
Page 1

8/7/2019 Rodney Thayer

http://slidepdf.com/reader/full/rodney-thayer 1/45

Plastic Money == Plastic Trust

Why you should never trust a merchant with your credit card

Page 2

TSC LABS Plastic Money - Plastic Trust 2

About this talk…

- Work in progress
- Agenda
  - Credit card backgrounder (hacker style)
  - PCI Overview & Defenses
  - PCI Flaws

Ongoing project, to be updated

Page 3

Who do you trust?

Page 4

A California Driver's License

Page 5

CA License Spec

Page 6

PAN Tester (Front)

Page 7

Commerce without Trust

- Cash Commerce
  - You visit a merchant
  - You give them (money)
  - They give you (goods or services)

Page 8

Commerce with Trust

- Diner's Club starts in the 50's
  - "A customer is as good as their name"
  - Merchant (via a Bank) extends 'credit'
  - Customer carries (paper) 'credit card'
  - Merchant trusts customer to pay
  - Customer extends no extra trust to merchant

Page 9

And the joke is…

- Credit cards are clonable
- Trusting the merchant was a bad idea

Page 10

PCI

Page 11

The Players…

- Customers
- Merchants
- Acquirers
- Banks
- Credit Card 'Associations'
- The bad guys

Page 12

Payment Card Industry

- Industry association
  - Agenda:
    - Defend the brand
    - Make the customers feel safe
    - Protect profits
  - "Standards" issued
  - Created auditor/expert role
  - Advocate of "PCI Security"

Page 13

Credit Cards

- ISO standard (ISO/IEC 7810/7811 for the card body and magnetic stripe, ISO/IEC 7813 for the track layout)
- Machine readable ("partially")
- Clonable
- Purely data: whatever a terminal reads from the stripe can be copied and written to another card
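To make "machine readable" and "purely data" concrete, here is a parser for ISO/IEC 7813 track 2 data as a stripe reader or skimmer delivers it. This is an added example, not code from the deck; the sample track string is constructed (the PAN is the well-known Visa test number 4111 1111 1111 1111, the expiry, service code and discretionary data are made up), and the service-code decoding covers only the digits noted in the comments.

```python
import re
from dataclasses import dataclass

# Constructed sample, not a real card: 4111... is the public Visa test PAN;
# expiry (YYMM), service code and discretionary data are invented.
SAMPLE_TRACK2 = ";4111111111111111=2512101123456789?"

# ISO/IEC 7813 track 2 in its ASCII rendering:
#   ';' start sentinel, PAN (up to 19 digits), '=' field separator,
#   YYMM expiry, 3-digit service code, discretionary data, '?' end sentinel.
TRACK2_RE = re.compile(
    r"^;(?P<pan>\d{1,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\?$"
)


def luhn_valid(pan: str) -> bool:
    """Luhn check-digit test (ISO/IEC 7812); every real PAN passes it."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class Track2:
    pan: str
    expiry_yymm: str
    service_code: str
    discretionary: str      # issuer data; on real cards typically carries CVV1

    def luhn_ok(self) -> bool:
        return luhn_valid(self.pan)

    def chip_card(self) -> bool:
        # Service code digit 1: 2 or 6 = IC (chip) present, use it where possible;
        # 1 or 5 = magnetic stripe only.
        return self.service_code[0] in "26"

    def pin_required(self) -> bool:
        # Service code digit 3: 0, 3 and 5 require a PIN.
        return self.service_code[2] in "035"

    def masked_pan(self) -> str:
        """First six and last four: the most PCI DSS allows on a display."""
        return self.pan[:6] + "*" * (len(self.pan) - 10) + self.pan[-4:]


def parse_track2(raw: str) -> Track2:
    m = TRACK2_RE.match(raw)
    if not m:
        raise ValueError("not ISO/IEC 7813 track 2 data")
    return Track2(m["pan"], m["exp"], m["svc"], m["disc"])


def pci_storable(t: Track2) -> dict:
    """What a merchant may keep after authorization: never the full track and
    never the discretionary data (sensitive authentication data)."""
    return {"pan_masked": t.masked_pan(), "expiry": t.expiry_yymm}


if __name__ == "__main__":
    t = parse_track2(SAMPLE_TRACK2)
    print(t)
    print("luhn:", t.luhn_ok(), "chip:", t.chip_card(), "pin:", t.pin_required())
    print("storable:", pci_storable(t))
```

Everything the terminal needs to authorize a swipe is in that one string; nothing on the stripe is secret from whoever reads it, which is the whole "clonable" point.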

Page 14

CC Process Assumptions

- ("CC" means credit card)
- The customer will defend the CC
- The merchant will defend the CC
- It's hard to steal the CC
- If the CC is stolen, revocation will minimize damage

Page 15

PCI "Standard"

(The twelve requirements of PCI DSS v1.1, the version cited in the credits.)

- Requirement 1: Install and maintain a firewall configuration to protect cardholder data
- Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
- Requirement 3: Protect stored cardholder data
- Requirement 4: Encrypt transmission of cardholder data across open, public networks
- Requirement 5: Use and regularly update anti-virus software
- Requirement 6: Develop and maintain secure systems and applications
- Requirement 7: Restrict access to cardholder data by business need-to-know
- Requirement 8: Assign a unique ID to each person with computer access
- Requirement 9: Restrict physical access to cardholder data
- Requirement 10: Track and monitor all access to network resources and cardholder data
- Requirement 11: Regularly test security systems and processes
- Requirement 12: Maintain a policy that addresses information security

Page 16

Interpretations

- There are many (at least one per auditor)
- Not generally as good as current 'best practice'
- Implicitly hides merchants who don't use 'best practice'
- Advisory: "they won't really fine us"

Page 17

PCI Defense

Page 18

PAN Sample (Front)

Page 19

PAN Sample (Back)

Page 20

PCI Defenses

- The standard
- The audit process
- Technical upgrades and workarounds
- Payment process improvements
- Best Practices for a modern enterprise

Page 21

Defenses: the standard

- "The usual best-practices motherhood and hacker pie platitudes about computer security."
- Intuitively obvious 'requirements'
  - Never save the CVV (PCI DSS forbids storing sensitive authentication data after authorization, even encrypted)
  - PAN should be encrypted when at rest
  - PAN should be defended while in motion

Page 22

PCI Defenses: Crypto

- Pre-Internet crypto use
- Vaguely bank-like crypto
- (Some) symmetric algorithms
- (Some) key hygiene
- (Some) use of encrypted data
- (Some) use of encryption in the network

Page 23

PCI Defenses: Audit

- Country club auditors
- Non-technical
- Paid by merchant
- Interpreter of requirements
- Interpreter of solutions
- Anonymous

Page 24

PCI Security Research

Page 25

PCI Security Research

- Targets
  - PAN
  - End nodes
- Data
  - At rest
  - In motion
- Processes
  - Merchant
  - Back-end
  - Contractual

Page 26

PAN Research

- PAN Tester
  - Credit card
  - Gift Card
  - Captive cards

Page 27

PAN Tester (Front)

Page 28

PAN Tester (Back)

Page 29

Faux Credit Cards

Page 30

Target Sample

Page 31

Targets

- Decrepit POS terminals are mainstream
  - Win2k is considered modern
  - Very low horsepower
  - Not patched
  - Not encrypted
  - On undefended network

Page 32

Page 33

Other Targets

- Acquirer connection
- Out of bounds for merchant audits
- Not clear anyone checks them
- Defense of acquirer not discussed

Page 34

Recon

- Physical security of end systems
- Process recon
- Web access
- PAN Processing flaws

Page 35

PCI Violation

Page 36

PCI "Crypto"

Page 37

Crypto Vulnerabilities

- No key management
- Weak keys
- Poor key management
- Poor key hygiene
- Home-grown crypto
- Ignorance of crypto work in the last 5 years

Page 38

Potential Crypto flaws

- SQL Injection to find keys in the database
- Format glitches
- Information leakage (first 6 plus last 4 == 6 decimal digits in namespace…: a 16-digit PAN masked that way leaves 10^6 candidates, and only 10^5 once the Luhn check digit is accounted for)
- Key generation
- Algorithm implementations
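The information-leakage bullet, worked through. This is an added example rather than anything from the deck: given a PAN masked to its first six and last four digits, it counts and enumerates every Luhn-valid completion, showing that the nominal 10^6 search space collapses to 10^5 because the known check digit fixes one of the hidden digits. The masked value is constructed from the public Visa test number 4111 1111 1111 1111; the code generalizes to any number and placement of hidden digits, not just the six-in-the-middle case on the slide.

```python
import itertools


def luhn_weight(pos_from_right: int, d: int) -> int:
    """Contribution of digit d at position pos_from_right (0 = check digit)
    to the Luhn sum. The doubled-digit transform is a bijection on 0..9."""
    if pos_from_right % 2 == 0:
        return d
    d2 = d * 2
    return d2 - 9 if d2 > 9 else d2


def luhn_valid(pan: str) -> bool:
    return sum(luhn_weight(i, int(c)) for i, c in enumerate(reversed(pan))) % 10 == 0


def candidate_count(masked: str) -> int:
    """Number of Luhn-valid PANs matching a mask with k '*' digits: 10^(k-1).
    For each choice of k-1 hidden digits exactly one value of the remaining
    hidden digit makes the known check digit come out right."""
    k = masked.count("*")
    if k == 0:
        return 1 if luhn_valid(masked) else 0
    return 10 ** (k - 1)


def expand_masked_pan(masked: str):
    """Yield every Luhn-valid PAN that fits the mask, e.g. '411111******1111'.
    Enumerates 10^(k-1) combinations and solves for the last hidden digit
    instead of brute-forcing 10^k and filtering."""
    n = len(masked)
    hidden = [i for i, c in enumerate(masked) if c == "*"]
    if not hidden:
        if luhn_valid(masked):
            yield masked
        return
    known = sum(luhn_weight(n - 1 - i, int(c)) for i, c in enumerate(masked) if c != "*")
    *free, last = hidden
    last_pos = n - 1 - last
    # Invert the weight function at the position of the digit we solve for.
    inverse = {luhn_weight(last_pos, d): d for d in range(10)}
    pan = list(masked)
    for digits in itertools.product("0123456789", repeat=len(free)):
        s = known
        for i, c in zip(free, digits):
            pan[i] = c
            s += luhn_weight(n - 1 - i, int(c))
        pan[last] = str(inverse[(-s) % 10])   # the one digit that zeroes the sum mod 10
        yield "".join(pan)


if __name__ == "__main__":
    # Constructed mask: Visa test PAN with the middle six digits hidden.
    mask = "411111******1111"
    print("raw namespace:", 10 ** mask.count("*"))
    print("Luhn-valid:   ", candidate_count(mask))
    print("first three:  ", list(itertools.islice(expand_masked_pan(mask), 3)))
```

A masked PAN in a log, receipt or "anonymized" export is therefore a 100,000-way multiple choice, not a secret; combine it with a leaked expiry date and a card-not-present check becomes practical to brute-force.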

Page 39

Boring Attacks

- Porous perimeter
  - Web site
    - #include <web_site_attack.h>
  - Storefront
    - Digital limpet mines
    - Bored quasi-geek employees
  - Back office
    - #include <frugal_dp_management.h>
  - Corporate office
    - #include <simple_enterprise_attacks.h>

Page 40

Boring Targets

- Windows 2000 is "current" for POS terminals
- Databases contain keys, leaked information
- Effectively unsecured networks
  - 40-bit WEP at best
- Genuinely unsecured networks
  - Cleartext internal networks
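"SQL Injection to find keys in the database" on the Potential Crypto flaws slide and "Databases contain keys" here are the same design error seen from two sides: the data-encrypting key sits in the same database as the ciphertext, so any query the attacker can steer will hand it over. The following is an added example, not code from the deck: an in-memory SQLite store with constructed rows, a receipt lookup written by string concatenation that a UNION payload turns into a key dump, the bound-parameter version that refuses it, and a small audit query for key material living in the database. Table and column names (`orders`, `app_config`, `pan_dek`) are assumptions for the illustration.

```python
import sqlite3

# Assumed config row name for the data-encrypting key (illustration only).
KEY_ROW_NAME = "pan_dek"
CONSTRUCTED_KEY = "00112233445566778899aabbccddeeff"


def build_store() -> sqlite3.Connection:
    """Constructed sample schema: PAN ciphertext in `orders` and, in the
    anti-pattern the deck describes, the key that decrypts it in `app_config`
    right beside it. Rows are invented."""
    con = sqlite3.connect(":memory:")
    con.executescript(f"""
        CREATE TABLE orders (id INTEGER PRIMARY KEY, pan_ct TEXT, pan_last4 TEXT);
        CREATE TABLE app_config (name TEXT PRIMARY KEY, value TEXT);
        INSERT INTO orders VALUES (1, 'c8f2...constructed-ciphertext', '1111');
        INSERT INTO orders VALUES (2, '19ab...constructed-ciphertext', '4444');
        INSERT INTO app_config VALUES ('{KEY_ROW_NAME}', '{CONSTRUCTED_KEY}');
        INSERT INTO app_config VALUES ('site_name', 'Example Store');
    """)
    return con


def lookup_last4_vulnerable(con: sqlite3.Connection, order_id: str) -> list:
    """Receipt lookup as too often written: the order id from the web form is
    pasted into the SQL text, so whoever fills in the form writes the query."""
    sql = "SELECT pan_last4 FROM orders WHERE id = " + order_id
    return [row[0] for row in con.execute(sql)]


def lookup_last4_fixed(con: sqlite3.Connection, order_id: str) -> list:
    """Same lookup hardened: validate the shape of the input, then bind it as a
    value. The SQL text is a constant; the input can never become SQL."""
    if not order_id.isdigit():
        return []                       # not an order number, nothing to look up
    sql = "SELECT pan_last4 FROM orders WHERE id = ?"
    return [row[0] for row in con.execute(sql, (int(order_id),))]


# The attacker does not care about last-four digits; the UNION appends the key.
KEY_DUMP_PAYLOAD = (
    "1 UNION SELECT value FROM app_config WHERE name = '" + KEY_ROW_NAME + "'"
)


def key_material_in_db(con: sqlite3.Connection) -> list:
    """Audit helper: config rows whose name suggests key material. Anything it
    returns shares the database's fate (injection, backups, DBA access) and
    belongs in an HSM or a key-management service instead."""
    rows = con.execute(
        "SELECT name FROM app_config "
        "WHERE lower(name) LIKE '%key%' OR lower(name) LIKE '%dek%'"
    )
    return [r[0] for r in rows]


if __name__ == "__main__":
    con = build_store()
    print("vulnerable:", lookup_last4_vulnerable(con, KEY_DUMP_PAYLOAD))
    print("fixed:     ", lookup_last4_fixed(con, KEY_DUMP_PAYLOAD))
    print("keys in db:", key_material_in_db(con))
```

Parameter binding closes the injection (Requirement 6), but the audit query is the more important check: as long as the key is a row in the cardholder-data database, every other path to that database, a stolen backup included, is also a path to the plaintext PANs, which is what Requirement 3's key-protection clauses are about.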

Page 41

Boring Exploits

- Anything in "The Idiot's Guide to Attacking with Metasploit"
- All your (Cisco) passwords are belong to us
- Logs? We don't need no steenkin' logs
- Klingon logins ("authentication is for the weak and timid")
- Passwords last changed when Reagan was President
- Passwords based on employee id/name

Page 42

Conclusions

- A TJX-class incident might happen
  - Oops, old news.
- Someone might get caught using 40-bit WEP
  - Oops, old news.
- Someone might use a digital limpet mine
  - Oops, old news.
- Databases might be compromised…

Page 43

Conclusions (Seriously)

- Major compromises are possible
- Litigation is possible
- Paypal on a bad day might be better than Visa
- People will start to question the use of pre-Internet legacy payment networks
- Merchants should use 21st century network defense technologies
- Merchants are enterprises handling money and should act accordingly

Page 44

Credits

- Conference venue by Toorcon
- Three Stooges Driver's License found at http://www.imhimports.com
- Driver's License Spec: http://www.aamva.org/NR/rdonlyres/66260AD6-64B9-45E9-A253-B8AA32241BE0/0/2005DLIDCardSpecV2FINAL.pdf
- PAN Sample photographs by Operations
- PCI Standard: https://www.pcisecuritystandards.org/pdfs/pci_dss_v1-1.pdf
- Visa® Gift Card from Visa International Service Association http://www.visa.com issued by Wells Fargo® Bank
- Presentation software: Office 2003 and Excel by Microsoft®

Disclaimer

No actual PANs were harmed in the production of this presentation.

Page 45

Rodney Thayer 

[email protected]

www.thesecurityconsortium.net