Credit Cards Tech and Threats
How Hackers Pay With Your Money
Author: Stefano Amorelli
Date: 21 Sept 2023
CREDIT CARDS TECH AND THREATS
How hackers pay with your money?
… STAY TUNED FOR THE ANSWER AT THE END …
What is the most efficient way for those gentlemen to commit card fraud?
• Mastercard Certified Professional in Cybersec. & Intelligence
• Founder and Leader of the first OWASP chapter and DEFCON group in Estonia
• Member of the new team of OWASP TOP 10 for LLM AI
• Engineering & CyberSec Lead for Startups
1. What the tech!? (Magstripe, EMV, CNP, PCI-DSS)
2. Cashing in (How hackers actually commit card fraud)
3. Case-study (Implementing a compliant solution from scratch)
1. What the tech!?
How card authorizations work
One card, many ways to pay
• MAGSTRIPE (SWIPE)
• EMV TRANSACTIONS (DIP / TAP - NFC)
• CNP (CARD-NOT-PRESENT)
EUROCARD, MASTERCARD, VISA
What is MAGSTRIPE?
The magstripe on the back of the card contains static data about the payment card in plain text.
THREATS
• CAN EASILY BE CLONED WITH SKIMMERS
What is EMV?
EMV (Europay, Mastercard, Visa) is the newest global standard for chip-based payment cards.
The idea behind EMV is to create a unique cryptogram for every transaction.
DUKPT (derived unique key per transaction) is one of the most common key management schemes used in EMV.
Magstripe vs EMV
[Image from: stanford.edu CS101]
What is EMV?
EMV is considered the safest option for physical card transactions:
• PHYSICAL TAMPER RESISTANCE
• COMMAND-RESPONSE PROTOCOL (I.E. DYNAMIC DATA GENERATION)
THREATS
• POS CAN BE TRICKED INTO FALLING BACK TO UNSAFE METHODS
• THE LINK BETWEEN POS AND CARD BECOMES THE WEAKEST SEGMENT
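The contrast the magstripe and EMV slides draw (static plaintext track data versus a cryptogram that is unique per transaction) is easiest to see from the issuer's side of the authorization. The following Python model is an added example, not code from the talk and not an implementation of EMV or DUKPT: a toy issuer host accepts a static track record whenever it matches, so a skimmed copy authorizes exactly like the genuine card, while the EMV-style path derives a key from a constructed card master key and the Application Transaction Counter (ATC), verifies an HMAC over the transaction data, and rejects any counter that does not advance. The card values, the master key, the HMAC-based derivation and the names `Issuer`, `derive_session_key`, `card_cryptogram` and `demo` are all assumptions made for this example. It also shows why the fallback threat on the slide matters: a terminal that is talked into a swipe never reaches the checks in `authorize_emv`.

```python
"""Added example (not from the talk): static magstripe data vs. a per-transaction
EMV-style cryptogram, seen from the issuer's side.

All keys, card data and the key derivation are constructed for illustration;
this is not an implementation of EMV or of DUKPT (ANSI X9.24)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed sample card (a well-known test PAN) and master key; not real data.
PAN = "4111111111111111"
EXPIRY = "2512"          # YYMM
SERVICE_CODE = "101"
MASTER_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")


def magstripe_track(pan: str, expiry: str, service_code: str) -> str:
    """Track-2-style record: identical bytes on every swipe, so a skimmer
    captures everything needed to produce an indistinguishable clone."""
    return f"{pan}={expiry}{service_code}"


def derive_session_key(master_key: bytes, atc: int) -> bytes:
    """One key per transaction, derived from the card master key and the
    Application Transaction Counter (ATC). Constructed HMAC derivation that
    stands in for the EMV/DUKPT key hierarchy."""
    return hmac.new(master_key, atc.to_bytes(2, "big"), hashlib.sha256).digest()


def card_cryptogram(master_key: bytes, atc: int, amount: int, unpredictable: bytes) -> str:
    """Card side: MAC over the transaction data with the session key. The
    terminal's unpredictable number and the ATC make every value unique."""
    key = derive_session_key(master_key, atc)
    data = atc.to_bytes(2, "big") + amount.to_bytes(4, "big") + unpredictable
    return hmac.new(key, data, hashlib.sha256).hexdigest()[:16]


@dataclass
class Issuer:
    """Toy issuer host: holds the card's master key and the highest ATC seen."""
    master_key: bytes
    last_atc: int = -1

    def authorize_magstripe(self, track: str) -> bool:
        # Only the static record can be checked; a genuine swipe and a
        # cloned card present exactly the same bytes.
        return track == magstripe_track(PAN, EXPIRY, SERVICE_CODE)

    def authorize_emv(self, atc: int, amount: int, unpredictable: bytes, cryptogram: str) -> bool:
        if atc <= self.last_atc:
            return False                      # replayed or rolled-back counter
        expected = card_cryptogram(self.master_key, atc, amount, unpredictable)
        if not hmac.compare_digest(expected, cryptogram):
            return False                      # forged cryptogram or altered data
        self.last_atc = atc
        return True


def demo() -> dict:
    """Present the same transaction twice over each path and collect the decisions."""
    issuer = Issuer(MASTER_KEY)
    track = magstripe_track(PAN, EXPIRY, SERVICE_CODE)
    results = {
        "magstripe_genuine_swipe": issuer.authorize_magstripe(track),
        "magstripe_cloned_swipe": issuer.authorize_magstripe(track),  # same bytes: accepted
    }
    unpredictable = secrets.token_bytes(4)   # chosen by the terminal per transaction
    atc, amount = 17, 4250                    # amount in cents
    cryptogram = card_cryptogram(MASTER_KEY, atc, amount, unpredictable)
    results["emv_first"] = issuer.authorize_emv(atc, amount, unpredictable, cryptogram)
    results["emv_replay"] = issuer.authorize_emv(atc, amount, unpredictable, cryptogram)
    results["emv_altered_amount"] = issuer.authorize_emv(atc + 1, 999999, unpredictable, cryptogram)
    return results


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name:24s} {'ACCEPTED' if accepted else 'REJECTED'}")
```

The two magstripe decisions come back identical because the issuer has nothing dynamic to check; the EMV path rejects the replay on the counter and the altered amount on the MAC, which is the property the slide's "dynamic data generation" bullet refers to.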
…and Card-Not-Present?
THREATS
• SOCIAL ENGINEERING
• MITM (CAPTURING OR ALTERING TRANSACTION DATA)
• SIM SWAP
• NOT ALL MERCHANTS HAVE IMPLEMENTED SCA
TECH
• STRONG CUSTOMER AUTHENTICATION (SCA)
• 3D SECURE (VERIFIED BY VISA, MASTERCARD SECURECODE)
Regulation: PCI-DSS
PAYMENT CARD INDUSTRY DATA SECURITY STANDARD
Any organization, regardless of its size or transaction volume, that accepts, transmits, or stores any cardholder data must comply with PCI-DSS. This includes merchants, payment gateways, processors, and service providers.
What is PCI-DSS?
• SET OF SECURITY STANDARDS DEFINED BY MAJOR CC COMPANIES
• 12 REQUIREMENTS (+300 SUB-REQUIREMENTS 🥵)
• PCI CERTIFICATION IS NOT A LEGAL BUT A CONTRACTUAL REQUIREMENT
Main areas of PCI-compliance
• PROTECT CARDHOLDER DATA
• BUILD AND MAINTAIN A SECURE NETWORK
• MAINTAIN A VULNERABILITY MANAGEMENT PROGRAM
2. Cashing in
HOW HACKERS ACTUALLY COMMIT PAYMENT CARD FRAUD
The vast majority (84%) of PC fraud is for CNP transactions.
SOURCE: EUROPEAN CENTRAL BANK
Where are the most victims of card fraud? Who's winning this Olympics?
WHERE DOES MOST CARD FRAUD HAPPEN? (IN %)
1. US
2. France
3. Nigeria
4. Switzerland
5. Italy (Sicily)
6. China
SOURCE: NILSON REPORT
Swiping is popular in the US
MASTERCARD IS DROPPING MAGSTRIPE:
• IN EU FROM 2024;
• IN US FROM 2027;
• BY 2029, NO MC WILL HAVE A MAGSTRIPE.
Step 1: STEAL CARD DATA
• PHISHING
• MALWARE
• DATA BREACHES
• CARD SKIMMING
Step 2: SELL CARD DATA
The price of a fullz + card for a US victim is on average $25.36 on the dark web.
Criminals pay $0.003 for $1 of credit limit, on average.
SOURCE: COMPARITECH 2022
Step 3: BUY STUFF
Criminals who buy stolen card data can clone it onto physical cards or use it to buy online.
NON-TRACEABLE GOODS ARE PREFERRED, SUCH AS GIFT CARDS AND CRYPTO
More than 59.4mln stolen cards' data was on sale on the dark web last year.
SOURCE: NILSON REPORT
FIGURE: SCREENSHOT OF A FAMOUS DARK-WEB FORUM SPECIALIZED IN CARDING, CALLED "RUSSIAN MARKET"
3. Case-study
IMPLEMENTING A PCI-DSS COMPLIANT SOLUTION FROM SCRATCH: LESSONS LEARNED
CASE STUDY: Implementing a large-scale PCI-compliant card app onboard airplanes
LESSON #1: "Divide et impera the PCI-way"
PRINCIPLE: MODULARIZATION, TOP-DOWN DESIGN APPROACH
Why?
• NOT EVERYTHING NEEDS TO BE COMPLIANT
• FASTER COMPLIANCE PROCESS
• EASIER TO PROTECT
How?
• ISOLATE ENVIRONMENTS (PCI, CDE)
• BLACK-BOX APPS AND SYSTEMS
• IMPLEMENT STRONG RBAC AND IAM
• DATA MINIMIZATION
• ENCRYPT DATA AT REST AND IN TRANSIT (E2E, DISK, KEY MANAGEMENT)
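"Data minimization" and "protect cardholder data" become concrete once a system decides what it is allowed to keep. The following Python is an added example, not code from the talk or from the airline project it describes; the token secret, the sample record and the log lines are constructed, and the names `minimize`, `find_pan_leaks`, `tokenize_pan` and `SAMPLE_LOGS` are assumptions for this example. It keeps only a masked PAN (first six and last four digits, the traditional PCI-DSS display mask) plus a keyed-hash token instead of the full PAN, drops the CVV before anything is persisted, and runs a Luhn-filtered scan over log lines to detect PANs that have leaked outside the cardholder data environment, which is a check worth running in CI and over log pipelines.

```python
"""Added example (not from the talk): data minimization for cardholder data.

The token secret, the sample record and the log lines are constructed; in a
real deployment the secret lives in a KMS/HSM inside the CDE, not in code."""
import hashlib
import hmac
import re

TOKEN_SECRET = b"PLACEHOLDER-load-from-kms"   # placeholder only
# 13-19 digits, optionally separated by spaces or dashes, not inside a longer run
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")


def luhn_valid(pan: str) -> bool:
    """Luhn check digit; filters out most non-PAN digit runs (ids, timestamps)."""
    digits = [int(c) for c in pan if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six (BIN) and last four: the traditional PCI-DSS display mask."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def tokenize_pan(pan: str) -> str:
    """Keyed hash: stable for matching repeat customers, useless without the secret."""
    return hmac.new(TOKEN_SECRET, pan.encode(), hashlib.sha256).hexdigest()


def minimize(record: dict) -> dict:
    """Return only what the application needs. The CVV and the full PAN are
    dropped: PCI-DSS forbids storing sensitive authentication data after
    authorization, and a system that never holds the PAN has less to protect."""
    pan = re.sub(r"[ -]", "", record["pan"])
    if not luhn_valid(pan):
        raise ValueError("not a valid PAN")
    return {
        "pan_masked": mask_pan(pan),
        "pan_token": tokenize_pan(pan),
        "expiry": record["expiry"],
    }


def find_pan_leaks(log_lines) -> list:
    """Detection: Luhn-valid 13-19 digit runs in logs are candidate PAN leaks.
    Returns (line number, masked PAN) so the finding itself does not leak."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        for m in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_valid(digits):
                hits.append((n, mask_pan(digits)))
    return hits


# Constructed log lines: line 2 is a debug statement that leaked a full PAN,
# line 3 carries a 13-digit request id that the Luhn filter must not flag.
SAMPLE_LOGS = [
    "2023-09-21T10:01:02Z INFO  order 1842 paid, pan_token=9f3c2a expiry=12/25",
    "2023-09-21T10:01:03Z DEBUG raw card=4111 1111 1111 1111 exp=12/25 cvv=123",
    "2023-09-21T10:01:04Z INFO  request id 1234567890123 served in 31ms",
]

if __name__ == "__main__":
    print(minimize({"pan": "4111 1111 1111 1111", "expiry": "12/25", "cvv": "123"}))
    print(find_pan_leaks(SAMPLE_LOGS))
```

The scan reports only the masked form of what it finds, so the detection output can itself be shipped to a SIEM outside the CDE without widening scope.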
LESSON #2: "The best code written is the one you don't write."
PRINCIPLE: YAGNI (YOU AIN'T GONNA NEED IT)
Why?
• EASIER TO MAINTAIN
• EASIER TO PROTECT
• EASIER TO SCALE
• EASIER TO COMPLY
KISS (Keep it simple, stupid!)
Which backend would you prefer to protect?
1. Cobol Monolith
2. Go + Serverless
3. .NET + K8s
How?
• SERVERLESS (AWS, FIREBASE)
• CROSS-PLATFORM (FLUTTER, RN)
• REDUCE DEPENDENCIES
LESSON #3: "Ticking boxes is both compliant and dangerous"
PRINCIPLE: DON'T JUST COMPLY BUT EMBRACE STANDARDS
Why?
STANDARDS CAN BE GOOD AS GUIDELINES, BUT GETTING CERTIFIED IS ONLY THE FIRST STEP
What to do?
• SECURITY-FIRST CULTURE
• TRAIN ENGINEERS & STAKEHOLDERS
Having a SOC can be very helpful in establishing and maintaining a good cybersec. posture.
LESSONS
1. "Divide et impera the PCI-way"
2. "The best code written is the one you don't write."
3. "Ticking boxes is both compliant and dangerous"
4. Conclusion
The 10y forecast for card fraud just in the US is more than $175bln.
SOURCE: NILSON REPORT
"Hackers are breaking the systems for profit. Before, it was about intellectual curiosity […] Now hacking is big business."
KEVIN MITNICK (1963-2023)
How hackers pay with your money?
How hackers can steal the most card data?
DATA BREACHES
4. Conclusion
The 2019 data breach of Capital One
(very PCI-compliant bank) exposed +100mln
of fullz and card data.
"In data we guard, in awareness we lead"
SECURING USERS' DATA AND SPREADING AWARENESS IS OUR PLEDGE AS CYBERSECURITY PROFESSIONALS
Thank you!
"In data we guard, in awareness we lead"
STEFANO AMORELLI
Find these slides, resources, and more information on this repo:
Q&A
Connect with me on LinkedIn

Credit Cards Tech and Threats: How Hackers Pay With Your Money [Stefano Amorelli - Tallinn BSides 2023]
