Ever wondered what makes your payment cards tick?
Who's lurking in the shadows, ready to wreak havoc on your transactions?
Let's dive into the fascinating world of payment card technology, exposing its inner workings and secrets, and how some gentlemen are trying to mess with these systems (and you).
This speech was delivered at Tallinn BSides 2023 by Stefano Amorelli
https://tallinn.bsides.ee/2023/
Stefano Amorelli, cybersecurity advocate and technology leader, brings his expertise to developing resilient large-scale systems and leading security-conscious teams.
Stefano is also a keen supporter of communities: he founded and leads OWASP Tallinn, the first OWASP chapter in Estonia, and the DEFCON Tallinn Group (DCG113722).
Credit Cards Tech and Threats: How Hackers Pay With Your Money [Stefano Amorelli - Tallinn BSides 2023]
1. Credit Cards Tech and Threats
How Hackers Pay With Your Money
Author: Stefano Amorelli
Date: 21 Sept 2023
2. Credit Cards Tech and Threats
4. How do hackers pay with your money?
... stay tuned for the answer at the end ...
What is the most efficient way for those gentlemen to commit card fraud?
5. Mastercard Certified Professional in Cybersec. & Intelligence
Founder and Leader of the first OWASP chapter and DEFCON group in Estonia
Member of the new team of OWASP Top 10 for LLM AI
Engineering & CyberSec Lead for Startups
6. 1. What the tech!? Magstripe, EMV, CNP, PCI-DSS
2. Cashing in: How hackers actually commit card fraud
3. Case-study: Implementing a compliant solution from scratch
8. One card, many ways to pay
1. What the tech!?
• Magstripe (swipe)
• EMV transactions (dip / tap - NFC)
• CNP (card-not-present)
(EMV: Europay, Mastercard, Visa)
9. 1. What the tech!?
What is MAGSTRIPE?
The magstripe on the back of the card holds static data in the clear: the PAN, expiry date, service code and discretionary data (e.g. CVV1/CVC1) encoded in Track 1 and Track 2. Nothing changes between swipes, so whatever reads the stripe once can replay it.
Threats
• Can easily be cloned with skimmers
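As an added example (not part of the talk), the following Python parses the Track 2 data a skimmer reads and shows the point of the slide: every field is static, so re-encoding the parsed fields reproduces the original stripe byte for byte. The track strings use well-known test PANs with made-up expiry, service code and discretionary data; the service-code interpretation (first digit 2 or 6 = the card has a chip) follows ISO/IEC 7813. The fallback check at the end anticipates the threat on the EMV slide: a chip-capable card arriving as a swipe is a sign the terminal was pushed to fall back.

```python
"""Parse ISO/IEC 7813 Track 2 magstripe data and show why it is trivially cloneable.

Added example; not code from the talk. Track strings are constructed from public
test PANs (4111..., 5555...) plus invented expiry/service code/discretionary data.
"""
from dataclasses import dataclass

# Constructed samples: ';' start sentinel, PAN, '=' separator, expiry YYMM,
# 3-digit service code, discretionary data (PVV/CVV1 live here), '?' end sentinel.
SAMPLE_TRACK2_CHIP = ";4111111111111111=25122010000012345678?"     # service code 201: chip card
SAMPLE_TRACK2_MAGONLY = ";5555555555554444=25121010000012345678?"  # service code 101: no chip

# ISO/IEC 7813: service code first digit 2 or 6 = "use integrated circuit where feasible".
SERVICE_CODE_CHIP = {"2", "6"}


def luhn_ok(pan: str) -> bool:
    """Luhn (mod 10) check of the PAN's trailing check digit."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


@dataclass(frozen=True)
class Track2:
    pan: str
    expiry_yymm: str
    service_code: str
    discretionary: str

    @property
    def chip_capable(self) -> bool:
        return self.service_code[0] in SERVICE_CODE_CHIP

    def masked_pan(self) -> str:
        """First six / last four, the most a receipt or log may show."""
        return self.pan[:6] + "*" * (len(self.pan) - 10) + self.pan[-4:]


def parse_track2(raw: str) -> Track2:
    """Split a raw Track 2 read into its fields; rejects malformed or Luhn-invalid PANs."""
    body = raw[1:] if raw.startswith(";") else raw
    end = body.find("?")
    if end != -1:
        body = body[:end]  # drop end sentinel and any trailing LRC
    pan, sep, rest = body.partition("=")
    if sep != "=" or not pan.isdigit() or not 12 <= len(pan) <= 19:
        raise ValueError("malformed Track 2: bad PAN field")
    if not luhn_ok(pan):
        raise ValueError("PAN fails Luhn check")
    if len(rest) < 7 or not rest[:7].isdigit():
        raise ValueError("malformed Track 2: expiry/service code missing")
    return Track2(pan=pan, expiry_yymm=rest[:4], service_code=rest[4:7], discretionary=rest[7:])


def encode_track2(t: Track2) -> str:
    """Re-encode the fields. Because nothing is dynamic, the clone equals the original."""
    return ";" + t.pan + "=" + t.expiry_yymm + t.service_code + t.discretionary + "?"


def swipe_is_fallback(t: Track2) -> bool:
    """A swipe of a chip-capable card means the terminal fell back from EMV;
    issuers commonly treat such a transaction as a risk signal."""
    return t.chip_capable


if __name__ == "__main__":
    t = parse_track2(SAMPLE_TRACK2_CHIP)
    print(t.masked_pan(), t.service_code, "fallback swipe" if swipe_is_fallback(t) else "ok")
    print("clone identical:", encode_track2(t) == SAMPLE_TRACK2_CHIP)
```

The round trip is the whole story of the magstripe: a skimmer does not need to break anything, it only needs to record. The service code also tells an issuer something useful, since a 2xx/6xx card showing up as a swipe rather than a chip read is the fallback scenario the EMV slide warns about.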
10. 1. What the tech!?
What is EMV?
EMV (Europay, Mastercard, Visa) is the global standard for chip-based payment cards.
The idea behind EMV is to create a unique transaction cryptogram: the chip computes a MAC over the transaction data with a session key derived from its card key and a transaction counter, so data captured from one transaction cannot be replayed in another.
DUKPT (derived unique key per transaction, ANSI X9.24) is one of the most common key-management schemes in the EMV ecosystem, used by POS terminals to encrypt PIN blocks and card data with a fresh key for every transaction.
11. 1. What the tech!?
Magstripe vs EMV
[Image from: stanford.edu CS101]
12. 1. What the tech!?
Magstripe vs EMV
[Image from: stanford.edu CS101]
13. 1. What the tech!?
What is EMV?
EMV is considered the safest option for physical card transactions
• Physical tamper resistance
• Command-response protocol (i.e. dynamic data generation)
Threats
• POS can be tricked into falling back to unsafe methods
• The link between POS and card becomes the weakest segment
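To make the "unique transaction cryptogram" concrete, here is an added, simplified model (my example, not the speaker's code) of the issuer master key → card key → per-transaction session key chain and an ARQC-style cryptogram, with the issuer verifying it. HMAC-SHA256 stands in for the 3DES/AES MACs real EMV cards use, the issuer key and PAN are constructed, and the transaction fields are reduced to amount, currency, the terminal's unpredictable number and the ATC; it shows the shape of the mechanism, not the EMV specification.

```python
"""Why an EMV-style cryptogram cannot be replayed: a simplified model.

Added example, not from the talk. HMAC-SHA256 replaces the card's 3DES/AES MACs;
the issuer master key, PAN and transaction values are constructed.
"""
import hashlib
import hmac
import os

# Constructed issuer master key; a real one never leaves the issuer's HSM.
ISSUER_MASTER_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


def derive_card_key(imk: bytes, pan: str, psn: str = "00") -> bytes:
    """Card key from issuer master key + PAN/PAN sequence number.
    The issuer stores no per-card keys; it re-derives them at authorization time."""
    return hmac.new(imk, (pan + psn).encode(), hashlib.sha256).digest()


def derive_session_key(card_key: bytes, atc: int) -> bytes:
    """One session key per Application Transaction Counter (ATC) value."""
    return hmac.new(card_key, atc.to_bytes(2, "big"), hashlib.sha256).digest()


def cryptogram(session_key: bytes, amount: int, currency: str, un: bytes, atc: int) -> bytes:
    """8-byte MAC over amount, currency, terminal unpredictable number and ATC (ARQC-like)."""
    data = amount.to_bytes(6, "big") + currency.encode() + un + atc.to_bytes(2, "big")
    return hmac.new(session_key, data, hashlib.sha256).digest()[:8]


class Card:
    """The chip: holds its card key and a monotonically increasing ATC."""

    def __init__(self, pan: str, card_key: bytes):
        self.pan = pan
        self._key = card_key
        self.atc = 0

    def generate_arqc(self, amount: int, currency: str, un: bytes):
        self.atc += 1  # never reused, so every transaction gets a new session key
        sk = derive_session_key(self._key, self.atc)
        return self.atc, cryptogram(sk, amount, currency, un, self.atc)


class Issuer:
    """The issuer host: re-derives keys and checks counter plus MAC."""

    def __init__(self, imk: bytes):
        self._imk = imk
        self.last_atc = {}  # highest ATC seen per PAN

    def authorize(self, pan: str, atc: int, arqc: bytes, amount: int, currency: str, un: bytes) -> str:
        if atc <= self.last_atc.get(pan, 0):
            return "DECLINE: ATC not increasing (replay)"
        sk = derive_session_key(derive_card_key(self._imk, pan), atc)
        expected = cryptogram(sk, amount, currency, un, atc)
        if not hmac.compare_digest(expected, arqc):
            return "DECLINE: cryptogram mismatch"
        self.last_atc[pan] = atc
        return "APPROVE"


def run_scenario() -> list:
    """Genuine transaction, then two attacks on the captured POS-to-issuer data."""
    pan = "4111111111111111"  # public test PAN
    issuer = Issuer(ISSUER_MASTER_KEY)
    card = Card(pan, derive_card_key(ISSUER_MASTER_KEY, pan))
    un = os.urandom(4)  # terminal's unpredictable number for this transaction
    atc, arqc = card.generate_arqc(2500, "978", un)
    results = [issuer.authorize(pan, atc, arqc, 2500, "978", un)]
    # 1) attacker replays the captured request byte for byte
    results.append(issuer.authorize(pan, atc, arqc, 2500, "978", un))
    # 2) attacker bumps the ATC and reuses the cryptogram for a larger amount
    results.append(issuer.authorize(pan, atc + 1, arqc, 99900, "978", os.urandom(4)))
    return results


if __name__ == "__main__":
    for r in run_scenario():
        print(r)
```

run_scenario() approves the genuine request, refuses the byte-for-byte replay because the ATC did not advance, and refuses the captured cryptogram reused for another amount because the MAC no longer matches. Contrast this with the magstripe, where replayed data is indistinguishable from the original; it also shows why the POS-to-card link is where attackers concentrate, since forging the cryptogram is not an option.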
14. 1. What the tech!?
..and Card-Not-Present?
Threats
• Social engineering
• MITM (capturing or altering transaction data)
• SIM swap
• Not all merchants have implemented SCA
Tech
• Strong Customer Authentication (SCA)
• 3-D Secure (Verified by Visa, Mastercard SecureCode)
15. 1. What the tech!?
Regulation: PCI-DSS (Payment Card Industry Data Security Standard)
Any organization, regardless of its size or transaction volume, that accepts, transmits, or stores any cardholder data must comply with PCI-DSS. This includes merchants, payment gateways, processors, and service providers.
16. 1. What the tech!?
What is PCI-DSS?
• Set of security standards defined by the major card companies
• 12 requirements (+300 sub-requirements 🥵)
• PCI certification is not a legal but a contractual requirement
17. 1. What the tech!?
Main areas of PCI compliance
• Protect cardholder data
• Build and maintain a secure network
• Maintain a vulnerability management program
18. 2. Cashing in
How hackers actually commit payment card fraud
19. 2. Cashing in
The vast majority (84%) of payment card fraud is on CNP transactions
Source: European Central Bank
20. 2. Cashing in
Where are the most victims of card fraud? Who's winning this Olympics?
Where does most card fraud happen? (in %)
1. US
2. France
3. Nigeria
4. Switzerland
5. Italy (Sicily)
6. China
Source: Nilson Report
22. 2. Cashing in
Swiping is popular in the US
• Mastercard is dropping the magstripe:
• in the EU from 2024;
• in the US from 2027;
• by 2029, no newly issued Mastercard will have a magstripe.
23. 2. Cashing in
Step 1: Steal card data
• Phishing
• Malware
• Data breaches
• Card skimming
28. 2. Cashing in
Step 2: Sell card data
The price of a fullz + card for a US victim is on average $25.36 on the dark web.
Criminals pay $0.003 per $1 of credit limit, on average.
Source: Comparitech 2022
29. 2. Cashing in
Step 3: Buy stuff
Criminals who buy stolen card data can clone it onto physical cards or use it to buy online.
Non-traceable goods are preferred, such as gift cards and crypto.
30. 2. Cashing in
More than 59.4 million stolen card records were on sale on the dark web last year.
Source: Nilson Report
Figure: screenshot from a well-known dark-web forum specialized in carding, called "Russian Market"
31. 3. Case study
Implementing a PCI-DSS compliant solution from scratch: lessons learned
32. 3. Case-study
Case study: implementing a large-scale PCI-compliant card app onboard airplanes
Lessons learned
33. 3. Case-study
Lesson #1: "Divide et impera the PCI-way"
Principle: modularization, top-down design approach
34. 3. Case-study
"Divide et impera the PCI-way"
Why?
• Not everything needs to be compliant
• Faster compliance process
• Easier to protect
35. 3. Case-study
"Divide et impera the PCI-way"
How?
• Isolate environments (keep the PCI scope, the cardholder data environment or CDE, separate from everything else)
• Black-box apps and systems
• Implement strong RBAC and IAM
• Data minimization
• Encrypt data at rest and in transit (E2E, disk, key management)
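An added example (not the talk's code) of what "data minimization" and "protect cardholder data" look like at the edge of the CDE: the record a merchant keeps after authorization holds a token, a masked PAN and a keyed hash, never the CVV2 or track data, and a log scrubber masks Luhn-valid PANs and redacts whole Track 2 strings before log lines leave the CDE. The hash key, the PANs (public test numbers) and the log lines are constructed.

```python
"""Minimize stored card data and scrub PANs from logs at the CDE boundary.

Added example, not from the talk. Hash key, card data and log lines are constructed;
PANs are public test numbers.
"""
import hashlib
import hmac
import re
import secrets

# Constructed key for the keyed PAN hash; in production it is managed inside the CDE.
PAN_HASH_KEY = b"constructed-demo-key-do-not-reuse"

# Sensitive authentication data: must not be retained after authorization (PCI DSS req. 3).
SENSITIVE_AUTH_DATA = ("cvv2", "track1", "track2", "pin", "pin_block")

TRACK2_RE = re.compile(r";\d{12,19}=\d*\??")                     # full Track 2: redact entirely
PAN_CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){11,18}\d(?!\d)")  # 12-19 digits, spaces/dashes allowed


def luhn_ok(digits: str) -> bool:
    """Luhn check; filters order numbers and timestamps out of PAN candidates."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        total += (d * 2 - 9 if d > 4 else d * 2) if i % 2 else d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """First six and last four may be displayed; everything else is masked."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pan_fingerprint(pan: str) -> str:
    """Keyed hash for matching records without storing the PAN. An unkeyed
    SHA-256 is not enough: the PAN space is small enough to brute-force."""
    return hmac.new(PAN_HASH_KEY, pan.encode(), hashlib.sha256).hexdigest()


def minimize_card_record(auth_request: dict, vault: dict) -> dict:
    """Keep only what the business needs after authorization; the PAN goes to the vault."""
    pan = auth_request["pan"]
    token = "tok_" + secrets.token_hex(8)
    vault[token] = pan  # the vault is the only component inside the CDE holding the PAN
    record = {
        "token": token,
        "pan_masked": mask_pan(pan),
        "pan_fingerprint": pan_fingerprint(pan),
        "expiry": auth_request["expiry"],
    }
    # Nothing from SENSITIVE_AUTH_DATA is copied, whatever the caller passed in.
    assert not any(k in record for k in SENSITIVE_AUTH_DATA)
    return record


def scrub_pans(text: str) -> str:
    """Redact full track data outright, then mask any Luhn-valid PAN-like number."""
    text = TRACK2_RE.sub("[TRACK2 REDACTED]", text)

    def mask_match(m) -> str:
        digits = re.sub(r"[ -]", "", m.group(0))
        return mask_pan(digits) if luhn_ok(digits) else m.group(0)

    return PAN_CANDIDATE_RE.sub(mask_match, text)


def scrub_log(lines) -> list:
    return [scrub_pans(line) for line in lines]


# Constructed log lines: the first two leak card data, the third only looks like it.
LOG_LINES = [
    "2023-09-21T10:15:02Z INFO auth ok pan=4111111111111111 amount=25.36 EUR",
    "2023-09-21T10:15:03Z DEBUG raw track2=;5555555555554444=25121010000012345678?",
    "2023-09-21T10:15:04Z INFO order=20230921101504 customer=12345678901234",
]

if __name__ == "__main__":
    vault = {}
    print(minimize_card_record({"pan": "4111111111111111", "expiry": "2512", "cvv2": "123"}, vault))
    for line in scrub_log(LOG_LINES):
        print(line)
```

Two design points matter here. Track data is redacted as a unit rather than masked, because the discretionary field (PVV, CVV1) is sensitive authentication data in its own right. And the Luhn check is what keeps the scrubber usable: order numbers and timestamps are long digit runs too, and a scrubber that masks them trains operators to ignore it.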
36. 3. Case-study
Lesson #2: "The best code written is the one you don't write."
Principle: YAGNI (You Ain't Gonna Need It)
37. 3. Case-study
"The best code written is the one you don't write."
Why? KISS (Keep it simple, stupid!)
• Easier to maintain
• Easier to protect
• Easier to scale
• Easier to comply
38. 3. Case-study
Which backend would you prefer to protect?
1. COBOL monolith
2. Go + serverless
3. .NET + K8s
39. 3. Case-study
"The best code written is the one you don't write."
How?
• Serverless (AWS, Firebase)
• Cross-platform (Flutter, React Native)
• Reduce dependencies
40. 3. Case-study
Lesson #3: "Ticking boxes is both compliant and dangerous"
Principle: don't just comply but embrace standards
41. 3. Case-study
"Ticking boxes is both compliant and dangerous"
Why? Standards can be good as guidelines, but getting certified is only the first step.
42. 3. Case-study
"Ticking boxes is both compliant and dangerous"
What to do?
• Security-first culture
• Train engineers & stakeholders
Having a SOC (security operations center) can be very helpful in establishing and maintaining a good cybersecurity posture.
43. 3. Case-study
Lessons
1. "Divide et impera the PCI-way"
2. "The best code written is the one you don't write."
3. "Ticking boxes is both compliant and dangerous"
44. 4. Conclusion
The 10-year forecast for card fraud in the US alone is more than $175 billion.
Source: Nilson Report
45. 4. Conclusion
"Hackers are breaking the systems for profit. Before, it was about intellectual curiosity […] Now hacking is big business."
Kevin Mitnick (1963-2023)
46. 4. Conclusion
How do hackers pay with your money?
47. 4. Conclusion
How can hackers steal the most card data?
48. 4. Conclusion
How can hackers steal the most card data? Data breaches.
49. 4. Conclusion
The 2019 data breach of Capital One (a PCI-compliant bank) exposed the personal data of more than 100 million credit card applicants and customers: names, addresses, dates of birth, self-reported income, credit scores and limits, plus about 140,000 US Social Security numbers and 80,000 linked bank account numbers. Card numbers themselves were not in the dump, but the rest is exactly what the carding market sells as fullz.
50. 4. Conclusion
"In data we guard, in awareness we lead"
Securing users' data and spreading awareness is our pledge as cybersecurity professionals.
51. Thank you!
"In data we guard, in awareness we lead"
Stefano Amorelli
Find these slides, resources, and
more information on this repo:
Q&A
Connect with me on LinkedIn