Plastic Money == Plastic Trust
Why you should never trust a merchant with your credit card
TSC LABS

Slide 2: About this talk…
- Work in progress
- Agenda
  - Credit card backgrounder (hacker style)
  - PCI Overview & Defenses
  - PCI Flaws
- Ongoing project, to be updated

Slide 3: Who do you trust?

Slide 4: A California Driver’s License

Slide 5: CA License Spec

Slide 6: PAN Tester (Front)

Slide 7: Commerce without Trust
- Cash Commerce
  - You visit a merchant
  - You give them (money)
  - They give you (goods or services)

Slide 8: Commerce with Trust
- Diner’s Club starts in the 50’s
- “A customer is as good as their name”
- Merchant (via a Bank) extends ‘credit’
- Customer carries (paper) ‘credit card’
- Merchant trusts customer to pay
- Customer extends no extra trust to merchant

Slide 9: And the joke is…
- Credit cards are clonable
- Trusting the merchant was a bad idea

Slide 10: PCI

Slide 11: The Players…
- Customers
- Merchants
- Acquirers
- Banks
- Credit Card ‘Associations’
- The bad guys

Slide 12: Payment Card Industry
- Industry association
- Agenda: defend the brand
  - Make the customers feel safe
  - Protect profits
- “Standards” issued
- Created auditor/expert role
- Advocate of “PCI Security”

Slide 13: Credit Cards
- ISO Standard
- Machine readable (“partially”)
- Clonable
- Purely data

Slide 14: CC Process Assumptions (“CC” means credit card)
- The customer will defend the CC
- The merchant will defend the CC
- It’s hard to steal the CC
- If the CC is stolen, revocation will minimize damage

Slide 15: PCI “Standard”
- Requirement 1: Install and maintain a firewall configuration to protect cardholder data
- Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
- Requirement 3: Protect stored cardholder data
- Requirement 4: Encrypt transmission of cardholder data across open, public networks
- Requirement 5: Use and regularly update anti-virus software
- Requirement 6: Develop and maintain secure systems and applications
- Requirement 7: Restrict access to cardholder data by business need-to-know
- Requirement 8: Assign a unique ID to each person with computer access
- Requirement 9: Restrict physical access to cardholder data
- Requirement 10: Track and monitor all access to network resources and cardholder data
- Requirement 11: Regularly test security systems and processes
- Requirement 12: Maintain a policy that addresses information security

Slide 16: Interpretations
- There are many (at least one per auditor)
- Not generally as good as current ‘best practice’
- Implicitly hides merchants who don’t use ‘best practice’
- Advisory – “they won’t really fine us”

Slide 17: PCI Defense

Slide 18: PAN Sample (Front)

Slide 19: PAN Sample (Back)

Slide 20: PCI Defenses
- The standard
- The audit process
- Technical upgrades and workarounds
- Payment process improvements
- Best Practices for a modern enterprise

Slide 21: Defenses – the standard
- “The usual best-practices motherhood and hacker pie platitudes about computer security.”
- Intuitively obvious ‘requirements’
  - Never save the CVV
  - PAN should be encrypted when at rest
  - PAN should be defended while in motion

Slide 22: PCI Defenses - Crypto
- Pre-Internet crypto use
- Vaguely bank-like crypto
- (Some) symmetric algorithms
- (Some) key hygiene
- (Some) use of encrypted data
- (Some) use of encryption in the network

Slide 23: PCI Defenses - Audit
- Country club auditors
- Non-technical
- Paid by merchant
- Interpreter of requirements
- Interpreter of solutions
- anonymous

Slide 24: PCI Security Research

Slide 25: PCI Security Research
- Targets
  - PAN
  - End nodes
  - Data
    - At rest
    - In motion
  - Processes
    - Merchant
    - Back-end
    - Contractual

Slide 26: PAN Research
- PAN Tester
- Credit card
- Gift Card
- Captive cards

Slide 27: PAN Tester (Front)

Slide 28: PAN Tester (Back)

Slide 29: Faux Credit Cards

Slide 30: Target Sample

Slide 31: Targets
- Decrepit POS terminals are mainstream
  - Win2k is considered modern
  - Very low horsepower
  - Not patched
  - Not encrypted
  - On undefended network

Slide 32: Other Targets
- POS networks
  - 2000 stores across the US talking to a central site is not a “private” network
  - Substandard defenses by conventional enterprise standards
  - Commingled with corporate networks
  - Minimally funded security efforts

Slide 33: Other Targets
- Acquirer connection
  - Out of bounds for merchant audits
  - Not clear anyone checks them
  - Defense of acquirer not discussed

Slide 34: Recon
- Physical security of end systems
- Process recon
- Web access
- PAN Processing flaws

Slide 35: PCI Violation

Slide 36: PCI “Crypto”

Slide 37: Crypto Vulnerabilities
- No key management
- Weak keys
- Poor key management
- Poor key hygiene
- Home-grown crypto
- Ignorance of crypto work in the last 5 years

Slide 38: Potential Crypto flaws
- SQL Injection to find keys in the database
- Format glitches
- Information leakage (first 6 plus last 4 == 6 decimal digits in namespace…)
- Key generation
- Algorithm implementations

Slide 39: Boring Attacks
- Porous perimeter
- Web site: #include <web_site_attack.h>
- Storefront
  - Digital limpet mines
  - Bored quasi-geek employees
- Back office: #include <frugal_dp_management.h>
- Corporate office: #include <simple_enterprise_attacks.h>

Slide 40: Boring Targets
- Windows 2000 is “current” for POS terminals
- Databases contain keys, leaked information
- Effectively unsecured networks
  - 40 bit WEP at best
- Genuinely unsecured networks
  - Cleartext internal networks

Slide 41: Boring Exploits
- Anything in “The Idiot’s Guide to Attacking with Metasploit”
- All your (Cisco) passwords are belong to us
- Logs? We don’t need no steenkin’ logs
- Klingon logins (“authentication is for the weak and timid”)
- Passwords last changed when Reagan was President
- Passwords based on employee id/name

Slide 42: Conclusions
- A TJX-class incident might happen
  - Oops, old news.
- Someone might get caught using 40 bit WEP
  - Oops, old news.
- Someone might use a digital limpet mine
  - Oops, old news.
- Databases might be compromised…

Slide 43: Conclusions (Seriously)
- Major compromises are possible
- Litigation is possible
- Paypal on a bad day might be better than Visa
- People will start to question the use of pre-Internet legacy payment networks
- Merchants should use 21st century network defense technologies
- Merchants are enterprises handling money and should act accordingly

Slide 44: Credits
- Conference venue by Toorcon
- Three Stooges Driver’s License found at http://www.imhimports.com
- Driver’s License Spec: http://www.aamva.org/NR/rdonlyres/66260AD6-64B9-45E9-A253-B8AA32241BE0/0/2005DLIDCardSpecV2FINAL.pdf
- PAN Sample photographs by Operations
- PCI Standard: https://www.pcisecuritystandards.org/pdfs/pci_dss_v1-1.pdf
- Visa® Gift Card from Visa International Service Association http://www.visa.com, issued by Wells Fargo® Bank
- Presentation software: Office 2003™ Excel™ by Microsoft®
- Disclaimer: No actual PANs were harmed in the production of this presentation.

Slide 45
Rodney Thayer
rodney@thesecurityconsortium.net
www.thesecurityconsortium.net
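The “first 6 plus last 4 == 6 decimal digits in namespace” bullet on the Potential Crypto flaws slide is the deck’s one quantitative point. As an added example that is not part of the talk, the Python below counts how many full PANs remain consistent with a masked PAN once the Luhn check digit is taken into account; the sample PAN is the public Visa test number 4111111111111111 and the mask format (first six, asterisks, last four) is assumed.

```python
"""Added example (not from the talk): what first-6 + last-4 masking leaves of a PAN.
The sample PAN is the public Visa test number; the mask format is assumed."""
import math

# Luhn contribution of a digit in a "doubled" position (every second digit
# counting from the right). Note it is a permutation of 0..9, like the identity.
DOUBLED = [0, 2, 4, 6, 8, 1, 3, 5, 7, 9]


def luhn_valid(pan: str) -> bool:
    """Standard mod-10 (Luhn) check over a string of decimal digits."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        total += DOUBLED[d] if i % 2 else d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Masking as the deck describes it: keep the first six and last four."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def luhn_completions(masked: str) -> int:
    """Count full PANs that match a masked PAN and pass the Luhn check.

    Dynamic programming over the running Luhn sum mod 10: each '*' spreads
    the residue distribution over its ten possible contributions. Because
    both digit maps are permutations mod 10, every '*' after the first is a
    free choice, so the answer is 10 ** (stars - 1) for any valid mask.
    """
    n = len(masked)
    dist = [1] + [0] * 9  # dist[r]: ways the digits so far sum to r (mod 10)
    for i, ch in enumerate(masked):
        doubled = (n - 1 - i) % 2 == 1
        choices = range(10) if ch == "*" else [int(ch)]
        new = [0] * 10
        for r, ways in enumerate(dist):
            for d in choices:
                c = DOUBLED[d] if doubled else d
                new[(r + c) % 10] += ways
        dist = new
    return dist[0]


def remaining_bits(masked: str) -> float:
    """Entropy (bits) left in the PAN once the masked form is known."""
    return math.log2(luhn_completions(masked))
```

For a 16-digit PAN the 10^6 candidates the slide mentions shrink to 10^5 (about 16.6 bits) once Luhn is applied, which is why a masked PAN stored beside its ciphertext, or beside an unsalted hash, is not harmless.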