Hacking Point of Sale

Post on 15-Jul-2015


Transcript of Hacking Point of Sale

Hacking Point of Sale: How Everyone Can Learn from the Compromise of Mega Retailers

WITH SLAVA GOMZIN, SECURITY AND PAYMENTS TECH., HP

AND KEN WESTIN, PRODUCT MARKETING MANAGER, TRIPWIRE

How Everyone Can Learn from the Compromise of Mega Retailers

Slava Gomzin, CISSP, PCIP, ECSP, Security+

Security and Payments Technologist, HP

What’s happened at Target

How PCI failed to protect them

What can be done to avoid the breach

Q&A

Network IDS/IPS (Intrusion Detection/Prevention System)?

Antivirus?

Security/IT personnel?

Credit Card Security Pattern Recognition System?

FBI cyber crime division?

Payment Processor?

File Integrity Monitor?

Brian Krebs

Journalist, blogger, KrebsOnSecurity.com

40 million – The number of credit and debit cards thieves stole from Target between Nov. 27 and Dec. 15, 2013.

70 million – The number of records stolen that included the name, address, email address and phone number of Target shoppers.

46 – The percentage drop in profits at Target in the fourth quarter of 2013, compared with the year before.

200 million – Estimated dollar cost to credit unions and community banks for reissuing 21.8 million cards — about half of the total stolen in the Target breach.

100 million – The number of dollars Target says it will spend upgrading their payment terminals to support Chip-and-PIN enabled cards.

The attackers were able to infect Target’s point-of-sale registers with a malware strain that stole credit and debit card data. The intruders also set up a control server within Target’s internal network that served as a central repository for data hoovered up from all of the infected registers.

POS/PA must “touch” the memory and the hard drive of the hosting POS machine in order to process transaction data

POS must communicate with the outside world to get authorizations and process settlements

PCI DSS: PCI Data Security Standard

PTS: PIN Data Security

PCI P2PE: PCI Point-to-Point Encryption

PA-DSS: Payment Application Data Security Standard

[Chart: PCI DSS version releases (1.1, 1.2, 1.2.1, 2.0, 3) plotted on a 2005–2013 timeline above a bar chart of yearly counts (scale 0–90) for 2005–2012. Source: Privacy Rights Clearinghouse]

There is no reliable software technology today that would easily resolve the memory-scraping problem without investing in new systems that introduce new protection methods, such as encrypting the data end to end. Therefore, payment software vendors are currently not obligated by PCI standards to protect the memory of their applications.

Instead, the merchants—the users of the software—are obligated to protect the memory of the computers running such applications by implementing different types of compensating mechanisms, such as the physical and network controls listed in the PCI DSS requirements.

[Diagram: P2PE architecture. PED/MSR with TRSM (holding the IPEK) feeds the POS/Payment application, which sends encrypted data over SSL across the Internet to the processor’s Server and Server Database; the Server’s HSM holds the LMK and BDK; SSL is also used on the server-side link.]
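The memory-scraping paragraph above says the practical fix is encrypting the data end to end, and the P2PE diagram names the pieces: a PED/MSR with a TRSM holding an IPEK, a POS application in the middle, and a processor whose HSM holds the BDK. The following added example (not code from the talk, the book, or any vendor) models that flow so a defender can see what a scraper reading POS memory would find in each design. The names BDK, IPEK, PED and KSN follow the slide; the derivation and cipher are simplified HMAC-SHA256 stand-ins so the script runs on the standard library, not the ANSI X9.24 TDES/AES DUKPT a real P2PE solution uses. The PAN, track, and device serial are constructed test values.

```python
import hashlib
import hmac
import os
import re

# Constructed sample card data: a well-known Luhn-valid test PAN, not a real card.
SAMPLE_PAN = "4111111111111111"
SAMPLE_TRACK2 = SAMPLE_PAN + "=2512101"  # PAN=expiry(YYMM)+service code, constructed

# Pattern a defender's memory scan (or a scraper) uses to spot clear-text track 2 data.
TRACK2_RE = re.compile(rb"\d{13,19}=\d{4}")


def derive_ipek(bdk: bytes, ksn_base: bytes) -> bytes:
    """HSM side: derive a device's initial key from the BDK and the device's key serial.
    Simplified stand-in for the X9.24 derivation; only the BDK holder can do this."""
    return hmac.new(bdk, b"IPEK|" + ksn_base, hashlib.sha256).digest()


def derive_txn_key(ipek: bytes, counter: int) -> bytes:
    """Per-transaction key from the IPEK and the device's transaction counter (simplified)."""
    return hmac.new(ipek, b"TXN|" + counter.to_bytes(4, "big"), hashlib.sha256).digest()


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher: HMAC-SHA256 counter-mode keystream XORed over data.
    Symmetric, so the same call decrypts. Illustrative only, not a production cipher."""
    stream = b""
    block = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class PED:
    """PIN entry device / MSR with a TRSM: holds the IPEK, never the BDK."""

    def __init__(self, ksn_base: bytes, ipek: bytes) -> None:
        self.ksn_base = ksn_base
        self.ipek = ipek
        self.counter = 0

    def swipe(self, track2: str) -> dict:
        """Encrypt the track inside the device; only ciphertext leaves the TRSM."""
        self.counter += 1
        key = derive_txn_key(self.ipek, self.counter)
        nonce = self.ksn_base + self.counter.to_bytes(4, "big")
        return {
            "ksn_base": self.ksn_base,
            "counter": self.counter,
            "ciphertext": keystream_xor(key, nonce, track2.encode()),
        }


class Processor:
    """Payment processor whose HSM holds the BDK."""

    def __init__(self) -> None:
        self.bdk = os.urandom(32)

    def inject_keys(self, ksn_base: bytes) -> PED:
        """Key injection: the PED receives its IPEK, derived from the BDK."""
        return PED(ksn_base, derive_ipek(self.bdk, ksn_base))

    def decrypt(self, msg: dict) -> str:
        """Re-derive the transaction key from the BDK and recover the track."""
        ipek = derive_ipek(self.bdk, msg["ksn_base"])
        key = derive_txn_key(ipek, msg["counter"])
        nonce = msg["ksn_base"] + msg["counter"].to_bytes(4, "big")
        return keystream_xor(key, nonce, msg["ciphertext"]).decode()


def pos_forward(msg: dict) -> bytes:
    """What the POS application holds in memory and sends over SSL: the encrypted
    message serialised. It has no key material and nothing it could decrypt."""
    return msg["ksn_base"] + msg["counter"].to_bytes(4, "big") + msg["ciphertext"]


def run_flows() -> dict:
    """Run one P2PE swipe and one legacy clear-text swipe; report what a scan of POS memory sees."""
    processor = Processor()
    ped = processor.inject_keys(ksn_base=b"PED-0001")  # constructed device serial
    msg = ped.swipe(SAMPLE_TRACK2)
    p2pe_pos_buffer = pos_forward(msg)

    # Legacy flow: the MSR hands the POS application the raw track, so it sits in RAM.
    legacy_pos_buffer = SAMPLE_TRACK2.encode()

    return {
        "p2pe_pos_exposes_track2": TRACK2_RE.search(p2pe_pos_buffer) is not None,
        "legacy_pos_exposes_track2": TRACK2_RE.search(legacy_pos_buffer) is not None,
        "processor_recovers_track2": processor.decrypt(msg) == SAMPLE_TRACK2,
    }


if __name__ == "__main__":
    print(run_flows())
```

The point the slide makes shows up in the two booleans: with the legacy flow the POS process memory contains the track and a scraper's regex finds it; with P2PE the POS process only ever holds ciphertext plus a key serial and counter, and the only party that can turn that back into a PAN is the one holding the BDK in an HSM. That is why PCI P2PE can move the memory-protection burden off the merchant's register.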

By the end of 2015, 70% of U.S. credit cards and 41% of U.S. debit cards will be EMV enabled, according to an Aite Group report

PCI Audit Relief: PCI audit relief is applicable if 75 percent or more of the merchant’s transactions are captured at hybrid EMV terminals (supporting both contact and contactless interfaces). Even if the majority of transactions are from magnetic stripe-only cards, the relief is applicable if they are performed at hybrid EMV terminals.

PCI Audit Relief Dates: Visa, Amex: October 2013; MC: October 2012

Liability Shift: The party, either the issuer or the merchant, that does not support EMV assumes liability for counterfeit card transactions.

Liability Shift Dates: Visa, MC, Amex, Discover: October 2015; October 2017 for automated fuel dispensers (gas stations)

EMV does not provide security for online transactions

The EMV card number still has to be keyed in for an Internet purchase

EMV does not require data encryption

Data is still transferred in clear text between POS and Payment Processor

P2PE is still recommended to protect the data

EMV cards still have mag stripe for fallback processing

Card data can be stolen

EMV vulnerabilities will be exploited once the US adopts EMV cards

Currently, there is no need to hack EMV because the mag stripe is still in use in the US

EMV contactless vulnerabilities have already been demonstrated at security conferences

[Diagram: Tripwire “Unified Security Intelligence” built from Log Intelligence, Security Configuration Management and Vulnerability Management. Inputs: vulnerability data, hosts & servers, database activity, user activity, configuration data, security devices (IDS, firewalls), Active Directory, app activity, physical access. Output: actionable intelligence for analytics, forensics & compliance.]

Breach caught before exfiltration of any credit card data!