Recent PCI Hacks

Recent Payment Card Industry Hacks

Published in: Economy & Finance, Business
Transcript of "Recent PCI Hacks"

  1. Recent Payment Card Industry Hacks: Techniques used; & possible Defense
     Muhammad Faisal Naqvi
     CISSP, CISA, ISO27K LA & MI, ISO20K I, AMBCI ACMA inter, MS E-Commerce (Gold)
  2. Agenda
     • MOM Analysis (Motives, Opportunities & Means)
       • International Incidents
       • Regional Incidents
     • Statistics about Payment Card Industry Hacks
       • Who are the Culprits?
       • What are the Motives?
       • What are the Means?
       • Which Assets are under Attack?
     • What could be Possible Defense?
  3. International Incidents
  4. Banking data stolen from Millions
     • News Date: 04 April 2012
     • Country: UK
     • Means: Trojans e.g. Zeus & Spyeye to collect personal details
     • Opportunity: Social Engineering
     • Motive: Fun, curiosity, or pride ($3,800 in 20 Months)
     • Source: www.theregister.co.uk
  5. Attack on one-time-passwords on mobile
     • News Date: 15 March 2012
     • Country: USA
     • Means:
       1. Used Gozi Trojan to steal IMEI # of Account Holder
       2. Report about lost/stolen device & new SIM request
       3. All one-time-passwords will come on new SIM
     • Opportunity: partner’s weak processes
     • Source: www.computerworld.com
  6. Millions customers of famous Bank at risk NFC attack
     • News Date: 23 March 2012
     • Country: UK
     • Means: Contactless readers in mobile phones to extract card data even through wallets or bags
     • Opportunity:
       • Excessive card details
       • Weak merchant process
     • Motive: Online Shopping
     • Source: www.channel4.com
  7. Gang of 50 steals at least $7 million
     • News Date: 11 May 2012
     • Country: Canada
     • Means: Installing Skimmers on stolen POS Machines in < 1 Hr.
     • Opportunity:
       • Physical Security
       • Lack of Monitoring
     • Motive: $7 million
     • Source: www.wired.com
  8. 111 Arrested In Identity Theft Probe
     • News Date: 10 October 2011
     • Country: USA
     • Means: bank tellers, retail workers, waiters
     • Opportunity: Weak processes
     • Motive: $13m in 16 Months
     • Source: www.bbc.co.uk
     [Image: Thermal Image showing sequence of keys pressed]
  9. Hackers Skim Customers’ Credit Cards via Self-Checkout
     • News Date: 7 December 2011
     • Country: USA
     • Means: Skimmers
     • Opportunity: Physical Security
     • Motive: Financial gain
     • Source: news.cnet.com
  10. Gang Used 3D Printers for Skimmers
     • News Date: 20 September 2011
     • Country: USA
     • Means: 3D Printed Skimmers
     • Opportunity: Physical Security
     • Motive: $400,000
     • Source: krebsonsecurity.com
  11. Adult web site breached 40,000 Cards data
     • News Date: 12 March 2012
     • Country: USA
     • Means: Server Hack
     • Opportunity: ?
     • Motive: 40,000 CC numbers, expiry dates, security codes along with user IDs, email addresses, passwords.
     • Source: www.scmagazine.com
  12. More than 10 million cards may have been compromised
     • News Date: 30 March 2012
     • Country: USA
     • Means: Servers Hacked
     • Opportunity: ?
     • Motive: Track 2 data (cards primary account number, expiration date, service code, PIN and CVV number)
     • Source: www.bbc.com
  13. Gang stole $13 million in a day
     • News Date: 26 August 2011
     • Country: USA, Greece, Russia, Spain, Sweden, Ukraine, UK
     • Means: Remote Access to prepaid cards database
       update cards set bal = 10000 where ccno=12345678910
     • Opportunity: Stolen credentials
     • Motive: $13 million
     • Source: www.msnbc.msn.com
  14. Simple URL manipulation affected over 360,000 cards & $2.7M
     • News Date: 27 June 2011
     • Country: USA
     • Means: script
     • Opportunity: Insecure Direct Object References
       https://www.onlinebank.com/user?acct=6065
     • Motive: $2.7M
     • Source: www.informationweek.com
  15. Regional Incidents
  16. Saudi (claimed) Hackers Expose 15,000 Israelis Credit Cards
     • News Date: 01 January 2012
     • Country: Israel
     • Means: Sports Web Site
     • Opportunity: ?
     • Motive: Hacktivism
     • Source: www.israelnationalnews.com
     • Hacker died just after 2 days of getting Govt. Job
     • www.emirates247.com
  17. Two hospital employees arrested on credit card fraud charges
     • News Date: April 10, 2012
     • Country: UAE
     • Means: Online Shopping
     • Opportunity: Visible Credit Card Information
     • Motive: Dh9,300
     • Source: gulfnews.com
  18. Police arrest suspect for credit card forgery
     • News Date: 26 April 2011
     • Country: UAE
     • Means: Expired cards, card copier, card data from web
     • Opportunity:
     • Motive: Financial
     • Source: gulfnews.com
  19. Statistics about Payment Card Industry Hacks (Source: 2012 Data Breach Investigation Report)
  20. Culprits (Source: 2012 Data Breach Investigation Report)
  21. External Culprits (Source: 2012 Data Breach Investigation Report)
  22. Internal Culprits (Source: 2012 Data Breach Investigation Report)
  23. Motives (Source: 2012 Data Breach Investigation Report)
  24. Means (Source: 2012 Data Breach Investigation Report)
  25. Assets (Source: 2012 Data Breach Investigation Report)
  26. Hacks and Possible Defense
     • Social engineering: Automated social pen testing
     • Fake Online Transactions: Balance between Business & Security
     • POS Skimming: Disconnection logs; Bar-coded tamper evident seals
     • ATM Skimming: Anti skimming solutions
     • Servers/Applications/DBs: Information Security, Pen testing & Audits
  27. Questions
     faisal.naqvi@msn.com
     http://ae.linkedin.com/in/mfaisalnaqvi
  28. Thank You
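
The insecure direct object reference on slide 14 (the acct parameter in https://www.onlinebank.com/user?acct=6065), as an added example that is not part of the original slides: a lookup that trusts the parameter beside one that checks ownership, plus a log check for one session touching many account numbers. The ownership table, log format, user names and threshold are constructed assumptions.

```python
from collections import defaultdict
from urllib.parse import urlparse, parse_qs

# Constructed data: which session user owns which account, and the stored records.
OWNED = {"alice": {"6065"}, "bob": {"6066", "6067"}}
ACCOUNTS = {"6065": "alice card data", "6066": "bob card data", "6067": "bob card 2"}

def get_account_vulnerable(session_user, url):
    """Trusts the acct parameter: any logged-in user can read any account."""
    acct = parse_qs(urlparse(url).query)["acct"][0]
    return ACCOUNTS.get(acct)

def get_account_checked(session_user, url):
    """Serves the record only if the session user owns the requested account."""
    acct = parse_qs(urlparse(url).query).get("acct", [""])[0]
    if acct not in OWNED.get(session_user, set()):
        return None  # caller answers 403/404 and logs the denial
    return ACCOUNTS.get(acct)

def flag_enumeration(log_lines, threshold=3):
    """Return users whose requests touched more than `threshold` distinct acct values."""
    seen = defaultdict(set)
    for line in log_lines:
        user, url = line.split(" ", 1)
        acct = parse_qs(urlparse(url.strip()).query).get("acct")
        if acct:
            seen[user].add(acct[0])
    return sorted(u for u, accts in seen.items() if len(accts) > threshold)

# Constructed access-log sample in the assumed format "<session user> <requested URL>".
SAMPLE_LOG = [
    "alice https://www.onlinebank.com/user?acct=6065",
    "bob https://www.onlinebank.com/user?acct=6066",
    "bob https://www.onlinebank.com/user?acct=6067",
] + [f"mallory https://www.onlinebank.com/user?acct={n}" for n in range(6060, 6070)]

if __name__ == "__main__":
    url = "https://www.onlinebank.com/user?acct=6065"
    print("vulnerable, bob asks for 6065:", get_account_vulnerable("bob", url))
    print("checked, bob asks for 6065:", get_account_checked("bob", url))
    print("flagged users:", flag_enumeration(SAMPLE_LOG))
```
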