Tokenization Payment Data Out Securing Payment Data Storage
Project Part A & B 10.15.14
Timothy Haney
SEC 577: Cryptography
Project Phase A & B
XYZ Gas Station
Professor Sadeghi
10/17/14
Table of Contents
Company Overview
Problem Statement
Solutions
    P2PE
    IPsec
    Credit Card Processing
    POS System Vulnerabilities Diagram
    Biometrics
    Anti-Skimming and PED
    Skimming Diagram
    EMV
    Operating Systems and Software Security
Conclusion
References
Company Overview
XYZ Gas Company has over a thousand gas stations around the globe. Each gas station
has ten point of entry (POE) swipe card readers. XYZ Gas relies heavily on the card swipe as a
form of payment. To use the pumps, a customer will swipe their credit or debit card at the
pump POE to purchase gas. In the gas station store, the attendant has a card swipe for
customers to purchase gas or retail items. Each gas station has a Wi-Fi connection to the
Internet for system convenience.
Problem Statement
As criminals develop more sophisticated methods of obtaining credit card information to
steal identities and money, senior management at XYZ Gas Company recognizes that a more
secure solution is needed to protect the point of sale (POS) systems at the gas stations. The
in-store device where customers pay the merchant for goods or services is called the point of
entry (POE) and is linked to the POS. Attacks on the POS system affect confidentiality. While
some customers pay cash, many POS transactions involve customers swiping their cards through
a card reader (Symantec). Many modern POS systems are all-in-one systems which can handle a
variety of customer transactions such as gift cards, returns, promotions, and sales (Symantec).
Many all-in-one POS systems are built on general-purpose operating systems that are
susceptible to a number of attack scenarios which could lead to large-scale breaches
(Symantec). The two most common ways in which criminals steal consumer and business data are
by affixing a physical device, or "skimmer", to POS hardware in order to capture card data, or
by using malware to gain access to POS networks and acquire credit and debit card data as it
passes through (Point of Sale News, 2014).
The POE card swipe mechanism can be compromised in a number of ways with skimmers or other
modifications. Skimmers typically use two devices to capture customers' card numbers and
personal identification numbers (PINs). One device sits where the customer swipes the card
and reads the magnetic stripe, which carries the account number. Criminals can install
devices inside the swipe mechanism to store the card data, which is then transmitted to the
criminal at a time of their choosing (Acohido, 2012). POE devices can even be removed from
the site at night, altered, and brought back without anyone noticing (Point of Sale News,
2014). Identical devices can also be ordered online to match the manufacturer's model;
criminals implant this look-alike device, programmed to transmit card data to them (Krebs on
Security).
Skimming is used to obtain customers' PINs as well as their card data. One component used
for skimming is a hidden camera that captures the PIN. The attacker can sit in a car with a
laptop, accessing the device remotely (Point of Sale News, 2014) to record PINs. A newer
method of capturing PINs uses an iPhone 5 with a FLIR thermal imaging camera accessory: the
residual heat left on non-metal keys shows which keys were pressed during a debit card
transaction. Once the attacker has the card data and PIN, they can use well-established
mechanisms for turning that information into money (Acohido, 2012). Yet another method of
obtaining PINs is a fake keypad. A skimming keypad is designed to mimic the real keypad and
fits over it like a glove (Fenlon); it records the PINs entered for the criminal to use
later. Out of all these methods, however, the easiest way to get someone's PIN is shoulder
surfing: the attacker simply watches over the customer's shoulder as the PIN is entered. For
about $200, anyone can order a magnetic stripe encoder and write a stolen card number onto a
blank magnetic stripe card. With the PIN, cash is only an ATM away. Skimming is a difficult
crime to catch, despite the sheer volume of incidents taking place.
A software attack through the corporate network is also very common. If the attacker gains
access through a spear phishing email or a vulnerable public-facing server, they can search
the network until they find an entry point into the POS network (Symantec). Attackers exploit
weaknesses in external-facing systems, such as SQL injection on a web server or a peripheral
device that still uses the manufacturer's default password. They can also infiltrate the
system by sending a spear phishing email to an individual in the organization; the email
carries a malicious attachment that opens backdoor access to the victim's machine. Often the
path an administrator uses to maintain the POS systems is the one the attacker takes
(Symantec).
Once inside the network, the attackers still need to reach the POS systems. They use tools
to map out where the POS systems are, and try to gain access by obtaining user credentials.
Credentials can be obtained in a number of ways, including brute force, keylogging, password
hash extraction and cracking, Trojans, or replaying captured login sequences. They may even
gain control of the domain controller, giving them full access to every computer in the
network. Once inside the POS segment, malware is installed to capture card data from the POS
systems (Symantec).
The card data read from the swipe at the POS system must be sent to the retailer's payment
processor for processing, and it should be encrypted in transit. Some of XYZ's gas stations
do not encrypt this information as it travels over the public network, so the PAN (primary
account number) may be exposed. Card numbers may also be stored unencrypted, in plaintext,
within internal networks (Symantec). Criminals have taken advantage of this at other
companies, stealing well over one hundred million card numbers. Rather than extracting the
data while it travels over the network, attackers can also obtain it with "RAM scraping"
malware, which extracts card data from memory while it is being processed inside the
terminal (Symantec). Network sniffing tools are used in some attacks to collect card numbers
as they traverse unencrypted networks.
Many POS systems run older operating systems such as Windows XP or Windows XP Embedded.
Once these reach end of support (Windows XP did so in April 2014), they no longer receive
security patches for newly found vulnerabilities, and organizations still running them are
putting themselves at risk of attack (Symantec). POS systems that run Windows are
susceptible to the malware families commonly seen on Windows, and the attackers do not need
specialized skills, because ready-made POS malware available online is sufficient to
compromise a Windows-based POS system.
Attackers may also hijack an internal server that normally communicates with the POS
systems and piggyback on its normal traffic in order to go unnoticed. Data gathered by RAM
scraping is staged on this server until the appropriate time to transfer it to the attacker.
A compromised FTP server belonging to a third party can serve as the external drop point.
These transfers are likely to go unnoticed when the drop servers are legitimate sites,
especially sites the victim organization already visits often.
Solutions
There are many actions that can be taken to mitigate the security problems with the POS
systems. An important one is to implement point-to-point encryption (P2PE) together with
Internet Protocol Security (IPsec). This provides encryption at both ends and a secure tunnel
between the POE device and the data center. P2PE protects data at the point of capture, which
is the first opportunity there is to protect it: the data is encrypted as soon as possible
and stays encrypted by default until it reaches the decryption environment. Account data is
encrypted at the point of capture (the ATM, the gas pump POE, and the store clerk's POE
device) and stays protected as it flows through the merchant's IT systems and down the
payment chain. The data remains encrypted except where it is decrypted for the specific
business processes that need the original account data (Thales e-Security, 2014). To defeat
RAM scraping, secure card readers (SCRs) that enable P2PE exist and have been deployed in
some environments. These readers encrypt the data at the moment of swipe, so the card number
remains encrypted throughout the process, even in the terminal's memory and underneath any
network-level encryption (Symantec). PINs entered for debit cards must be encrypted in the
PIN pad itself. When terminals are provisioned, the payment processor or sponsor performs
"key injection", loading a unique encryption key directly into the device, so the PIN
remains encrypted at all times (Symantec).
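The RAM-scraping attack from the problem statement and the secure card reader with key injection described above, shown side by side as an added Go example (my code, not the paper's). Assumed for the example: the Track 2 layout and Luhn check a scraper uses to find card numbers in memory; a per-terminal key derived by HMAC from a base key and the device serial as a stand-in for key injection (real terminals use DUKPT under ANSI X9.24, which also changes the key per transaction); AES-256-GCM as the reader's cipher; and a constructed memory snapshot containing a well-known test PAN.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"regexp"
)

// track2Pattern is the Track 2 layout a RAM scraper searches memory for:
// ';' start sentinel, 13-19 digit PAN, '=', YYMM expiry, 3-digit service
// code, discretionary data, '?' end sentinel.
var track2Pattern = regexp.MustCompile(`;(\d{13,19})=(\d{4})(\d{3})(\d*)\?`)

// luhnValid is the check scrapers apply to discard false positives.
func luhnValid(pan string) bool {
	sum := 0
	for i := len(pan) - 1; i >= 0; i-- {
		d := int(pan[i] - '0') // non-digits wrap above 9 and are rejected
		if d > 9 {
			return false
		}
		if (len(pan)-1-i)%2 == 1 { // every second digit from the right is doubled
			if d *= 2; d > 9 {
				d -= 9
			}
		}
		sum += d
	}
	return sum%10 == 0
}

// scanForPANs runs the scraper's search over a memory snapshot and returns
// the Luhn-valid PANs it finds, masked to the first six and last four digits.
func scanForPANs(mem []byte) []string {
	var found []string
	for _, m := range track2Pattern.FindAllSubmatch(mem, -1) {
		if pan := string(m[1]); luhnValid(pan) {
			found = append(found, pan[:6]+"******"+pan[len(pan)-4:])
		}
	}
	return found
}

// deriveTerminalKey stands in for key injection: every terminal gets its own
// key from the processor's base key and the device serial. This HMAC
// derivation is an assumption for the example; deployments use DUKPT.
func deriveTerminalKey(baseKey []byte, serial string) []byte {
	mac := hmac.New(sha256.New, baseKey)
	mac.Write([]byte("terminal-key:" + serial))
	return mac.Sum(nil) // 32 bytes: an AES-256 key
}

func terminalGCM(termKey []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(termKey)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptAtSwipe is what the secure card reader does before any data reaches
// the POS: AES-256-GCM under the terminal key, output nonce||ciphertext||tag,
// with the serial bound as associated data so blobs cannot be swapped between terminals.
func encryptAtSwipe(termKey []byte, serial string, track []byte) ([]byte, error) {
	gcm, err := terminalGCM(termKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, track, []byte(serial)), nil
}

// decryptAtProcessor is the far end of the P2PE tunnel: only the processor's
// decryption environment holds the terminal key and recovers the track.
func decryptAtProcessor(termKey []byte, serial string, blob []byte) ([]byte, error) {
	gcm, err := terminalGCM(termKey)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(blob) < n {
		return nil, errors.New("blob too short")
	}
	return gcm.Open(nil, blob[:n], blob[n:], []byte(serial))
}

func main() {
	// Constructed sample: Track 2 for a well-known Luhn-valid test PAN,
	// surrounded by unrelated heap bytes.
	track := []byte(";4111111111111111=25121011234567890?")
	heap := append(append([]byte("pos.exe heap ... "), track...), " ... \x00"...)
	fmt.Println("PANs found in unencrypted POS memory:", scanForPANs(heap))

	baseKey := make([]byte, 32) // stands in for the processor's base key
	rand.Read(baseKey)
	termKey := deriveTerminalKey(baseKey, "SCR-000123")
	blob, err := encryptAtSwipe(termKey, "SCR-000123", track)
	if err != nil {
		panic(err)
	}
	heap = append([]byte("pos.exe heap ... "), blob...)
	fmt.Println("PANs found with a secure card reader:", scanForPANs(heap))
	plain, _ := decryptAtProcessor(termKey, "SCR-000123", blob)
	fmt.Println("recovered in the processor's decryption environment:", string(plain))
}
```

Run as is, it reports one masked PAN for the plaintext snapshot and none for the reader's output; the processor, holding the terminal key, recovers the track. Binding the serial as associated data means a blob captured from one terminal fails authentication if presented as another terminal's, and a snapshot of the POS itself never contains the PAN, which is the property that defeats the scraper rather than any network-level encryption.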
According to Burnett, "IPsec is a framework of open standards for ensuring private
communications over IP networks" (Burnett, 2004). IPsec ensures the confidentiality,
integrity, and authenticity of data communications across a public IP network and is based
on standards developed by the Internet Engineering Task Force (IETF) (Burnett, 2004). IPsec
is a standards-based, flexible solution for deploying a network-wide security policy. It
implements encryption and authentication at the network layer, providing an end-to-end
security solution within the network architecture (Burnett, 2004). IPsec packets look like
ordinary IP packets and can be routed through any IP network, such as the Internet, without
changes to the intermediate networking equipment; the only devices that know about the
encryption are the endpoints (Burnett, 2004).
An agreement will be put in place between XYZ Gas Station's POE devices on the internal
network and the external banking network to use IPsec to build a secure tunnel. Both ends
(the XYZ gas stations and the bank) authenticate each other and all traffic between them is
encrypted, securing the information transferred between XYZ Gas Stations and the banking
network. IPsec protects the data only while it is inside the tunnel, so it complements P2PE
rather than replacing it: without P2PE, card data would still be in the clear on the station
network and inside the POS before it enters the tunnel.
Credit card payment processing takes place in two phases: authorization (getting approval
for the transaction, which is stored with the order) and settlement/capture (processing the
sale, which transfers the funds from the issuing bank to the merchant's account). When the
card is swiped at the point of entry device at the gas station, the data goes to the
processor, Interstate Processing (ISP), where it is retained, then on to the mainframe at the
data center and to the bank, which checks whether the cardholder has sufficient funds. The
response then travels back and reports to the merchant that the cardholder has sufficient
funds.
According to Burnett, in the authorization process, when an order is received from a
cardholder, the merchant attempts to authorize the transaction by initiating a two-way
message exchange between the merchant and the payment gateway (Burnett, 2004). First, an
authorization request is sent from the merchant to the payment gateway. The merchant
software generates and digitally signs an authorization request, which includes the amount
to be authorized, the transaction identifier from the order information, and other
information about the transaction. This message is then digitally enveloped using the
payment gateway's public key. The authorization request and the cardholder payment
information are transmitted to the payment gateway (Burnett, 2004).
The next step of the authorization process is the authorization response, which the merchant
receives from the payment gateway. When the authorization request arrives, the payment
gateway decrypts and verifies the contents of the message. If everything is valid, the
payment gateway generates an authorization response message, which is digitally enveloped
with the merchant's public key and transmitted back to the merchant (Burnett, 2004). Upon
receipt of the authorization response, the merchant decrypts the digital envelope and
verifies the data within. If the purchase is authorized, the merchant completes processing
of the cardholder's order by performing the services indicated in the order, such as
dispensing products, gas, or cash (Burnett, 2004).
After authorization is complete, settlement/payment capture takes place. When the
order-processing portion is completed with the cardholder, the merchant requests payment
from the payment gateway. Payment capture/settlement is accomplished by the exchange of a
capture request and a capture response. The merchant software generates the capture
request, which includes the final amount of the transaction, the transaction identifier, and
other information about the transaction. This message is digitally enveloped using the
payment gateway's public key and transmitted to the payment gateway (Burnett, 2004).
The second part of settlement/capture is the capture response. The payment gateway receives
the capture request and verifies its contents, then generates a capture response containing
information about the payment for the requested transaction. This response is digitally
enveloped using the merchant's public key and transmitted back to the merchant. Upon receipt
of the capture response from the payment gateway, the merchant software decrypts the digital
envelope and verifies the signature and message data (Burnett, 2004).
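The authorization and capture exchange Burnett describes, both sides of it, as an added Go example that is not the paper's or Burnett's code. Assumptions made here: RSA-PSS for the digital signature and RSA-OAEP for the envelope (applied directly to the small JSON bodies; a production envelope wraps a symmetric session key instead), one Msg/Reply format shared by both phases, a constructed approval rule (amounts under $200 are approved), and the gas-pump pattern of authorizing an estimate before fuel flows and capturing the amount actually pumped. The gateway's refusal to capture more than it authorized, or against a code it never issued, is the check a practitioner would want and is not spelled out in the text.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Envelope is a signed, digitally enveloped message: the body is signed by
// the sender (RSA-PSS) and encrypted for the recipient (RSA-OAEP). Bodies here
// fit in one OAEP block; a production envelope would wrap a symmetric key.
type Envelope struct{ Ciphertext, Signature []byte }

// NewKey generates a 2048-bit RSA key pair for one party.
func NewKey() *rsa.PrivateKey {
	k, _ := rsa.GenerateKey(rand.Reader, 2048)
	return k
}

func seal(sender *rsa.PrivateKey, recipient *rsa.PublicKey, body []byte) (*Envelope, error) {
	h := sha256.Sum256(body)
	sig, err := rsa.SignPSS(rand.Reader, sender, crypto.SHA256, h[:], nil)
	if err != nil {
		return nil, err
	}
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, body, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{ct, sig}, nil
}

// open reverses seal. The wrong recipient key, an altered body or a forged
// signature all fail here, before any business logic sees the message.
func open(recipient *rsa.PrivateKey, sender *rsa.PublicKey, e *Envelope) ([]byte, error) {
	body, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipient, e.Ciphertext, nil)
	if err != nil {
		return nil, err
	}
	h := sha256.Sum256(body)
	if err := rsa.VerifyPSS(sender, crypto.SHA256, h[:], e.Signature, nil); err != nil {
		return nil, err
	}
	return body, nil
}

// Msg is a merchant request in either phase ("auth" or "capture"); Reply is
// the gateway's response. Card data would ride in the auth Msg as a P2PE blob.
type Msg struct{ Phase, TxID, AuthCode string; Cents int64 }
type Reply struct{ TxID string; OK bool; AuthCode, Reason string }

// Gateway remembers each authorization it issued so that a capture is checked
// against it: the auth code must match and the amount may not exceed it.
type Gateway struct {
	Key   *rsa.PrivateKey
	Auths map[string]Msg
}

func (g *Gateway) Handle(merchant *rsa.PublicKey, e *Envelope) (*Envelope, error) {
	body, err := open(g.Key, merchant, e)
	if err != nil {
		return nil, err
	}
	var m Msg
	if err := json.Unmarshal(body, &m); err != nil {
		return nil, err
	}
	r := Reply{TxID: m.TxID}
	rec, ok := g.Auths[m.TxID]
	switch {
	case m.Phase == "auth" && m.Cents > 0 && m.Cents < 20000: // constructed approval rule
		r.OK, r.AuthCode = true, "A-"+m.TxID
		m.AuthCode = r.AuthCode
		g.Auths[m.TxID] = m
	case m.Phase == "auth":
		r.Reason = "declined"
	case m.Phase == "capture" && (!ok || rec.AuthCode != m.AuthCode):
		r.Reason = "no matching authorization"
	case m.Phase == "capture" && m.Cents > rec.Cents:
		r.Reason = "capture exceeds authorized amount"
	case m.Phase == "capture":
		r.OK = true
	default:
		r.Reason = "unknown phase"
	}
	out, _ := json.Marshal(r)
	return seal(g.Key, merchant, out)
}

// Exchange is one merchant round trip: seal the request for the gateway, let
// it handle the envelope, then open the reply enveloped for the merchant.
func Exchange(merchant *rsa.PrivateKey, gw *Gateway, m Msg) (Reply, error) {
	var r Reply
	body, _ := json.Marshal(m)
	e, err := seal(merchant, &gw.Key.PublicKey, body)
	if err != nil {
		return r, err
	}
	if e, err = gw.Handle(&merchant.PublicKey, e); err != nil {
		return r, err
	}
	reply, err := open(merchant, &gw.Key.PublicKey, e)
	if err != nil {
		return r, err
	}
	return r, json.Unmarshal(reply, &r)
}

func main() {
	mk := NewKey()
	gw := &Gateway{Key: NewKey(), Auths: map[string]Msg{}}
	// The pump pre-authorizes $100 before fuel flows, then captures the $47.32 pumped.
	auth, _ := Exchange(mk, gw, Msg{Phase: "auth", TxID: "pump07-0001", Cents: 10000})
	capt, _ := Exchange(mk, gw, Msg{Phase: "capture", TxID: "pump07-0001", AuthCode: auth.AuthCode, Cents: 4732})
	fmt.Printf("auth: %+v\ncapture: %+v\n", auth, capt)
}
```

Each party verifies the other's signature with the public key it already trusts and decrypts only with its own private key, so a message enveloped for the gateway is useless to anyone who intercepts it on the station network, and a reply the merchant cannot verify is discarded before it influences whether fuel is dispensed.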
A solution to prevent PINs from being stolen by skimming would be to implement two-factor
authentication that pairs biometric (fingerprint) authentication with the credit or debit
card, instead of a PIN. Biometrics add security over a PIN because they verify identity by a
physical characteristic rather than a secret that can be observed or recorded. The most
well-known biometric is the fingerprint; everyone's fingerprints are unique, even identical
twins'. The machine determines from a fingerprint reading whether the appropriate person is
requesting an operation, and some readers can even tell whether the finger is attached to a
living body (Burnett, 2004).
The various biometric recognition mechanisms operate in two modes, enrollment and
verification. During enrollment, the user's biological feature (a physical characteristic or
personal trait) is acquired by the administrator using a sensor, which typically sits at the
front end of the biometric authentication mechanism. The stored characteristic, commonly
known as a template, is usually placed in a back-end database for later retrieval. Unlike a
PIN, a template cannot be changed if that database is breached, so it needs protection at
least as strong as the card data itself.
After users are enrolled, their biometrics are used to verify their identity. To
authenticate someone, his or her biological feature is acquired from the sensor and converted
to a digital representation called a live scan. The live scan is then compared to the stored
template. Typically the live scan does not exactly match the stored template: because
biometric readings almost always contain variations, these systems cannot require an exact
match between the enrollment template and the current pattern. Instead, the current pattern
is considered valid if it falls within a certain statistical range. A comparison algorithm
yields a score indicating how close the live scan is to the stored template; if the score
falls in the "acceptable" range an affirmative response is given, and if it falls in the
"unacceptable" range a negative response is given. Where the acceptable range lies is set by
the administrator, and that choice trades false rejections of genuine users against false
acceptances of impostors.
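Enrollment, live scan and threshold comparison as an added Go example (mine, not from the paper or Burnett). It assumes a 256-bit code as the template representation and Hamming distance as the comparison algorithm, models genuine scans as the enrolled code with a few bits flipped by sensor noise and impostors as unrelated random codes, and builds its population with a seeded PRNG rather than measured data. What it adds to the paragraph is the consequence of the administrator's threshold setting: the false reject rate and the false accept rate move in opposite directions.

```go
package main

import (
	"fmt"
	"math/bits"
	"math/rand"
)

// A template here is a 256-bit code of the kind iris and some fingerprint
// systems produce; the comparison algorithm is the Hamming distance between
// the enrollment template and the live scan. Assumed representation, not the paper's.
const codeBits = 256

type Template [codeBits / 8]byte

// hamming counts the bits in which two codes differ.
func hamming(a, b Template) int {
	d := 0
	for i := range a {
		d += bits.OnesCount8(a[i] ^ b[i])
	}
	return d
}

// Matcher holds the administrator's acceptance threshold: a live scan is
// accepted when it differs from the stored template in at most Threshold bits.
type Matcher struct{ Threshold int }

func (m Matcher) Verify(stored, live Template) bool {
	return hamming(stored, live) <= m.Threshold
}

// randomTemplate models an impostor: an unrelated code, each bit a coin flip.
func randomTemplate(r *rand.Rand) Template {
	var t Template
	for i := range t {
		t[i] = byte(r.Intn(256))
	}
	return t
}

// noisy models a genuine live scan: the enrolled code with flips random bits
// disturbed by sensor noise, so it never matches the template exactly.
func noisy(t Template, flips int, r *rand.Rand) Template {
	for i := 0; i < flips; i++ {
		k := r.Intn(codeBits)
		t[k/8] ^= 1 << (k % 8)
	}
	return t
}

// ErrorRates enrolls one user, then runs trials genuine and trials impostor
// attempts, returning the false reject rate and false accept rate for the
// matcher's threshold. The population is constructed (seeded PRNG), not data.
func ErrorRates(m Matcher, trials, noiseFlips int, seed int64) (frr, far float64) {
	r := rand.New(rand.NewSource(seed))
	enrolled := randomTemplate(r)
	rejects, accepts := 0, 0
	for i := 0; i < trials; i++ {
		if !m.Verify(enrolled, noisy(enrolled, noiseFlips, r)) {
			rejects++
		}
		if m.Verify(enrolled, randomTemplate(r)) {
			accepts++
		}
	}
	return float64(rejects) / float64(trials), float64(accepts) / float64(trials)
}

func main() {
	// Random codes differ in about half their bits (128 of 256, give or take 8);
	// genuine scans differ by roughly the noise level. Moving the threshold
	// trades one error for the other.
	for _, th := range []int{15, 60, 140} {
		frr, far := ErrorRates(Matcher{Threshold: th}, 1000, 30, 1)
		fmt.Printf("threshold %3d bits: FRR %.3f  FAR %.3f\n", th, frr, far)
	}
}
```

With 30 noise bits, a threshold of 15 rejects nearly every genuine user, 140 accepts most impostors, and 60 separates the two populations cleanly; a real system sets the threshold from measured genuine and impostor score distributions, which is why the acceptable range is an administrator's decision rather than a constant.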
Another layer of security will be to upgrade the PIN entry devices (PEDs) to an encrypting
Toshiba device. Since these devices can still be tampered with, we will install security
cameras for extra protection; the cameras deter tampering and provide evidence when it
occurs. Camera footage will be reviewed regularly and kept for at least 90 days. Secure
stands, tethers, alarms, and security cables are acceptable practice for keeping PEDs in
place, and wiring should run through conduit or similar protection. We must also check our
POS environment for hidden cameras or other recording devices. We can also post bulletins
educating customers on how to avoid skimming, such as pressing several other keys after
entering a PIN and shielding the keypad from anyone behind them (at any locations which
still use PINs). We would also recommend that customers use a credit card instead of a debit
card, because a debit transaction exposes the PIN and draws directly on the customer's bank
account. It is recommended that the merchant continually track and monitor all POS terminals
that accept Visa cards. This includes routinely examining terminals for missing or altered
seals or screws, extraneous wiring, holes in the device, or added labels or decals (Visa,
2010). Merchants should use only PCI PTS-approved devices. Staff will be trained to spot POS
equipment tampering. Policies and procedures will be put in place so that only authorized
personnel may access the PEDs, and new employees will undergo background checks as part of
employment screening (Visa, 2010).
Another added security measure will be the adoption of Europay, Mastercard, and Visa (EMV)
smart cards. Due to the high cost, EMV has been adopted very slowly. I would recommend that
we transition to this system (commonly known as a smart card, or "chip-and-PIN" card), whose
embedded microprocessor provides strong transaction security features. The chip generates a
per-transaction cryptogram, so data captured from one transaction cannot be replayed or used
to produce a counterfeit card, which mitigates many common POS attacks. The cards are
difficult to clone, so attackers are less attracted to them (Symantec). EMV does not by
itself hide the account number from the POS, however: the PAN still passes through the
terminal, which is why it complements P2PE rather than replacing it.
We will migrate all POS systems from Windows to Linux. For systems still running Windows in
the meantime, the operating system must be kept up to date, with all patches and hot-fixes
applied promptly. Other measures are to install and maintain a firewall that enforces
network segmentation between the POS segment and the rest of the network, change default
passwords and other vendor security settings, run regularly updated security software, place
intrusion prevention systems (IPS) at critical points and at the network perimeter, use file
integrity monitoring software, and encrypt all PIN and PAN data (Symantec). Additionally, we
should test our security controls, perform penetration testing, implement a vulnerability
management program, maintain security policies, and hold regular training for all personnel.
Anti-virus and anti-malware software with current signatures will help prevent the malware
attacks prevalent against POS systems. A last precaution is for the information security
team to expect attackers to turn our trusted vendors against us by stealing their credentials
and impersonating them; the recent breaches at major retailers (Target, Home Depot, etc.) in
the headlines show that this is a realistic path.
Conclusion
There are many security issues with the POS systems at XYZ gas stations, such as
unencrypted networks and vulnerable operating systems, which could lead to theft of card
data through skimmers and malware. These issues can be addressed through P2PE and IPsec,
biometrics, physical security of PEDs, EMV cards, Linux operating systems, security
policies built on best practices, and training for merchants and employees on the POS
systems. Once these safeguards are in place, XYZ gas stations should eliminate most of their
POS system issues.
References
Acohido, B. (2012, November 6). Data thieves target debit cards, PINs at point of sale. USA Today. Retrieved from http://www.usatoday.com/story/tech/personal/2012/11/05/debit-card--numbers-pins-stolen-at-pos-terminals/1675795/
Burnett, S., Paine, S., & RSA Security. (2004). RSA Security's official guide to cryptography. New York: Osborne/McGraw-Hill.
Fenlon, W. (n.d.). How does ATM skimming work? HowStuffWorks. Retrieved from http://money.howstuffworks.com/atm-skimming3.htm; see also http://www.bankrate.com/finance/savings/4-tips-to-protect-you-from-atm-thieves-1.aspx
Krebs on Security. (2011, May). Point-of-sale skimmers: Robbed at the register. Retrieved from http://krebsonsecurity.com/2011/05/point-of-sale-skimmers-robbed-at-the-register/
Point of Sale News. (2014). Five ways to protect point of sale stations and networks from cybercrime. Retrieved from http://pointofsale.com/On-Managing/Five-Ways-to-Protect-Point-of-Sale-Stations-and-Networks-From-Cybercrime.html
Symantec. (n.d.). Attacks on point of sale systems. Retrieved from http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/attacks_on_point_of_sale_systems.pdf
Thales e-Security. (2014). Point-to-point encryption: Challenges, risks, and solutions. Retrieved from https://www.thales-esecurity.com/solutions/by-technology-focus/point-to-point-encryption
Visa. (2010). Point-of-sale terminal tampering is a crime... Retrieved from http://usa.visa.com/download/merchants/alert-pos-terminal-tampering-020311.pdf