
Plastic Money == Plastic Trust

Why you should never trust a merchant with your credit card
About this talk…
• Work in progress
• Agenda
– Credit card backgrounder (hacker style)
– PCI Overview & Defenses
– PCI Flaws

Ongoing project, to be updated

TSC LABS Plastic Money - Plastic Trust 2


Who do you trust?



A California Driver’s License



CA License Spec



PAN Tester (Front)



Commerce without Trust
• Cash Commerce
– You visit a merchant
– You give them (money)
– They give you (goods or services)



Commerce with Trust
• Diners Club starts in the 1950s
– “A customer is as good as their name”
– Merchant (via a Bank) extends ‘credit’
– Customer carries (paper) ‘credit card’
– Merchant trusts customer to pay
– Customer extends no extra trust to merchant



And the joke is…
• Credit cards are clonable
• Trusting the merchant was a bad idea



PCI



The Players…
• Customers
• Merchants
• Acquirers
• Banks
• Credit Card ‘Associations’
• The bad guys



Payment Card Industry
• Industry association
– Agenda:
• defend the brand
• Make the customers feel safe
• Protect profits
– “Standards” issued
– Created auditor/expert role
– Advocate of “PCI Security”



Credit Cards
• ISO Standard
• Machine readable (“partially”)
• Clonable
• Purely data



CC Process Assumptions
• (“CC” means credit card)
• The customer will defend the CC
• The merchant will defend the CC
• It’s hard to steal the CC
• If the CC is stolen, revocation will minimize damage



PCI “Standard”
• Requirement 1: Install and maintain a firewall configuration to protect cardholder data
• Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
• Requirement 3: Protect stored cardholder data
• Requirement 4: Encrypt transmission of cardholder data across open, public networks
• Requirement 5: Use and regularly update anti-virus software
• Requirement 6: Develop and maintain secure systems and applications
• Requirement 7: Restrict access to cardholder data by business need-to-know
• Requirement 8: Assign a unique ID to each person with computer access
• Requirement 9: Restrict physical access to cardholder data
• Requirement 10: Track and monitor all access to network resources and cardholder data
• Requirement 11: Regularly test security systems and processes
• Requirement 12: Maintain a policy that addresses information security



Interpretations
• There are many (at least one per auditor)
• Not generally as good as current ‘best practice’
• Implicitly hides merchants who don’t use ‘best practice’
• Advisory – “they won’t really fine us”



PCI Defense



PAN Sample (Front)



PAN Sample (Back)



PCI Defenses
• The standard
• The audit process
• Technical upgrades and workarounds
• Payment process improvements
• Best Practices for a modern enterprise



Defenses – the standard
• “The usual best-practices motherhood and hacker pie platitudes about computer security.”
• Intuitively obvious ‘requirements’
– Never save the CVV
– PAN should be encrypted when at rest
– PAN should be defended while in motion



PCI Defenses - Crypto
• Pre-Internet crypto use
• Vaguely bank-like crypto
• (Some) symmetric algorithms
• (Some) key hygiene
• (Some) use of encrypted data
• (Some) use of encryption in the network



PCI Defenses - Audit
• Country club auditors
• Non-technical
• Paid by merchant
• Interpreter of requirements
• Interpreter of solutions
• Anonymous



PCI Security Research



PCI Security Research
• Targets
– PAN
– End nodes
• Data
– At rest
– In motion
• Processes
– Merchant
– Back-end
– Contractual



PAN Research
• PAN Tester
– Credit card
– Gift Card
– Captive cards



PAN Tester (Front)



PAN Tester (Back)



Faux Credit Cards



Target Sample



Targets
• Decrepit POS terminals are mainstream
– Win2k is considered modern
– Very low horsepower
– Not patched
– Not encrypted
– On undefended network



Other Targets
• POS networks
– 2000 stores across the US talking to a central site is not a “private” network
– Substandard defenses by conventional enterprise standards
– Commingled with corporate networks
– Minimally funded security efforts



Other Targets
• Acquirer connection
• Out of bounds for merchant audits
• Not clear anyone checks them
• Defense of acquirer not discussed



Recon
• Physical security of end systems
• Process recon
• Web access
• PAN Processing flaws



PCI Violation



PCI “Crypto”



Crypto Vulnerabilities
• No key management
• Weak keys
• Poor key management
• Poor key hygiene
• Home-grown crypto
• Ignorance of crypto work in the last 5 years



Potential Crypto flaws
• SQL Injection to find keys in the database
• Format glitches
• Information leakage (first 6 plus last 4 == 6 decimal digits in namespace…)
• Key generation
• Algorithm implementations
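The “first 6 plus last 4” leak on the slide above, worked through as an added example that is not part of the deck: a 16-digit PAN displayed in PCI “first six, last four” form has six unknown digits, and the Luhn check digit (which the slide does not mention) fixes one of them, so an unkeyed hash stored beside the masked PAN can be matched against only 100,000 candidates. The `pan_token` keyed-hash helper and the sample PAN (a widely published Visa test number) are this example’s own assumptions.

```python
import hashlib
import hmac
import itertools

# Luhn (ISO/IEC 7812): counting from the rightmost digit, every second digit
# is doubled and its digits summed; the total must be 0 mod 10.
DOUBLED = [0, 2, 4, 6, 8, 1, 3, 5, 7, 9]


def _weight(pan_len, pos, digit):
    """Contribution of `digit` at index `pos` (0 = leftmost) to the Luhn sum."""
    from_right = pan_len - 1 - pos
    return DOUBLED[digit] if from_right % 2 else digit


def luhn_valid(pan):
    total = sum(_weight(len(pan), i, int(c)) for i, c in enumerate(pan))
    return total % 10 == 0


def mask_pan(pan):
    """PCI DSS display rule: at most the first six and last four in the clear."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def luhn_candidates(masked):
    """Count full PANs that fit `masked` and pass Luhn: enumerate every masked
    position but the last, solve the last from the check constraint (both Luhn
    digit maps are bijections on 0..9), then re-verify the completed PAN."""
    n = len(masked)
    holes = [i for i, c in enumerate(masked) if c == "*"]
    fixed = sum(_weight(n, i, int(c)) for i, c in enumerate(masked) if c != "*")
    last = holes[-1]
    inverse = {_weight(n, last, d): d for d in range(10)}  # weight -> digit
    digits = list(masked)
    count = 0
    for fill in itertools.product(range(10), repeat=len(holes) - 1):
        partial = fixed + sum(_weight(n, i, d) for i, d in zip(holes, fill))
        for i, d in zip(holes, fill):
            digits[i] = str(d)
        digits[last] = str(inverse[(-partial) % 10])
        if luhn_valid("".join(digits)):
            count += 1
    return count


def pan_token(pan, key):
    """Keyed hash (assumed mitigation): without `key` there is no offline search."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


# Constructed sample: a widely published Visa test number, not a real card.
SAMPLE_PAN = "4111111111111111"
```

The keyed token only helps if the key itself is managed, which is exactly the “no key management” weakness the next slides call out.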



Boring Attacks
• Porous perimeter
– Web site
• #include <web_site_attack.h>
– Storefront
• Digital limpet mines
• Bored quasi-geek employees
– Back office
• #include <frugal_dp_management.h>
– Corporate office
• #include <simple_enterprise_attacks.h>
Boring Targets
• Windows 2000 is “current” for POS terminals
• Databases contain keys, leaked information
• Effectively unsecured networks
– 40 bit WEP at best
• Genuinely unsecured networks
– Cleartext internal networks
Boring Exploits
• Anything in “The Idiot’s Guide to Attacking with Metasploit”
• All your (Cisco) passwords are belong to us
• Logs? We don’t need no steenkin’ logs
• Klingon logins (“authentication is for the weak and timid”)
• Passwords last changed when Reagan was President
• Passwords based on employee id/name
Conclusions
• A TJX-class incident might happen
– Oops old news.
• Someone might get caught using 40 bit WEP
– Oops old news.
• Someone might use a digital limpet mine
– Oops old news.
• Databases might be compromised…
Conclusions (Seriously)
• Major compromises are possible
• Litigation is possible
• Paypal on a bad day might be better than Visa
• People will start to question the use of pre-Internet legacy payment networks
• Merchants should use 21st century network defense technologies
• Merchants are enterprises handling money and should act accordingly
Credits
• Conference venue by Toorcon
• Three Stooges Driver’s License found at http://www.imhimports.com
• Driver’s License Spec: http://www.aamva.org/NR/rdonlyres/66260AD6-64B9-45E9-A253-B8AA32241BE0/0/2005DLIDCardSpecV2FINAL.pdf
• PAN Sample photographs by Operations
• PCI Standard: https://www.pcisecuritystandards.org/pdfs/pci_dss_v1-1.pdf
• Visa® Gift Card from Visa International Service Association http://www.visa.com issued by Wells Fargo® Bank
• Presentation software Office 2003™ Excel™ by Microsoft®

Disclaimer
No actual PANs were harmed in the production of this presentation.



Rodney Thayer
rodney@thesecurityconsortium.net
www.thesecurityconsortium.net

