Recent PCI Hacks

1,293 views

Published on

Recent Payment Card Industry Hacks

Published in: Economy & Finance, Business
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
1,293
On SlideShare
0
From Embeds
0
Number of Embeds
36
Actions
Shares
0
Downloads
19
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Recent PCI Hacks

  1. 1. Recent Payment Card Industry HacksTechniques used; & possible Defense Muhammad Faisal Naqvi CISSP, CISA, ISO27K LA & MI, ISO20K I, AMBCI ACMA inter, MS E-Commerce (Gold)
  2. 2. Agenda• MOM Analysis (Motives, Opportunities & Means) • International Incidents • Regional Incidents• Statistics about Payment Card Industry Hacks • Who are the Culprits? • What are the Motives? • What are the Means? • Which Assets are under Attack?• What could be Possible Defense?
  3. 3. International Incidents
  4. 4. Banking data stolen from Millions• News Date: 04 April 2012• Country: UK• Means: Trojans e.g. Zeus & Spyeye to collect personal details• Opportunity: Social Engineering• Motive: Fun, curiosity, or pride ($3,800 in 20 Months)• Source: www.theregister.co.uk
  5. 5. Attack on one-time-passwords on mobile• News Date: 15 March 2012• Country: USA• Means: 1. Used Gozi Trojan to steal IMEI # of Account Holder 2. Report about lost/ stolen device & new SIM request 3. All one-time-passwords will come on new SIM• Opportunity: partner’s weak processes• Source: www.computerworld.com
  6. 6. Millions customers of famous Bank at risk NFC attack• News Date: 23 March 2012• Country: UK• Means: Contactless readers in mobile phones to extract card data even through wallets or bags• Opportunity: • Excessive card details • Weak merchant process• Motive: Online Shopping• Source: www.channel4.com
  7. 7. Gang of 50 steals at least $7 million• News Date: 11 May 2012• Country: Canada• Means: Installing Skimmers on stolen POS Machines in < 1 Hr.• Opportunity: • Physical Security • Lack of Monitoring• Motive: $7 million• Source: www.wired.com
  8. 8. 111 Arrested In Identity Theft Probe• News Date: 10 October 2011• Country: USA• Means: bank tellers, retail workers, waiters• Opportunity: Weak processes• Motive: $13m in 16 Months• Source: www.bbc.co.uk Thermal Image showing sequence of keys pressed
  9. 9. Hackers Skim Customers’ Credit Cards via Self-Checkout• News Date: 7 December 2011• Country: USA• Means: Skimmers• Opportunity: Physical Security• Motive: Financial gain• Source: news.cnet.com
  10. 10. Gang Used 3D Printers for Skimmers• News Date: 20 September 2011• Country: USA• Means: 3D Printed Skimmers• Opportunity: Physical Security• Motive: $400,000• Source: krebsonsecurity.com
  11. 11. Adult web site breached 40,000 Cards data• News Date: 12 March 2012• Country: USA• Means: Server Hack• Opportunity: ?• Motive: 40,000 CC numbers, expiry dates, security codes along with user IDs, email addresses, passwords.• Source: www.scmagazine.com
  12. 12. More than 10 million cards may have been compromised• News Date: 30 March 2012• Country: USA• Means: Servers Hacked• Opportunity: ?• Motive: Track 2 data (cards primary account number, expiration date, service code, PIN and CVV number)• Source: www.bbc.com
  13. 13. Gang stole $13 million in a day• News Date: 26 August 2011• Country: USA, Greece, Russia, Spain, Sweden, Ukraine, UK• Means: Remote Access to prepaid cards database update cards set bal = 10000 where ccno=12345678910• Opportunity: Stolen credentials• Motive: $13 million• Source: www.msnbc.msn.com
  14. 14. Simple URL manipulation affected over 360,000 cards & $2.7M• News Date: 27 June 2011• Country: USA• Means: script• Opportunity: Insecure Direct Object References https://www.onlinebank.com/user?acct=6065• Motive: $2.7M• Source: www.informationweek.com
  15. 15. Regional Incidents
  16. 16. Saudi (claimed) Hackers Expose 15,000 Israelis Credit Cards• News Date: 01 January 2012• Country: Israel• Means: Sports Web Site• Opportunity: ?• Motive: Hacktivism• Source: www.israelnationalnews.com• Hacker died just after 2 days of getting Govt. Job• www.emirates247.com
  17. 17. Two hospital employees arrested on credit card fraud charges• News Date: April 10, 2012• Country: UAE• Means: Online Shopping• Opportunity: Visible Credit Card Information• Motive: Dh9,300• Source: gulfnews.com
  18. 18. Police arrest suspect for credit card forgery• News Date: 26 April 2011• Country: UAE• Means: Expired cards, card copier, card data from web• Opportunity:• Motive: Financial• Source: gulfnews.com
  19. 19. Statistics about Payment Card Industry Hacks Source: 2012 Data Breach Investigation Report
  20. 20. Culprits Source: 2012 Data Breach Investigation Report
  21. 21. External Culprits Source: 2012 Data Breach Investigation Report
  22. 22. Internal Culprits Source: 2012 Data Breach Investigation Report
  23. 23. Motives Source: 2012 Data Breach Investigation Report
  24. 24. Means Source: 2012 Data Breach Investigation Report
  25. 25. Assets Source: 2012 Data Breach Investigation Report
  26. 26. Hacks Possible Defense• Social engineering • Automated social pen testing• Fake Online Transactions • Balance between Business & Security• POS Skimming • Disconnection logs Bar-coded tamper evident seals• ATM Skimming • Anti skimming solutions• Servers/Applications/DBs • Information Security, Pen testing & Audits
  27. 27. Questionsfaisal.naqvi@msn.comhttp://ae.linkedin.com/in/mfaisalnaqvi
  28. 28. Thank You

×