Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Point-Of-Sale Hacking - 2600Thailand#20

1,100 views

Published on

POS Hacking at 2600TH

Published in: Education
  • Be the first to comment

Point-Of-Sale Hacking - 2600Thailand#20

  1. 1. Point-of-Sale (POS)
  2. 2. Areas of Vulnerability Data in Memory Data at Rest Data inTransit Application Code and Configuration 1 2 3 4
  3. 3. Security Risk  Data in Memory Security concerns remain the same as those for device interfaces there are no standard security mechanisms. Specific issues depend on the type of connectivity. If POS and PA run under the same OS process, the memory of the process can be scanned using RAM scraping in order to retrieve sensitive data.
  4. 4. Security Risk
  5. 5. Security Risk  Data at Rest “data at rest,” a term used to describe any form of hard-drive storage such as database, fl at-data file, or log file.
  6. 6. Security Risk  Data in Transit There are different ways to “tap into the wire.” One of various sniffing attack scenarios would be a hidden network tap device plugged into the store network. The tap device will catch the payment application traffic and mirror it to the remote control center.
  7. 7. Security Risk  Data in Transit
  8. 8. Security Risk  Application Code and Configuration Another key vulnerability area is payment Application Code itself and its Configuration (config). The code or config don’t contain any cardholder information by themselves, but can be tampered by attacker or malicious software in order to gain unauthorized access to the data in other key vulnerability areas.
  9. 9. Exposure Area Retail Store – POS Machine POI Device Payment Application Storage Memory POS App Payment Processor Data Center Payment Processing Host 1 2 3 3 4 2 1 3 4 Data in memory Data at rest Data in Transit App Code and Configuration
  10. 10. Pros and Cons Some of the security pros and cons of this model are:  Pro  There’s no central location in the store that accumulates all the Sensitive data in memory, disk storage, or network traffic. It is easier (and less expensive!) to protect a single machine and application instance; however, once it is broken, all the store data is gone.  The communication between POS and PA doesn’t carry sensitive data because PA handles all the aspects of any payment transaction and only returns the masked results to the POS at the end without exposing the details of the magnetic stripe.  Con  All POS machines (memory, data storage) at the store are exposed to sensitive data as well as communication between the POS machine and the payment host.
  11. 11. The concept of EPS  EPS stands for Electronic Payment System  The main purpose of EPS is isolating the electronic payment processing application from the rest of the point-of-sale functions.  A logical (and often physical) separation of the POS and payment system allows “removing POS from the scope” (security auditors terminology meaning that security standard requirements like PCI are not applicable to a particular application or machine).  Placing the POS application or machine “out of scope” saves a lot of Development and implementation work for both software manufacturers and consumers
  12. 12. Store EPS Deployment Model Retail Store POI Device Payment Application Storage Memory POS Payment Processing Host POS Machine Store Server Payment Processor Data Center 2 1 3 4 Data in memory Data at rest Data in Transit App Code and Configuration 1 2 4 3 3
  13. 13. Pros and Cons Some of the security pros and cons of this model are:  Pro  The POS machine isn’t exposed to sensitive data because it doesn’t communicate with POI devices.  Communication between the POS and the store server machines doesn’t contain sensitive data, so there’s no need to encrypt this traffic  Con  Communication between POI devices and the store server is implemented through the store LAN (usually TCP/IP packets), exposing sensitive cardholder information to the network.
  14. 14. Hybrid POS/Store Deployment Model Retail Store Payment Server App Storage Memory POS Payment Processor Data Center Payment Processing Host POS App Store Server Payment Client App POI Device Memory Storage 2 1 3 4 Data in memory Data at rest Data in Transit App Code and Configuration 11 22 44 3 3 3
  15. 15. Pros and Cons Some of the security pros and cons of this model are:  Pro  There are no security pros associated with this model.  Con  Both the POS and the store server machines and almost all their Components (memory, data storage, application code, and communication lines) are entirely vulnerable.
  16. 16. Case Study: Pentesting POS Retail Store Payment Processing Host Counter/ POS Area Back-Office Area Payment Processor Data Center Storing Room EPS
  17. 17. Case Study: Pentesting POS Retail Store Payment Processing Host Counter/ POS Area Back-Office Area Payment Processor Data Center Storing Room Physical & Host Assessment EPS
  18. 18. Case Study: Pentesting POS  Physical & Host Assessment  USB Drives, Keyboard and Mouse  Hot-Key Shortcuts  Randomly presses on touchscreen  BIOS Configuration  Reverse Engineering on Application [.Net]  Directory Traversal on Application
  19. 19. Case Study: Pentesting POS Retail Store Payment Processing Host Counter/ POS Area Back-Office Area Payment Processor Data Center Storing Room Network Segregation & Infrastructure Assessment EPS
  20. 20. Case Study: Pentesting POS  Network Segregation & Infrastructure Assessment  Excessive Port on Device and Server  Network Segmentation  Password Reuse Rampant  Pass-The-Hash  Dump clear text passwords stored by Windows authentication packages Really !?
  21. 21. Case Study: Pentesting POS Retail Store Payment Processing Host Counter/ POS Area Back-Office Area Payment Processor Data Center Storing Room Traffic Monitoring EPS
  22. 22. Case Study: Pentesting POS  Traffic Monitoring  Identify PAN over the network.  Sensitive information between SIT and EPS.
  23. 23. Protection  Data in Memory  Minimizing Data Exposure from the Application (.NET SecureString, Memory Buffer]  Point-to-Point Encryption (P2PE), encrypt the data before it even reaches the memory of the hosting machine, and decrypt it only after it has left the POS (in the Payment Gateway)  Data in Transit  Implementing Secure Socket Layer (SSL]  Encrypted Tunnels, IPSec  Data at Rest  Avoiding the storage of sensitive data at all.  Point-to-Point Encryption [P2PE]  Symmetric Key Encryption
  24. 24. Thank you  Recommended Book

×