counter/ POS Area Back-Office Area
Payment Processor
Data Center
Storing Room
Traffic Monitoring
EPS
Case Study: Pentesting POS
Traffic Monitoring
Identify PAN over the network.
Sensitive information between SIT and EPS.
Protection
Data in Memory
Minimizing Data Exposure from the Application (.NET SecureString, Memory Buffer]
Point-to-Point Encryption (P2PE), encrypt the data before it even reaches the memory of the hosting machine, and decrypt it only after it has left the POS (in the Payment Gateway)
Data in Transit
Implementing Secure Socket Layer (SSL]
Encrypted Tunnels, IPSec
Data at Rest
Avoiding the storage of sensitive data at all.
Point-to-Point Encryption [P2PE]
Symmetric Key Encryption
Thank you
Recommended Book
