a journey to protect points of sale - black hat | home€¦ · ram db pos payment processing host...
TRANSCRIPT
A Journey To Protect Points Of Sale
Nir Valtman, CISSP
W : www.valtman.org
. : @ValtmaNir
Introduction
2
Photo by Bill Fraser
01/07/2014 3
01/07/2014 4
I’m an architect
5
01/07/2014 6
7
Zombies!!!
8
Defacement
9
AntiDef
OPEN SOURCE
Memory Scraper
Secure TDD
10
Why Points Of Sale Targeted?
11
12
13
Deployment
14
15
16
17
18
Payment ApplicationPoint Of Sale
IS NOT
V
20
RAMDB
POS Payment Processing
Host
PA Server
Store Payment Processor’s Data Center
PA Client
RAM
DB
RAMDB
POS Payment Processing
Host
PA Server
Store Payment Processor’s Data Center
PA Client
RAM
DB
Rest Transit Memory
Where Are My Credit Cards?
Mobile App Presentation Server Application & Payment Server Payment Processor’s Data Center
Rest Transit Memory
Where Are My Credit Cards?
Mobile App Presentation Server Application & Payment Server Payment Processor’s Data Center
Token
Server
Credit
Cards
Retail
Environment
Assumptions
100% PCI Compliant
Retail
Environment
Assumptions
Retail
Environment
Assumptions
Retail
Environment
Assumptions
Notvulnerable
Retail
Environment
Assumptions
Retail
Environment
Assumptions
Cashier ≠ hacker
Retail
Environment
Assumptions
Big Brother
RATs
RemoteAdministrationTools
Routing
Threats
37
38
READ&WRITE
39
I AM BOB
ME TOO
Payment Stages - Authorization
40
PA
Processor
IssuerGateway
Acquirer
Route Track1/2 Transmit Track1/2
POI
Transmit Track1/2
Difficult
Exploitation
Payment Stages - Authorization
41
Payment Stages - Settlement
42Processor
IssuerGateway
Acquirer
Transmit SettlementStore & Send PANs
PA Server
Credit Merchant’s Account
Difficult
Exploitation
Payment Stages - Settlement
43
44
Memory Scraping
Demo
45
46
47
OfflineOnline VS
Bypassed Solutions
49
50
SecureString Class
Demo
51
Next NextNextNext Next Generation Firewall
52
ANTI
*
53
54
Whitelist
MD5 SHA256
Correct Solutions
55
56
Cyber
Intelligence
57
I have access to POS terminals in the US,
what is the best malware I should use?
58
You need to infect the firmware of the terminal.
By doing that, you can get full track 1 + 2,
but the PIN will be hashed.
59
Selling malicious firmware for Verifone’s POS terminals.
Leaks dumps + PINs through GPRS.
Price: Only 700$
60
Business Development Offer
Owner of a fake POS sells his terminal.
Price: 50% from revenue sharing.
61
RFI: Change terminal configuration to require PIN for all cards.
Cause: Get only 101 data, but wants PINs
Proposed Solution:
Thermal Imager
62
Sandbox
63
Network-based
Anomaly Detection
64
Operating System
Anomaly Detection
65
Runtime Obfuscation
Not only products required
66
67
68
Performance Security
69
Assembly Signing
70
Assembly Obfuscation
PROCESS ISOLATION
What Next
72
?
? ?
?
??
?
?
??
??
? ?
?
What Would You Steal?
BIP BIP
74
Memory
Scraping
75
Memory
Scraping
Cashier = hacker
76
Memory
Scraping
Summary
77
78
Memory
Scraping
Security by Obscurity
79
Memory
Scraping
Simple Exploitation
80
Memory
Scraping
Hard to Protect
81
Memory
Scraping
You’re Insured
Nir Valtman
W : www.valtman.org
. : @ValtmaNir