Plastic Money Plastic Trust - PowerPoint PPT Presentation

About This Presentation
Title:

Plastic Money Plastic Trust

Description:

Digital limpet mines. Bored quasi-geek employees. Back office ... Someone might use a digital limpet mine. Oops old news. Databases might be compromised... – PowerPoint PPT presentation

Slides: 46

Transcript and Presenter's Notes

1
Plastic Money Plastic Trust
  • Why you should never trust a merchant with your
    credit card

2
About this talk
  • Work in progress
  • Agenda
  • Credit card backgrounder (hacker style)
  • PCI Overview and Defenses
  • PCI Flaws
  • Ongoing project, to be updated

3
Who do you trust?
4
A California Driver's License
5
CA License Spec
6
PAN Tester (Front)
7
Commerce without Trust
  • Cash Commerce
  • You visit a merchant
  • You give them (money)
  • They give you (goods or services)

8
Commerce with Trust
  • Diners Club starts in the 50s
  • A customer is as good as their name
  • Merchant (via a Bank) extends credit
  • Customer carries (paper) credit card
  • Merchant trusts customer to pay
  • Customer extends no extra trust to merchant

9
And the joke is
  • Credit cards are clonable
  • Trusting the merchant was a bad idea

10
PCI
11
The Players
  • Customers
  • Merchants
  • Acquirers
  • Banks
  • Credit Card Associations
  • The bad guys

12
Payment Card Industry
  • Industry association
  • Agenda
  • defend the brand
  • Make the customers feel safe
  • Protect profits
  • Standards issued
  • Created auditor/expert role
  • Advocate of PCI Security

13
Credit Cards
  • ISO Standard
  • Machine readable (partially)
  • Clonable
  • Purely data

14
CC Process Assumptions
  • (CC means credit card)
  • The customer will defend the CC
  • The merchant will defend the CC
  • It's hard to steal the CC
  • If the CC is stolen, revocation will minimize
    damage

15
PCI Standard
  • Requirement 1: Install and maintain a firewall
    configuration to protect cardholder data
  • Requirement 2: Do not use vendor-supplied
    defaults for system passwords and other
    security parameters
  • Requirement 3: Protect stored cardholder data
  • Requirement 4: Encrypt transmission of cardholder
    data across open, public networks
  • Requirement 5: Use and regularly update
    anti-virus software
  • Requirement 6: Develop and maintain secure
    systems and applications
  • Requirement 7: Restrict access to cardholder data
    by business need-to-know
  • Requirement 8: Assign a unique ID to each person
    with computer access
  • Requirement 9: Restrict physical access to
    cardholder data
  • Requirement 10: Track and monitor all access to
    network resources and cardholder data
  • Requirement 11: Regularly test security systems
    and processes
  • Requirement 12: Maintain a policy that addresses
    information security

16
Interpretations
  • There are many (at least one per auditor)
  • Not generally as good as current best practice
  • Implicitly hides merchants who don't use best
    practice
  • Advisory: "they won't really fine us"

17
PCI Defense
18
PAN Sample (Front)
19
PAN Sample (Back)
20
PCI Defenses
  • The standard
  • The audit process
  • Technical upgrades and workarounds
  • Payment process improvements
  • Best Practices for a modern enterprise

21
Defenses the standard
  • The usual best-practices motherhood and hacker
    pie platitudes about computer security.
  • Intuitively obvious requirements
  • Never save the CVV
  • PAN should be encrypted when at rest
  • PAN should be defended while in motion

22
PCI Defenses - Crypto
  • Pre-Internet crypto use
  • Vaguely bank-like crypto
  • (Some) symmetric algorithms
  • (Some) key hygiene
  • (Some) use of encrypted data
  • (Some) use of encryption in the network

23
PCI Defenses - Audit
  • Country club auditors
  • Non-technical
  • Paid by merchant
  • Interpreter of requirements
  • Interpreter of solutions
  • Anonymous

24
PCI Security Research
25
PCI Security Research
  • Targets
  • PAN
  • End nodes
  • Data
  • At rest
  • In motion
  • Processes
  • Merchant
  • Back-end
  • Contractual

26
PAN Research
  • PAN Tester
  • Credit card
  • Gift Card
  • Captive cards

27
PAN Tester (Front)
28
PAN Tester (Back)
29
Faux Credit Cards
30
Target Sample
31
Targets
  • Decrepit POS terminals are mainstream
  • Win2k is considered modern
  • Very low horsepower
  • Not patched
  • Not encrypted
  • On undefended network

32
Other Targets
  • POS networks
  • 2000 stores across the US talking to a central
    site is not a private network
  • Substandard defenses by conventional enterprise
    standards
  • Commingled with corporate networks
  • Minimally funded security efforts

33
Other Targets
  • Acquirer connection
  • Out of bounds for merchant audits
  • Not clear anyone checks them
  • Defense of acquirer not discussed

34
Recon
  • Physical security of end systems
  • Process recon
  • Web access
  • PAN Processing flaws

35
PCI Violation
36
PCI Crypto
37
Crypto Vulnerabilities
  • No key management
  • Weak keys
  • Poor key management
  • Poor key hygiene
  • Home-grown crypto
  • Ignorance of crypto work in the last 5 years

38
Potential Crypto flaws
  • SQL Injection to find keys in the database
  • Format glitches
  • Information leakage (showing the first 6 plus the
    last 4 leaves only 6 unknown decimal digits in the
    namespace)
  • Key generation
  • Algorithm implementations

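An added illustration of the information-leakage point above (not part of the original slides): a 16-digit PAN masked to first 6 plus last 4 leaves 6 hidden digits, and because the Luhn check digit pins one of them, only 10^5 Luhn-valid PANs match the mask, which is why an unkeyed hash stored next to the masked PAN is no protection. The PAN 4111111111111111 is a well-known test number; the function names and the keyed-HMAC surrogate are this example's own choices, not something the slides specify.

```python
"""Quantify what PCI-style PAN masking (first 6 + last 4) still leaks."""
import hashlib
import hmac
import itertools


def luhn_valid(pan: str) -> bool:
    """ISO/IEC 7812 Luhn check: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str, keep_first: int = 6, keep_last: int = 4) -> str:
    """Truncate a PAN for display, refusing to show more than first 6 / last 4."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        raise ValueError("PAN must be 13-19 decimal digits")
    if keep_first > 6 or keep_last > 4:
        raise ValueError("mask would expose more than PCI DSS allows")
    hidden = len(pan) - keep_first - keep_last
    return pan[:keep_first] + "*" * hidden + pan[len(pan) - keep_last:]


def luhn_candidates(masked: str) -> int:
    """Luhn-valid PANs consistent with a mask. The Luhn doubling map is a
    permutation of 0-9, so exactly one value of any single hidden digit
    satisfies the checksum: 10**(hidden-1) candidates, not 10**hidden."""
    hidden = masked.count("*")
    return 10 ** (hidden - 1) if hidden else 1


def luhn_candidates_by_enumeration(masked: str) -> int:
    """Brute-force cross-check of luhn_candidates() for small masks only."""
    slots = [i for i, c in enumerate(masked) if c == "*"]
    count = 0
    for digits in itertools.product("0123456789", repeat=len(slots)):
        s = list(masked)
        for i, d in zip(slots, digits):
            s[i] = d
        count += luhn_valid("".join(s))
    return count


def token_for(pan: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 surrogate (hypothetical scheme): unlike a bare hash
    stored beside the mask, it cannot be matched against the 10**5
    candidates without the key, so the key needs real key management."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()
```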
39
Boring Attacks
  • Porous perimeter
  • Web site
  • #include <web_site_attack.h>
  • Storefront
  • Digital limpet mines
  • Bored quasi-geek employees
  • Back office
  • #include <frugal_dp_management.h>
  • Corporate office
  • #include <simple_enterprise_attacks.h>

40
Boring Targets
  • Windows 2000 is current for POS terminals
  • Databases contain keys, leaked information
  • Effectively unsecured networks
  • 40-bit WEP at best
  • Genuinely unsecured networks
  • Cleartext internal networks

41
Boring Exploits
  • Anything in The Idiot's Guide to Attacking with
    Metasploit
  • All your (Cisco) passwords are belong to us
  • Logs? We don't need no steenkin' logs
  • Klingon logins (authentication is for the weak
    and timid)
  • Passwords last changed when Reagan was President
  • Passwords based on employee id/name

42
Conclusions
  • A TJX-class incident might happen
  • Oops, old news.
  • Someone might get caught using 40-bit WEP
  • Oops, old news.
  • Someone might use a digital limpet mine
  • Oops, old news.
  • Databases might be compromised

43
Conclusions (Seriously)
  • Major compromises are possible
  • Litigation is possible
  • PayPal on a bad day might be better than Visa
  • People will start to question the use of
    pre-Internet legacy payment networks
  • Merchants should use 21st century network defense
    technologies
  • Merchants are enterprises handling money and
    should act accordingly

44
Credits
  • Conference venue by Toorcon
  • Three Stooges Driver's License found at
    http://www.imhimports.com
  • Driver's License Spec:
    http://www.aamva.org/NR/rdonlyres/66260AD6-64B9-45E9-A253-B8AA32241BE0/0/2005DLIDCardSpecV2FINAL.pdf
  • PAN Sample photographs by Operations
  • PCI Standard:
    https://www.pcisecuritystandards.org/pdfs/pci_dss_v1-1.pdf
  • Visa Gift Card from Visa International Service
    Association (http://www.visa.com), issued by Wells
    Fargo Bank
  • Presentation software: Office 2003 Excel by
    Microsoft
  • Disclaimer
  • No actual PANs were harmed in the production of
    this presentation.

45

Rodney Thayer, rodney@thesecurityconsortium.net, www.thesecurityconsortium.net