1. Recent Payment Card Industry Hacks
Techniques used; & possible Defense
Muhammad Faisal Naqvi
CISSP, CISA, ISO27K LA & MI, ISO20K I, AMBCI
ACMA inter, MS E-Commerce (Gold)
2. Agenda
• MOM Analysis (Motives, Opportunities & Means)
• International Incidents
• Regional Incidents
• Statistics about Payment Card Industry Hacks
• Who are the Culprits?
• What are the Motives?
• What are the Means?
• Which Assets are under Attack?
• What could be Possible Defense?
4. Banking data stolen from Millions
• News Date: 04 April 2012
• Country: UK
• Means: Trojans e.g. Zeus & Spyeye to collect personal
details
• Opportunity: Social Engineering
• Motive: Fun, curiosity, or pride ($3,800 in 20 Months)
• Source: www.theregister.co.uk
5. Attack on one-time-passwords on mobile
• News Date: 15 March 2012
• Country: USA
• Means:
1. Used Gozi Trojan to steal IMEI # of Account Holder
2. Report about lost/ stolen device & new SIM request
3. All one-time-passwords will come on new SIM
• Opportunity: partner’s weak processes
• Source: www.computerworld.com
6. Millions customers of famous Bank at
risk NFC attack
• News Date: 23 March 2012
• Country: UK
• Means: Contactless readers in mobile phones
to extract card data even through wallets or bags
• Opportunity:
• Excessive card details
• Weak merchant process
• Motive: Online Shopping
• Source: www.channel4.com
7. Gang of 50 steals at least $7 million
• News Date: 11 May 2012
• Country: Canada
• Means: Installing Skimmers on stolen POS Machines in
< 1 Hr.
• Opportunity:
• Physical Security
• Lack of Monitoring
• Motive: $7 million
• Source: www.wired.com
8. 111 Arrested In Identity Theft Probe
• News Date: 10 October 2011
• Country: USA
• Means: bank tellers, retail workers, waiters
• Opportunity: Weak processes
• Motive: $13m in 16 Months
• Source: www.bbc.co.uk
Thermal Image showing
sequence of keys
pressed
9. Hackers Skim Customers’ Credit Cards
via Self-Checkout
• News Date: 7 December 2011
• Country: USA
• Means: Skimmers
• Opportunity: Physical Security
• Motive: Financial gain
• Source: news.cnet.com
10. Gang Used 3D Printers for Skimmers
• News Date: 20 September 2011
• Country: USA
• Means: 3D Printed Skimmers
• Opportunity: Physical Security
• Motive: $400,000
• Source: krebsonsecurity.com
11. Adult web site breached 40,000 Cards
data
• News Date: 12 March 2012
• Country: USA
• Means: Server Hack
• Opportunity: ?
• Motive: 40,000 CC numbers, expiry dates, security
codes along with user IDs, email addresses, passwords.
• Source: www.scmagazine.com
12. More than 10 million cards may have
been compromised
• News Date: 30 March 2012
• Country: USA
• Means: Servers Hacked
• Opportunity: ?
• Motive: Track 2 data (card's primary account number,
expiration date, service code, PIN and CVV number)
• Source: www.bbc.com
13. Gang stole $13 million in a day
• News Date: 26 August 2011
• Country: USA, Greece, Russia, Spain, Sweden,
Ukraine, UK
• Means: Remote Access to prepaid cards database
update cards set bal = 10000 where ccno=12345678910
• Opportunity: Stolen credentials
• Motive: $13 million
• Source: www.msnbc.msn.com
14. Simple URL manipulation affected over
360,000 cards & $2.7M
• News Date: 27 June 2011
• Country: USA
• Means: script
• Opportunity: Insecure Direct Object References
https://www.onlinebank.com/user?acct=6065
• Motive: $2.7M
• Source: www.informationweek.com
17. Saudi (claimed) Hackers Expose 15,000
Israelis' Credit Cards
• News Date: 01 January 2012
• Country: Israel
• Means: Sports Web Site
• Opportunity: ?
• Motive: Hacktivism
• Source: www.israelnationalnews.com
• Hacker died just after 2 days of getting Govt. Job
• www.emirates247.com
18. Two hospital employees arrested on
credit card fraud charges
• News Date: April 10, 2012
• Country: UAE
• Means: Online Shopping
• Opportunity: Visible Credit Card Information
• Motive: Dh9,300
• Source: gulfnews.com
19. Police arrest suspect for credit card
forgery
• News Date: 26 April 2011
• Country: UAE
• Means: Expired cards, card copier, card data from web
• Opportunity:
• Motive: Financial
• Source: gulfnews.com