A Journey To Protect Points Of Sale

Nir Valtman, CISSP

W : www.valtman.org

. : @ValtmaNir

Introduction

2

Photo by Bill Fraser

3

03/09/2014 4

I’m an architect

5

6

7

Zombies!!!

8

Defacement

9

AntiDef

OPEN SOURCE

Memory Scraper

Secure TDD

10

Why Points Of Sale Targeted?

11

12

13

Deployment

14

15

16

17

18

Payment ApplicationPoint Of Sale

IS NOT

V

20

RAMDB

POS Payment Processing

Host

PA Server

Store Payment Processor’s Data Center

PA Client

RAM

DB

RAMDB

POS Payment Processing

Host

PA Server

Store Payment Processor’s Data Center

PA Client

RAM

DB

Rest Transit Memory

Where Are My Credit Cards?

Mobile App Presentation Server Application & Payment Server Payment Processor’s Data Center

Rest Transit Memory

Where Are My Credit Cards?

Mobile App Presentation Server Application & Payment Server Payment Processor’s Data Center

Token

Server

Credit

Cards

Retail

Environment

Assumptions

100% PCI Compliant

Retail

Environment

Assumptions

Retail

Environment

Assumptions

Retail

Environment

Assumptions

Notvulnerable

Retail

Environment

Assumptions

Retail

Environment

Assumptions

Cashier ≠ hacker

Retail

Environment

Assumptions

Big Brother

RATs

RemoteAdministrationTools

Routing

Threats

37

38

READ&WRITE

39

I AM BOB

ME TOO

Payment Stages - Authorization

40

PA

Processor

IssuerGateway

Acquirer

Route Track1/2 Transmit Track1/2

POI

Transmit Track1/2

Difficult

Exploitation

Payment Stages - Authorization

41

Payment Stages - Settlement

42Processor

IssuerGateway

Acquirer

Transmit SettlementStore & Send PANs

PA Server

Credit Merchant’s Account

Difficult

Exploitation

Payment Stages - Settlement

43

44

Memory Scraping

Demo by Idan Geula

http://securitytools.github.io/MemoryScraper/

45

46

47

OfflineOnline VS

Bypassed Solutions

49

50

SecureString Class

Demo

51

Next NextNextNext Next Generation Firewall

52

ANTI

*

53

54

Whitelist

MD5 SHA256

Correct Solutions

55

56

Cyber

Intelligence

57

I have access to POS terminals in the US,

what is the best malware I should use?

58

You need to infect the firmware of the terminal.

By doing that, you can get full track 1 + 2,

but the PIN will be hashed.

59

Selling malicious firmware for Verifone’s POS terminals.

Leaks dumps + PINs through GPRS.

Price: Only 700$

60

Business Development Offer

Owner of a fake POS sells his terminal.

Price: 50% from revenue sharing.

61

RFI: Change terminal configuration to require PIN for all cards.

Cause: Get only 101 data, but wants PINs

Proposed Solution:

Thermal Imager

62

Sandbox

63

Network-based

Anomaly Detection

64

Operating System

Anomaly Detection

65

Runtime Obfuscation

Not only products required

66

67

68

Performance Security

69

Assembly Signing

70

Assembly Obfuscation

PROCESS ISOLATION

What Next

72

?

? ?

?

??

?

?

??

??

? ?

?

What Would You Steal?

BIP BIP

74

Memory

Scraping

75

Memory

Scraping

Cashier = hacker

76

Memory

Scraping

Summary

77

78

Memory

Scraping

Security by Obscurity

79

Memory

Scraping

Simple Exploitation

80

Memory

Scraping

Hard to Protect

81

Memory

Scraping

You’re Insured

Nir Valtman

W : www.valtman.org

. : @ValtmaNir