The recent batch of mega retailers that have been compromised, including Target, Neiman Marcus and Michaels, has revealed just how vulnerable payment systems are. Even with sophisticated tools, strong security policies, updated regulatory requirements such as PCI v3 and other measures to mitigate these attacks, hackers are still able to compromise the systems by taking advantage of inherent vulnerabilities in payment systems.
In this webcast, payment systems expert Slava Gomzin, author of Hacking Point of Sale: Payment Application Secrets, Threats, and Solutions, will show us how retailers such as Target were compromised, what went wrong, failures in PCI to address all vulnerabilities and how these types of breaches can be prevented in the future.
Webcast participants will also receive a free sample chapter of Slava’s book on “Payment Application Architecture,” which provides a detailed overview of how payment systems work, protocols and their weaknesses.
1. Hacking Point of Sale:
How Everyone Can Learn from the Compromise of Mega Retailers
WITH SLAVA GOMZIN, SECURITY AND PAYMENTS TECHNOLOGIST, HP
AND KEN WESTIN, PRODUCT MARKETING MANAGER, TRIPWIRE
2. How Everyone Can Learn from the Compromise of Mega Retailers
Slava Gomzin, CISSP, PCIP, ECSP, Security+
Security and Payments Technologist, HP
3. What happened at Target
How PCI failed to protect them
What can be done to avoid such breaches
Q&A
6. 40 million – The number of credit and debit cards thieves stole from Target between Nov. 27 and Dec. 15, 2013.
70 million – The number of records stolen that included the name, address, email address and phone number of Target shoppers.
46 – The percentage drop in profits at Target in the fourth quarter of 2013, compared with the year before.
200 million – Estimated dollar cost to credit unions and community banks for reissuing 21.8 million cards, about half of the total stolen in the Target breach.
100 million – The number of dollars Target says it will spend upgrading its payment terminals to support Chip-and-PIN enabled cards.
7. The attackers were able to infect Target’s point-of-sale registers with a malware strain that stole credit and debit card data. The intruders also set up a control server within Target’s internal network that served as a central repository for data hoovered up from all of the infected registers.
8. The POS/PA must “touch” the memory and the hard drive of the hosting POS machine in order to process transaction data.
9. The POS must communicate with the outside world to get authorizations and process settlements.
15. PCI DSS – PCI Data Security Standard
PTS – PIN Transaction Security
PCI P2PE – PCI Point-to-Point Encryption
PA-DSS – Payment Application Data Security Standard
22. There is no reliable software technology today that would easily resolve the memory scraping problem without investing in new systems that introduce new protection methods, such as encrypting the data end to end. Therefore, payment software vendors are currently not obligated by PCI standards to protect the memory of their applications.
Instead, the merchants, the users of the software, are obligated to protect the memory of the computers running such applications by implementing different types of compensating mechanisms, such as the physical and network controls listed in the PCI DSS requirements.
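To make concrete what “protecting the memory” is up against, here is an added example (not from the slides or from Gomzin’s book) of the pattern matching a RAM scraper performs: it walks a byte buffer looking for ISO/IEC 7813 Track 1 and Track 2 layouts and keeps only hits whose PAN passes the Luhn check, which is how a scraper separates real card data from random digit runs. The same scan, run by the merchant over a process dump of its payment application, shows whether cleartext track data is present at all. The memory image is constructed inline from public test card numbers; the field names and offsets are the example’s own.

```python
import re

# Track 1 (ISO/IEC 7813): %B<PAN>^<NAME>^<YYMM><service code + discretionary data>?
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([^^?]{2,26})\^(\d{4})(\d*)\?")
# Track 2: ;<PAN>=<YYMM><service code + discretionary data>?
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d*)\?")


def luhn_ok(pan: str) -> bool:
    """Mod-10 check every PAN must pass; filters digit runs that merely look like track data."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """PCI DSS display rule: at most the first six and last four digits may be shown."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_card_data(buf: bytes, require_luhn: bool = True) -> list[dict]:
    """Scan a raw memory image for track data, the way a RAM scraper (or a PAN-discovery
    scan run by the merchant) does. Returns masked hits sorted by offset."""
    hits = []
    for track, regex in ((1, TRACK1_RE), (2, TRACK2_RE)):
        for m in regex.finditer(buf):
            pan = m.group(1).decode()
            expiry = m.group(3 if track == 1 else 2).decode()
            valid = luhn_ok(pan)
            if require_luhn and not valid:
                continue
            hits.append({"offset": m.start(), "track": track, "pan": mask_pan(pan),
                         "expiry": expiry, "luhn_ok": valid})
    return sorted(hits, key=lambda h: h["offset"])


# Constructed memory image: two hits built from public test card numbers plus
# a Luhn-invalid decoy, embedded in unrelated process memory. Not a real dump.
MEMORY_IMAGE = (
    b"\x00\x00MSVCRT.dll\x00\x00"
    b"%B4111111111111111^DOE/JOHN^25121011234567890?"   # Track 1, Luhn-valid
    b"\x00\x00\x00"
    b";5500000000000004=25121011234567890?"              # Track 2, Luhn-valid
    b"\x00ORDER=1234;QTY=2\x00"
    b";4111111111111112=2512101?"                        # Track 2 shape, Luhn fails
    b"\x00\x00"
)

if __name__ == "__main__":
    for hit in find_card_data(MEMORY_IMAGE):
        print(hit)
```

The scan only succeeds because the track data sits in memory in the clear. With P2PE the terminal encrypts the track inside the PIN entry device and the payment application never holds a plaintext PAN, so the regexes above find nothing, which is the architectural point the slide is making about compensating controls versus new systems.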
30. By the end of 2015, 70% of U.S. credit cards and 41% of U.S. debit cards will be EMV enabled, according to an Aite Group report.
PCI Audit Relief
PCI audit relief is applicable if 75 percent or more of the merchant’s transactions are captured at hybrid EMV terminals (supporting both contact and contactless interfaces). Even if the majority of transactions are from magnetic stripe-only cards, if they are performed at hybrid EMV terminals the relief is applicable.
PCI Audit Relief Dates:
Visa, Amex: October 2013
MC: October 2012
Liability Shift
The party, either the issuer or the merchant, who does not support EMV assumes liability for counterfeit card transactions.
Liability Shift Dates:
Visa, MC, Amex, Discover: October 2015
October 2017 for automated fuel dispensers (gas stations)
31. EMV does not provide security for online transactions
The card number is still keyed in for Internet purchases
EMV does not require data encryption
Data is still transferred in clear text between the POS and the payment processor
P2PE is still recommended to protect the data
EMV cards still have a mag stripe for fallback processing
Card data can be stolen
EMV vulnerabilities will be exploited once the US adopts EMV cards
Currently, there is no need to hack EMV because there is a mag stripe in the US
There are EMV contactless vulnerabilities already demonstrated at security conferences
Combining log intelligence, vulnerability data and security configuration information, we are then able to answer key security questions important to the business, for true security intelligence. Instead of simply providing reports we are able to answer specific questions with confidence, such as what systems are vulnerable, what systems are being attacked, which have already been compromised, which should we fix first, have we seen this before, when was it in a trusted state.
The basic idea of log intelligence is to make sense of the seemingly disparate events that are happening in your environment.
Usually this consists of log data from user systems, security devices, applications and other sources
In addition to this data, Tripwire also brings in additional layers of information including data from our Vulnerability Management solution as well as Security Configuration data. We are able then to correlate events, vulnerabilities and system state which provides higher resolution and business context around what is happening in your environment.
Through our powerful integrated correlation engine we provide actionable real-time intelligence which can trigger alerts, or actions such as automated remediation, or work with additional tools such as our certified integration with ArcSight, or a number of our other Technology Alliance Partners and other systems.
Tripwire also provides secure archives of this data paired with powerful security analytics and forensics tools for security and compliance.
The fact that they did not have the network their vendors had access to separated from their POS is troubling. Additionally, they should have had logging in place to monitor and keep track of vendor activity on their network. With Tripwire Log Center we have rules out of the box that help organizations monitor user activity closely on the network and correlate events across the network. Tripwire IP360 is our vulnerability management solution that is used by organizations to monitor and track where their systems are weak.
Hypothetical Target Attack – post on our blog in December before the breach was discovered.
Important to catch attackers in the act. When can you catch them and where is your best chance?
Recon, enumeration. In this case they found an HVAC vendor with access to Target. Small chance to detect at the recon phase.
Exploitation and entrenchment: for 2 weeks they could exfiltrate data, with a greater and greater chance of catching them.
Then they will cover their tracks if they are a good attacker.
Loaded a piece of malware onto a patch server, distributed to 1,800 stores across North America, 30 POS.
Malware pulled the credit card data out of memory, but it was updating a file share.
40 million credit cards.
Online Retailer:
Plagued by outages on their webservers
Security story: SQL injection at department store, batch file.
Automated cyber-security intelligence, including:
Security gap analysis
Proof of compliance
Executive reports for risk and compliance trending.
Sharing the techniques to:
Eliminate security gaps
Become compliant
Improve risk ratings
Automated Remediation:
Fix compliance issues with the push of a button
Approval workflows
Device Support: “You can go big with TW” – think enterprise with us.
50K devices being changed on Black Friday.
A lot of file integrity monitoring solutions simply run a scan at a set interval, some even a month apart. Continuous monitoring is critical in retail given the velocity of change.
Every time a card was swiped they could have detected it.
Configured not to create file shares, the data could not have been exfiltrated.
It took 7 days for them to send this information; they could have caught it in 6 days and would have avoided the breach.
We would have caught it in the first credit card swipe.
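The point about file shares and logging can be turned into a concrete rule. What follows is an added example, not Tripwire’s product logic and not a real Target artifact: it runs two detections over a constructed, simplified share-access log (the field layout, the register naming convention POS-<store>-<lane>, and the host and share names are all assumptions made for the example). Rule 1 flags any register that writes to a network share at all, since a register has no legitimate reason to. Rule 2 groups those writes by destination to surface one internal host collecting dumps from many registers, the “central repository” pattern described on slide 7.

```python
import re
from collections import defaultdict

# Hypothetical register naming convention, e.g. POS-1187-03 = store 1187, lane 03.
POS_HOST_RE = re.compile(r"^POS-\d{4}-\d{2}$")

# Simplified, constructed log format (not a real Windows or Tripwire event layout):
# <timestamp> host=<source> event=<share_write|share_read> target=<UNC path> bytes=<n>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\S+) target=(?P<target>\S+) bytes=(?P<bytes>\d+)$"
)


def parse_log(text: str) -> list[dict]:
    """Parse the constructed log into event dicts, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:  # tolerate noise instead of dropping the whole batch
            continue
        ev = m.groupdict()
        ev["bytes"] = int(ev["bytes"])
        events.append(ev)
    return events


def pos_share_writes(events: list[dict]) -> list[dict]:
    """Rule 1: a register writing to any network share is an alert on its own."""
    return [e for e in events if e["event"] == "share_write" and POS_HOST_RE.match(e["host"])]


def staging_candidates(events: list[dict], min_sources: int = 3) -> dict:
    """Rule 2: one destination receiving register writes from many distinct hosts
    is the signature of an internal collection point. Returns {target: {hosts, bytes}}."""
    by_target = defaultdict(lambda: {"hosts": set(), "bytes": 0})
    for e in pos_share_writes(events):
        by_target[e["target"]]["hosts"].add(e["host"])
        by_target[e["target"]]["bytes"] += e["bytes"]
    return {
        t: {"hosts": sorted(v["hosts"]), "bytes": v["bytes"]}
        for t, v in by_target.items()
        if len(v["hosts"]) >= min_sources
    }


# Constructed sample: one legitimate back-office write, four register writes
# converging on a single internal share, and one harmless register read.
SAMPLE_LOG = r"""
2013-12-02T01:58:44Z host=BO-0113-SRV event=share_write target=\\FS-CORP-02\reports bytes=51200
2013-12-02T02:15:01Z host=POS-1187-03 event=share_write target=\\SRV-INT-07\dump$ bytes=2048576
2013-12-02T02:15:09Z host=POS-1187-04 event=share_write target=\\SRV-INT-07\dump$ bytes=1993744
2013-12-02T02:15:12Z host=POS-0042-01 event=share_write target=\\SRV-INT-07\dump$ bytes=2110003
2013-12-02T02:16:30Z host=POS-1187-03 event=share_write target=\\SRV-INT-07\dump$ bytes=2047000
2013-12-02T02:20:00Z host=POS-0042-01 event=share_read target=\\FS-CORP-02\prices bytes=4096
"""

if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for alert in pos_share_writes(events):
        print("ALERT register wrote to share:", alert["host"], "->", alert["target"])
    for target, info in staging_candidates(events).items():
        print(f"STAGING {target}: {len(info['hosts'])} registers, {info['bytes']} bytes")
```

In a real estate the inputs would be share-access audit events or endpoint file telemetry rather than this made-up format, and rule 1 only works if the asset inventory reliably distinguishes registers from other hosts; rule 2 is the more robust of the two because it keys on the convergence of many sources onto one destination rather than on naming.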
Thank you for your questions
Thanks again to Charles Kolodgy from IDC for joining us today and sharing his thoughts on Vulnerability Management, and thanks to all of you for attending.
We hope that you found the presentation informative and interesting. Remember to rate and comment on this webcast, in the Ratings section. And be on the lookout for an email from me with the on-demand link to this event. Have a great week!