Your SlideShare is downloading. ×
Recent PCI Hacks
Upcoming SlideShare
Loading in...5

Thanks for flagging this SlideShare!

Oops! An error has occurred.

Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

Recent PCI Hacks


Published on

Recent Payment Card Industry Hacks

Recent Payment Card Industry Hacks

Published in: Economy & Finance, Business

  • Be the first to comment

  • Be the first to like this

No Downloads
Total Views
On Slideshare
From Embeds
Number of Embeds
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

No notes for slide


  • 1. Recent Payment Card Industry HacksTechniques used; & possible Defense Muhammad Faisal Naqvi CISSP, CISA, ISO27K LA & MI, ISO20K I, AMBCI ACMA inter, MS E-Commerce (Gold)
  • 2. Agenda• MOM Analysis (Motives, Opportunities & Means) • International Incidents • Regional Incidents• Statistics about Payment Card Industry Hacks • Who are the Culprits? • What are the Motives? • What are the Means? • Which Assets are under Attack?• What could be Possible Defense?
  • 3. International Incidents
  • 4. Banking data stolen from Millions• News Date: 04 April 2012• Country: UK• Means: Trojans e.g. Zeus & Spyeye to collect personal details• Opportunity: Social Engineering• Motive: Fun, curiosity, or pride ($3,800 in 20 Months)• Source:
  • 5. Attack on one-time-passwords on mobile• News Date: 15 March 2012• Country: USA• Means: 1. Used Gozi Trojan to steal IMEI # of Account Holder 2. Report about lost/ stolen device & new SIM request 3. All one-time-passwords will come on new SIM• Opportunity: partner’s weak processes• Source:
  • 6. Millions customers of famous Bank at risk NFC attack• News Date: 23 March 2012• Country: UK• Means: Contactless readers in mobile phones to extract card data even through wallets or bags• Opportunity: • Excessive card details • Weak merchant process• Motive: Online Shopping• Source:
  • 7. Gang of 50 steals at least $7 million• News Date: 11 May 2012• Country: Canada• Means: Installing Skimmers on stolen POS Machines in < 1 Hr.• Opportunity: • Physical Security • Lack of Monitoring• Motive: $7 million• Source:
  • 8. 111 Arrested In Identity Theft Probe• News Date: 10 October 2011• Country: USA• Means: bank tellers, retail workers, waiters• Opportunity: Weak processes• Motive: $13m in 16 Months• Source: Thermal Image showing sequence of keys pressed
  • 9. Hackers Skim Customers’ Credit Cards via Self-Checkout• News Date: 7 December 2011• Country: USA• Means: Skimmers• Opportunity: Physical Security• Motive: Financial gain• Source:
  • 10. Gang Used 3D Printers for Skimmers• News Date: 20 September 2011• Country: USA• Means: 3D Printed Skimmers• Opportunity: Physical Security• Motive: $400,000• Source:
  • 11. Adult web site breached 40,000 Cards data• News Date: 12 March 2012• Country: USA• Means: Server Hack• Opportunity: ?• Motive: 40,000 CC numbers, expiry dates, security codes along with user IDs, email addresses, passwords.• Source:
  • 12. More than 10 million cards may have been compromised• News Date: 30 March 2012• Country: USA• Means: Servers Hacked• Opportunity: ?• Motive: Track 2 data (cards primary account number, expiration date, service code, PIN and CVV number)• Source:
  • 13. Gang stole $13 million in a day• News Date: 26 August 2011• Country: USA, Greece, Russia, Spain, Sweden, Ukraine, UK• Means: Remote Access to prepaid cards database update cards set bal = 10000 where ccno=12345678910• Opportunity: Stolen credentials• Motive: $13 million• Source:
  • 14. Simple URL manipulation affected over 360,000 cards & $2.7M• News Date: 27 June 2011• Country: USA• Means: script• Opportunity: Insecure Direct Object References• Motive: $2.7M• Source:
  • 15. Regional Incidents
  • 16. Saudi (claimed) Hackers Expose 15,000 Israelis Credit Cards• News Date: 01 January 2012• Country: Israel• Means: Sports Web Site• Opportunity: ?• Motive: Hacktivism• Source:• Hacker died just after 2 days of getting Govt. Job•
  • 17. Two hospital employees arrested on credit card fraud charges• News Date: April 10, 2012• Country: UAE• Means: Online Shopping• Opportunity: Visible Credit Card Information• Motive: Dh9,300• Source:
  • 18. Police arrest suspect for credit card forgery• News Date: 26 April 2011• Country: UAE• Means: Expired cards, card copier, card data from web• Opportunity:• Motive: Financial• Source:
  • 19. Statistics about Payment Card Industry Hacks Source: 2012 Data Breach Investigation Report
  • 20. Culprits Source: 2012 Data Breach Investigation Report
  • 21. External Culprits Source: 2012 Data Breach Investigation Report
  • 22. Internal Culprits Source: 2012 Data Breach Investigation Report
  • 23. Motives Source: 2012 Data Breach Investigation Report
  • 24. Means Source: 2012 Data Breach Investigation Report
  • 25. Assets Source: 2012 Data Breach Investigation Report
  • 26. Hacks Possible Defense• Social engineering • Automated social pen testing• Fake Online Transactions • Balance between Business & Security• POS Skimming • Disconnection logs Bar-coded tamper evident seals• ATM Skimming • Anti skimming solutions• Servers/Applications/DBs • Information Security, Pen testing & Audits
  • 27. Questionsfaisal.naqvi@msn.com
  • 28. Thank You