Point-Of-Sale Hacking - 2600Thailand#20
Point-of-Sale (POS): Areas of Vulnerability
(diagram) The deck numbers four areas in which cardholder data is exposed:
1. Data in memory
2. Data at rest
3. Data in transit
4. Application code and configuration
Security Risk: Data in Memory
Security concerns remain the same as for the device interfaces: there are no standard security mechanisms, and the specific issues depend on the type of connectivity. If the POS and the payment application (PA) run in the same OS process, the process memory can be scanned (RAM scraping) to retrieve sensitive data, such as track data, while it is held in clear text.
Security Risk: Data at Rest
"Data at rest" is a term used to describe any form of hard-drive storage, such as a database, a flat data file, or a log file. Sensitive data written to any of these outlives the transaction, which is why storage is a separate exposure area from memory.
Security Risk: Data in Transit
There are different ways to "tap into the wire." One of several sniffing scenarios is a hidden network tap device plugged into the store network. The tap captures the payment application traffic and mirrors it to a remote control center.
Security Risk: Application Code and Configuration
Another key vulnerability area is the payment application code itself and its configuration (config). The code and config don't contain any cardholder information by themselves, but they can be tampered with by an attacker or by malicious software in order to gain unauthorized access to the data in the other key vulnerability areas.
Exposure Area
(diagram) Retail Store – POS Machine: the POI device, payment application, storage, memory and POS app all sit on one machine, which talks to the payment processing host in the payment processor data center. Legend: 1 = data in memory, 2 = data at rest, 3 = data in transit, 4 = app code and configuration. The markers place 1, 2 and 4 on the POS machine and 3 on the links between the POI device, the payment application and the payment processing host.
Pros and Cons
Some of the security pros and cons of this model are:
• Pro
  • There's no central location in the store that accumulates all the sensitive data in memory, disk storage, or network traffic. It is easier (and less expensive!) to protect a single machine and application instance; however, once it is broken, all the store data is gone.
  • The communication between the POS and the PA doesn't carry sensitive data, because the PA handles every aspect of the payment transaction and returns only masked results to the POS at the end, without exposing the details of the magnetic stripe.
• Con
  • All POS machines at the store (memory, data storage) are exposed to sensitive data, as is the communication between each POS machine and the payment host.
The concept of EPS
• EPS stands for Electronic Payment System.
• The main purpose of an EPS is to isolate the electronic payment processing application from the rest of the point-of-sale functions.
• A logical (and often physical) separation of the POS and the payment system allows "removing the POS from scope" (security auditors' terminology meaning that the requirements of a security standard such as PCI DSS are not applicable to a particular application or machine).
• Placing the POS application or machine "out of scope" saves a lot of development and implementation work for both software manufacturers and their customers.
Store EPS Deployment Model
(diagram) Retail Store: the POS machine runs only the POS app; the store server hosts the payment application (storage, memory), talks to the POI devices, and sends transactions to the payment processing host in the payment processor data center. Legend: 1 = data in memory, 2 = data at rest, 3 = data in transit, 4 = app code and configuration. The markers place 1, 2 and 4 on the store server and 3 on the POI-to-store-server and store-server-to-host links.
Pros and Cons
Some of the security pros and cons of this model are:
• Pro
  • The POS machine isn't exposed to sensitive data because it doesn't communicate with the POI devices.
  • Communication between the POS and the store server machines doesn't contain sensitive data, so there's no need to encrypt this traffic.
• Con
  • Communication between the POI devices and the store server runs over the store LAN (usually TCP/IP packets), exposing sensitive cardholder information to the network.
Hybrid POS/Store Deployment Model
(diagram) Retail Store: the POS machine runs the POS app and a payment client app (with its own memory and storage) connected to the POI device; the store server runs a payment server app (memory, storage) that talks to the payment processing host in the payment processor data center. Legend: 1 = data in memory, 2 = data at rest, 3 = data in transit, 4 = app code and configuration. The markers 1, 2 and 4 appear on both the POS machine and the store server, and 3 on every link (POI to POS, POS to store server, store server to host).
Pros and Cons
Some of the security pros and cons of this model are:
• Pro
  • There are no security pros associated with this model.
• Con
  • Both the POS and the store server machines, and almost all of their components (memory, data storage, application code, and communication lines), are entirely vulnerable.
Case Study: Pentesting POS
(diagram) A retail store with a Counter/POS Area, a Back-Office Area and a Storing Room housing the EPS, connected to the payment processing host in the payment processor data center. The following slides walk through the assessment area by area.
Case Study: Pentesting POS: Physical & Host Assessment
The assessment starts at the counter, treating the POS terminal as an unattended kiosk: what its exposed ports accept, which inputs break out of the locked-down POS application, what the firmware settings allow, and finally the application binary itself.
• USB drives, keyboard and mouse
• Hot-key shortcuts
• Random presses on the touchscreen
• BIOS configuration
• Reverse engineering of the application (.NET)
• Directory traversal in the application
Case Study: Pentesting POS: Network Segregation & Infrastructure Assessment
From a foothold in the store, the assessment moves to the network and to Windows credential hygiene: unnecessary listening services, whether the POS, back-office and EPS segments are actually separated, and how far one recovered credential carries.
• Excessive open ports on devices and servers
• Network segmentation
• Rampant password reuse
• Pass-the-Hash
• Dumping clear-text passwords stored by Windows authentication packages
Really!?
Case Study: Pentesting POS: Traffic Monitoring
• Identify PANs over the network.
• Sensitive information between SIT and EPS.
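The exposure areas described earlier (scraping the payment application's process memory, tapping the store LAN) and the "identify PANs over the network" step of the case study all reduce to one search: find card data in an arbitrary byte stream. The following is an added example, not code from the talk or from any POS malware. It scans a constructed buffer, standing in for a process memory dump or a reassembled TCP payload, for ISO 7813 Track 1 and Track 2 images and for bare 13 to 19 digit PANs, and uses the Luhn check to discard numbers that merely look like PANs (timestamps, reference numbers). The sample bytes, including the well-known test PANs 4111111111111111 and 5555555555554444, are constructed for this example. The same logic a tester uses to prove clear-text exposure is what a RAM scraper applies, so only masked PANs are ever returned.

```python
"""Added example (not part of the slides): locate card data in a raw byte
buffer, whether it came from process memory or from a sniffed TCP stream."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# ISO 7813 Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
TRACK1 = re.compile(rb"%B(?P<pan>\d{13,19})\^(?P<name>[^^]{2,26})\^(?P<exp>\d{4})(\d{3})?[^?]*\?")
# ISO 7813 Track 2: ;<PAN>=<YYMM><service code><discretionary>?
TRACK2 = re.compile(rb";(?P<pan>\d{13,19})=(?P<exp>\d{4})(\d{3})?[^?]*\?")
# A bare run of 13-19 digits not embedded in a longer digit run.
BARE_PAN = re.compile(rb"(?<!\d)(?P<pan>\d{13,19})(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by all major card brands; rejects most look-alikes."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """First six and last four digits, the form PCI DSS allows to be displayed."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass(frozen=True)
class Hit:
    kind: str            # "track1", "track2" or "pan"
    pan_masked: str
    expiry: Optional[str]
    offset: int          # byte offset in the scanned buffer


def scan_buffer(buf: bytes) -> List[Hit]:
    """Return Luhn-valid card data found in buf, track images first so that
    the PAN inside a track is not reported a second time as a bare PAN."""
    hits: List[Hit] = []
    covered: List[Tuple[int, int]] = []
    for kind, rx in (("track1", TRACK1), ("track2", TRACK2)):
        for m in rx.finditer(buf):
            pan = m.group("pan").decode()
            if luhn_ok(pan):
                hits.append(Hit(kind, mask_pan(pan), m.group("exp").decode(), m.start()))
                covered.append((m.start(), m.end()))
    for m in BARE_PAN.finditer(buf):
        if any(s <= m.start() < e for s, e in covered):
            continue
        pan = m.group("pan").decode()
        if luhn_ok(pan):
            hits.append(Hit("pan", mask_pan(pan), None, m.start()))
    return sorted(hits, key=lambda h: h.offset)


# Constructed sample: what a slice of PA memory or a captured payload might hold.
SAMPLE_DUMP = (
    b"\x00\x00MSR_READ\x00"
    b";4111111111111111=25121011000012345678?"          # Track 2 (valid test PAN)
    b"\x00\x00terminal_id=00042;"
    b"%B4111111111111111^DOE/JOHN^2512101123456789?"    # Track 1 (valid test PAN)
    b"\x00 ref=1234567890123456 ts=1700000000000 "      # 16 and 13 digits, both fail Luhn
    b"cust=5555555555554444\x00"                        # bare valid test PAN
)

if __name__ == "__main__":
    for hit in scan_buffer(SAMPLE_DUMP):
        print(f"{hit.offset:5d} {hit.kind:6s} {hit.pan_masked} exp={hit.expiry}")
```

Run against a real capture, feed `scan_buffer` the reassembled TCP payload of each POI-to-EPS or PA-to-host flow; a single hit is enough to show the link carries clear-text cardholder data. Run against a memory dump of the PA process, it demonstrates exactly what a RAM scraper would harvest.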
Protection
• Data in Memory
  • Minimize data exposure in the application (.NET SecureString, dedicated memory buffers that are cleared as soon as the data has been used).
  • Point-to-Point Encryption (P2PE): encrypt the data before it even reaches the memory of the hosting machine, and decrypt it only after it has left the POS (in the payment gateway).
• Data in Transit
  • Implement SSL (today TLS) between the payment application and the host.
  • Encrypted tunnels, IPsec.
• Data at Rest
  • Avoid storing sensitive data at all.
  • Point-to-Point Encryption (P2PE).
  • Symmetric key encryption.
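The two controls above that need no cryptographic hardware, "avoid storing sensitive data at all" and "minimize exposure in memory", can be implemented together at the point where a transaction record is built. The following is an added example, not code from the talk or from any POS product: it assumes the Track 2 image arrives from the reader driver as a mutable bytearray (an assumption; in .NET the analogue is SecureString or a pinned, zeroed byte[]), keeps only a masked PAN and a keyed HMAC token (so refunds and reconciliation can match a card without the PAN), and wipes the track buffer in place before returning, including when parsing fails. The key and the track data are constructed for the example. Python `str` objects are immutable and cannot be wiped, which is why the PAN is never turned into a string here.

```python
"""Added example (not from the slides): build a storable sale record without
storing the PAN, and zero the clear track data as soon as it has been used."""
import hmac
import hashlib
from typing import Dict, Tuple


def locate_pan(track2: bytearray) -> Tuple[int, int]:
    """Return (start, end) of the PAN in an ISO 7813 Track 2 image
    ';' PAN '=' expiry service-code discretionary '?'."""
    start = track2.find(b";") + 1
    end = track2.find(b"=", start)
    if start == 0 or end == -1 or not 13 <= end - start <= 19:
        raise ValueError("no Track 2 PAN found")
    return start, end


def mask_pan(track2: bytearray, start: int, end: int) -> str:
    """First six and last four digits; only these leave the buffer as text."""
    pan = memoryview(track2)[start:end]
    return bytes(pan[:6]).decode() + "*" * (end - start - 10) + bytes(pan[-4:]).decode()


def pan_token(track2: bytearray, start: int, end: int, key: bytes) -> str:
    """HMAC-SHA256 of the PAN under a per-merchant key: the same card always
    maps to the same token (usable for refund lookups), but the token is
    useless to anyone who obtains the database without the key."""
    return hmac.new(key, memoryview(track2)[start:end], hashlib.sha256).hexdigest()


def wipe(buf: bytearray) -> None:
    """Overwrite the buffer in place; bytearray is the standard Python type that permits this."""
    for i in range(len(buf)):
        buf[i] = 0


def record_sale(track2: bytearray, amount_cents: int, key: bytes) -> Dict[str, object]:
    """Produce the record that may be written to storage, then destroy the clear track."""
    try:
        start, end = locate_pan(track2)
        record: Dict[str, object] = {
            "amount_cents": amount_cents,
            "pan_masked": mask_pan(track2, start, end),
            "pan_token": pan_token(track2, start, end, key),
        }
    finally:
        wipe(track2)   # also runs on a bad read, so malformed input does not linger either
    return record


# Constructed sample input: a well-known test PAN, a fake expiry/service code, and a demo key.
# In production the key would come from an HSM or a key-management service, never from source.
DEMO_KEY = b"demo-per-merchant-key-not-for-production"
TRACK2_SAMPLE = bytearray(b";4111111111111111=25121011000012345678?")

if __name__ == "__main__":
    buf = bytearray(TRACK2_SAMPLE)          # copy, so the sample constant stays readable
    print(record_sale(buf, 1999, DEMO_KEY))
    print("track buffer after the sale:", bytes(buf))
```

The record that reaches disk contains no PAN, no expiry and no discretionary data, so a compromise of the store database yields nothing a carder can use; the HMAC token still lets the back office match a return to the original sale.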
Thank you
• Recommended Book
Uploaded to SlideShare by Prathan Phongthiproek.
Benchmarking Sustainability: Neurosciences and AI Tech Research in Macau - Ke...
Alvaro Barbosa
 
matatag curriculum education for Kindergarten
matatag curriculum education for Kindergartenmatatag curriculum education for Kindergarten
matatag curriculum education for Kindergarten
SarahAlie1
 

Recently uploaded (20)

New Features in Odoo 17 Sign - Odoo 17 Slides
New Features in Odoo 17 Sign - Odoo 17 SlidesNew Features in Odoo 17 Sign - Odoo 17 Slides
New Features in Odoo 17 Sign - Odoo 17 Slides
 
2 Post harvest Physiology of Horticulture produce.pptx
2 Post harvest Physiology of Horticulture  produce.pptx2 Post harvest Physiology of Horticulture  produce.pptx
2 Post harvest Physiology of Horticulture produce.pptx
 
DepEd School Calendar 2024-2025 DO_s2024_008
DepEd School Calendar 2024-2025 DO_s2024_008DepEd School Calendar 2024-2025 DO_s2024_008
DepEd School Calendar 2024-2025 DO_s2024_008
 
Allopathic M1 Srudent Orientation Powerpoint
Allopathic M1 Srudent Orientation PowerpointAllopathic M1 Srudent Orientation Powerpoint
Allopathic M1 Srudent Orientation Powerpoint
 
How to Manage Line Discount in Odoo 17 POS
How to Manage Line Discount in Odoo 17 POSHow to Manage Line Discount in Odoo 17 POS
How to Manage Line Discount in Odoo 17 POS
 
Genetics Teaching Plan: Dr.Kshirsagar R.V.
Genetics Teaching Plan: Dr.Kshirsagar R.V.Genetics Teaching Plan: Dr.Kshirsagar R.V.
Genetics Teaching Plan: Dr.Kshirsagar R.V.
 
10th Social Studies Enrichment Material (Abhyasa Deepika) EM.pdf
10th Social Studies Enrichment Material (Abhyasa Deepika) EM.pdf10th Social Studies Enrichment Material (Abhyasa Deepika) EM.pdf
10th Social Studies Enrichment Material (Abhyasa Deepika) EM.pdf
 
Cómo crear video-tutoriales con ScreenPal (2 de julio de 2024)
Cómo crear video-tutoriales con ScreenPal (2 de julio de 2024)Cómo crear video-tutoriales con ScreenPal (2 de julio de 2024)
Cómo crear video-tutoriales con ScreenPal (2 de julio de 2024)
 
Imagination in Computer Science Research
Imagination in Computer Science ResearchImagination in Computer Science Research
Imagination in Computer Science Research
 
View Inheritance in Odoo 17 - Odoo 17 Slides
View Inheritance in Odoo 17 - Odoo 17  SlidesView Inheritance in Odoo 17 - Odoo 17  Slides
View Inheritance in Odoo 17 - Odoo 17 Slides
 
How to Manage Access Rights & User Types in Odoo 17
How to Manage Access Rights & User Types in Odoo 17How to Manage Access Rights & User Types in Odoo 17
How to Manage Access Rights & User Types in Odoo 17
 
How to Create & Publish a Blog in Odoo 17 Website
How to Create & Publish a Blog in Odoo 17 WebsiteHow to Create & Publish a Blog in Odoo 17 Website
How to Create & Publish a Blog in Odoo 17 Website
 
How To Update One2many Field From OnChange of Field in Odoo 17
How To Update One2many Field From OnChange of Field in Odoo 17How To Update One2many Field From OnChange of Field in Odoo 17
How To Update One2many Field From OnChange of Field in Odoo 17
 
SEQUNCES Lecture_Notes_Unit4_chapter11_sequence
SEQUNCES  Lecture_Notes_Unit4_chapter11_sequenceSEQUNCES  Lecture_Notes_Unit4_chapter11_sequence
SEQUNCES Lecture_Notes_Unit4_chapter11_sequence
 
RDBMS Lecture Notes Unit4 chapter12 VIEW
RDBMS Lecture Notes Unit4 chapter12 VIEWRDBMS Lecture Notes Unit4 chapter12 VIEW
RDBMS Lecture Notes Unit4 chapter12 VIEW
 
11EHS Term 3 Week 1 Unit 1 Review: Feedback and improvementpptx
11EHS Term 3 Week 1 Unit 1 Review: Feedback and improvementpptx11EHS Term 3 Week 1 Unit 1 Review: Feedback and improvementpptx
11EHS Term 3 Week 1 Unit 1 Review: Feedback and improvementpptx
 
Node JS Interview Question PDF By ScholarHat
Node JS Interview Question PDF By ScholarHatNode JS Interview Question PDF By ScholarHat
Node JS Interview Question PDF By ScholarHat
 
How to Manage Early Receipt Printing in Odoo 17 POS
How to Manage Early Receipt Printing in Odoo 17 POSHow to Manage Early Receipt Printing in Odoo 17 POS
How to Manage Early Receipt Printing in Odoo 17 POS
 
Benchmarking Sustainability: Neurosciences and AI Tech Research in Macau - Ke...
Benchmarking Sustainability: Neurosciences and AI Tech Research in Macau - Ke...Benchmarking Sustainability: Neurosciences and AI Tech Research in Macau - Ke...
Benchmarking Sustainability: Neurosciences and AI Tech Research in Macau - Ke...
 
matatag curriculum education for Kindergarten
matatag curriculum education for Kindergartenmatatag curriculum education for Kindergarten
matatag curriculum education for Kindergarten
 

Point-Of-Sale Hacking - 2600Thailand#20

  • 3. Areas of Vulnerability
      1. Data in Memory
      2. Data at Rest
      3. Data in Transit
      4. Application Code and Configuration
  • 4. Security Risk: Data in Memory
      • Security concerns remain the same as those for device interfaces: there are no standard security mechanisms. Specific issues depend on the type of connectivity. If the POS and the PA (payment application) run under the same OS process, the memory of the process can be scanned using RAM scraping in order to retrieve sensitive data.
  • 6. Security Risk: Data at Rest
      • “Data at rest” is a term used to describe any form of hard-drive storage such as a database, flat data file, or log file.
  • 7. Security Risk: Data in Transit
      • There are different ways to “tap into the wire.” One of various sniffing attack scenarios would be a hidden network tap device plugged into the store network. The tap device catches the payment application traffic and mirrors it to a remote control center.
  • 9. Security Risk: Application Code and Configuration
      • Another key vulnerability area is the payment application code itself and its configuration (config). The code or config don’t contain any cardholder information by themselves, but can be tampered with by an attacker or malicious software in order to gain unauthorized access to the data in the other key vulnerability areas.
  • 10. Exposure Area (diagram: Retail Store – POS Machine with POI Device, Payment Application, Storage, Memory and POS App; Payment Processor Data Center with Payment Processing Host; legend: 1 Data in memory, 2 Data at rest, 3 Data in transit, 4 App code and configuration)
  • 11. Pros and Cons. Some of the security pros and cons of this model are:
      • Pro
          • There’s no central location in the store that accumulates all the sensitive data in memory, disk storage, or network traffic. It is easier (and less expensive!) to protect a single machine and application instance; however, once it is broken, all the store data is gone.
          • The communication between POS and PA doesn’t carry sensitive data because the PA handles all the aspects of any payment transaction and only returns the masked results to the POS at the end, without exposing the details of the magnetic stripe.
      • Con
          • All POS machines (memory, data storage) at the store are exposed to sensitive data, as well as the communication between the POS machine and the payment host.
  • 12. The concept of EPS
      • EPS stands for Electronic Payment System.
      • The main purpose of EPS is isolating the electronic payment processing application from the rest of the point-of-sale functions.
      • A logical (and often physical) separation of the POS and payment system allows “removing POS from the scope” (security auditors’ terminology meaning that security standard requirements like PCI are not applicable to a particular application or machine).
      • Placing the POS application or machine “out of scope” saves a lot of development and implementation work for both software manufacturers and consumers.
  • 13. Store EPS Deployment Model (diagram: Retail Store with POS Machine running POS, Store Server running Payment Application with Storage and Memory, POI Device; Payment Processor Data Center with Payment Processing Host; legend: 1 Data in memory, 2 Data at rest, 3 Data in transit, 4 App code and configuration)
  • 14. Pros and Cons. Some of the security pros and cons of this model are:
      • Pro
          • The POS machine isn’t exposed to sensitive data because it doesn’t communicate with POI devices.
          • Communication between the POS and the store server machines doesn’t contain sensitive data, so there’s no need to encrypt this traffic.
      • Con
          • Communication between POI devices and the store server is implemented through the store LAN (usually TCP/IP packets), exposing sensitive cardholder information to the network.
  • 15. Hybrid POS/Store Deployment Model (diagram: Retail Store with POS Machine running POS App and Payment Client App with Memory and Storage, POI Device, Store Server running Payment Server App with Storage and Memory; Payment Processor Data Center with Payment Processing Host; legend: 1 Data in memory, 2 Data at rest, 3 Data in transit, 4 App code and configuration)
  • 16. Pros and Cons. Some of the security pros and cons of this model are:
      • Pro
          • There are no security pros associated with this model.
      • Con
          • Both the POS and the store server machines and almost all their components (memory, data storage, application code, and communication lines) are entirely vulnerable.
  • 17. Case Study: Pentesting POS (diagram: Retail Store with Counter/POS Area, Back-Office Area, Storing Room and EPS; Payment Processor Data Center with Payment Processing Host)
  • 18. Case Study: Pentesting POS (same diagram, highlighting Physical & Host Assessment)
  • 19. Case Study: Pentesting POS
      • Physical & Host Assessment
          • USB drives, keyboard and mouse
          • Hot-key shortcuts
          • Random presses on the touchscreen
          • BIOS configuration
          • Reverse engineering of the application [.NET]
          • Directory traversal in the application
  • 20. Case Study: Pentesting POS (same diagram, highlighting Network Segregation & Infrastructure Assessment)
  • 21. Case Study: Pentesting POS
      • Network Segregation & Infrastructure Assessment
          • Excessive open ports on devices and servers
          • Network segmentation
          • Rampant password reuse
          • Pass-the-Hash
          • Dump clear-text passwords stored by Windows authentication packages. Really!?
  • 22. Case Study: Pentesting POS (same diagram, highlighting Traffic Monitoring)
  • 23. Case Study: Pentesting POS
      • Traffic Monitoring
          • Identify PANs over the network.
          • Sensitive information between SIT and EPS.
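Slides 4, 6, 7 and 23 all come down to one question an assessor has to answer with evidence: is a PAN present in this memory dump, this log file, or this captured payload? The scanner below is an added example written for this page, not code from the talk or from any product. It finds card-number candidates (13 to 19 digits, optionally grouped with spaces or dashes), keeps only those that pass the Luhn check, and reports the offset together with a masked form so the finding itself does not become another copy of the PAN. The sample buffer is constructed (a track-2 style record with the Visa test PAN, a debug log line, and two 16-digit identifiers that are not PANs); the function names are the example's own.

```python
import re
from typing import List, Tuple

# A digit run of 13 to 19 digits (the PAN length range), optionally separated
# by single spaces or dashes, and not glued to further digits on either side.
PAN_CANDIDATE = re.compile(r"(?<![0-9])(?:[0-9][ -]?){12,18}[0-9](?![0-9])")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check: every real card PAN passes, most random digit runs fail."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep the first 6 and last 4 digits (the permitted display form), mask the rest."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(blob: bytes) -> List[Tuple[int, str]]:
    """Scan a byte buffer (memory dump, packet payload, log file) for Luhn-valid PANs.

    Returns (byte offset, masked PAN) pairs. Decoding as latin-1 maps every byte to
    exactly one character, so the reported offsets are byte offsets into the buffer.
    """
    text = blob.decode("latin-1")
    hits: List[Tuple[int, str]] = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append((m.start(), mask_pan(digits)))
    return hits


# Constructed sample buffer (not real data): a track-2 style record as a payment
# application might hold it in memory, a debug log line with a spaced PAN, and two
# 16-digit values (a transaction id and a near-miss) that fail the Luhn check.
SAMPLE_BUFFER = (
    b"...;4111111111111111=2512101?..."                          # track-2 style, Visa test PAN
    b"\x00\x00DEBUG auth req card=5500 0000 0000 0004 amt=1299\n"  # spaced, Luhn-valid
    b"txn_id=1234567890123456 ref=4111111111111112"               # 16 digits, not PANs
    b"\xff\xfe"
)

if __name__ == "__main__":
    for offset, masked in find_pans(SAMPLE_BUFFER):
        print(f"PAN at offset {offset}: {masked}")
```

Run over a process dump of the POS, a pcap payload between POI and store server, or the application's log directory, an empty result is the evidence behind "the POS machine isn't exposed to sensitive data" and "this traffic doesn't contain sensitive data"; a non-empty one is the finding. The Luhn filter is what keeps order numbers and timestamps out of the report, but it is only a filter: a random 16-digit value passes one time in ten, so hits in unexpected places still need a look at the surrounding bytes.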
  • 24. Protection
      • Data in Memory
          • Minimizing data exposure from the application (.NET SecureString, memory buffer)
          • Point-to-Point Encryption (P2PE): encrypt the data before it even reaches the memory of the hosting machine, and decrypt it only after it has left the POS (in the payment gateway)
      • Data in Transit
          • Implementing Secure Sockets Layer (SSL)
          • Encrypted tunnels, IPsec
      • Data at Rest
          • Avoiding the storage of sensitive data at all
          • Point-to-Point Encryption (P2PE)
          • Symmetric key encryption
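Slide 11 says the PA "only returns the masked results to the POS", and slide 24 lists "avoiding the storage of sensitive data at all" and minimizing in-memory exposure. The code below is an added example for this page, not the talk's or any vendor's implementation, showing what both sides of that POS/PA interface look like when those rules are enforced in code: the PA side takes track-2 data in a mutable buffer, returns only a masked PAN and a keyed HMAC-SHA256 token, and zeroes the buffer before returning; the POS side refuses to persist any field that still looks like a full PAN. The tokenization key, the track-2 record (Visa test PAN) and all function names are constructed for the example. Encrypting data that must be stored (the slide's symmetric-key option) is the other path and is not shown here.

```python
import hashlib
import hmac
import re
from typing import Any, Dict, List

# Constructed key for this example only. In a real EPS the tokenization key
# lives with the payment application (ideally in an HSM), never on the POS.
TOKEN_KEY = b"example-only-tokenization-key-not-for-production"

FULL_PAN = re.compile(r"^[0-9]{13,19}$")


def mask_pan(pan: str) -> str:
    """First 6 + last 4 digits (the permitted display form); everything else masked."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def tokenize_pan(pan: str, key: bytes = TOKEN_KEY) -> str:
    """Keyed one-way surrogate for the PAN (HMAC-SHA256).

    The POS and back office can link refunds or repeat customers by token without
    ever holding the PAN; without the key the token cannot be reversed or enumerated.
    """
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def scrub(buf: bytearray) -> None:
    """Overwrite a mutable buffer that held card data so a later RAM scrape of this
    process finds zeros there. Python cannot wipe immutable str/bytes objects, so the
    copies made by split()/decode() below are outside this guarantee; the scrub only
    bounds the lifetime of the original track buffer (the .NET analogue is SecureString).
    """
    for i in range(len(buf)):
        buf[i] = 0


def pa_authorize(track2: bytearray, amount_cents: int) -> Dict[str, Any]:
    """Payment-application side of the POS/PA interface: consumes track-2 data and
    hands back only masked and tokenized values. The approval flag is a stand-in for
    the real answer from the payment host."""
    pan = track2.split(b"=", 1)[0].lstrip(b";").decode("ascii", "replace")
    if not FULL_PAN.match(pan):
        scrub(track2)
        raise ValueError("track-2 data does not carry a PAN-length digit string")
    result = {
        "pan_masked": mask_pan(pan),
        "pan_token": tokenize_pan(pan),
        "amount_cents": amount_cents,
        "approved": True,
    }
    scrub(track2)                  # track data is gone from this buffer before we return
    return result


def pos_store_transaction(record: Dict[str, Any], store: List[Dict[str, Any]]) -> None:
    """POS side: refuse to persist anything that still looks like a full PAN, so a bug
    upstream cannot quietly turn the POS database into in-scope data at rest."""
    for key, value in record.items():
        if isinstance(value, str) and FULL_PAN.match(value.replace(" ", "").replace("-", "")):
            raise ValueError(f"refusing to store full PAN in field {key!r}")
    store.append(dict(record))


def storage_guard_rejects(record: Dict[str, Any]) -> bool:
    """True if pos_store_transaction refuses the record."""
    try:
        pos_store_transaction(record, [])
        return False
    except ValueError:
        return True


def demo() -> Dict[str, Any]:
    """Constructed track-2 record (Visa test PAN, not a real card) through both sides."""
    track2 = bytearray(b";4111111111111111=2512101?")
    result = pa_authorize(track2, 1299)
    assert track2 == bytearray(len(track2))    # buffer was zeroed by the PA
    db: List[Dict[str, Any]] = []
    pos_store_transaction(result, db)          # only masked PAN and token reach storage
    return result


if __name__ == "__main__":
    print(demo())
```

The storage guard is deliberately crude (a regex over string fields), but that is the point of the "out of scope" argument on slide 12: the POS stays out of scope only as long as nothing on it ever holds a PAN, and a check at the write path is cheap insurance against a future change that starts logging the raw response.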