Timothy Haney
SEC 577: Cryptography
Project Phase A & B
XYZ Gas Station
Professor Sadeghi
10/17/14
Table of Contents
Company Overview
Problem Statement
Solutions
    P2PE
    IPSec
    Credit Card Processing
    POS System Vulnerabilities Diagram
    Biometrics
    Anti-Skimming and PED
    Skimming Diagram
    EMV
    Operating Systems and Software Security
Conclusion
References
Company Overview
XYZ Gas Company has over a thousand gas stations around the globe. Each gas station
has ten point of entry (POE) swipe card readers. XYZ Gas relies heavily on the card swipe as a
form of payment. To use the pumps, a customer will swipe their credit or debit card at the
pump POE to purchase gas. In the gas station store, the attendant has a card swipe for
customers to purchase gas or retail items. Each gas station has a Wi-Fi connection to the
Internet for system convenience.
Problem Statement
As criminals develop more sophisticated methods of obtaining credit card information to steal identities and money, senior management at XYZ Gas Company realizes that a more secure solution needs to be in place to protect the point of sale (POS) systems at the gas stations. The in-store systems where customers pay merchants for goods or services are called the point of entry (POE) and are linked to the POS. Attacks on the POS system affect confidentiality. While some customers pay cash, many POS transactions involve customers swiping their cards through a card reader (Symantec). Many modern POS systems are all-in-one systems which can handle a variety of customer transactions such as gift cards, returns, promotions, and sales (Symantec). Many all-in-one POS systems are based on operating systems which are susceptible to a number of scenarios that could lead to large-scale breaches (Symantec). The two most common ways in which criminals steal consumer and business data are by affixing a physical device or “skimmer” to POS hardware in order to capture card data, or by using malware to gain access to POS networks and acquire credit and debit card data as it passes through (Point of Sale News, 2014).
The POE card swipe mechanism can be compromised in a number of ways with skimmers or other modifications. These skimmers use two devices to capture customers’ credit card numbers and personal identification numbers (PINs). One device sits near where the customer swipes the card and reads the magnetic stripe, which carries the account number. Criminals can install devices inside the swiping mechanism to store the card information, which can then be transmitted to the criminal at a time of their choosing (Acohido, 2012). The POE devices can even be removed from the site at night, altered, and brought back without anyone noticing (Point of Sale News, 2014). Identical devices can also be ordered online to match the manufacturer’s device; criminals implant this look-alike device and program it to transmit card data to them (Krebs on Security).
Skimming is used to obtain customers’ PINs as well as their credit card information. One device used in skimming is a hidden camera for capturing the PIN. The attacker can sit in a car with a laptop, remotely accessing the device (Point of Sale News, 2014) to record PINs. Another newer method of capturing PINs uses an iPhone 5 with the FLIR thermal imaging camera accessory. The accessory lets someone see which keys were pressed during a debit card transaction from the residual heat left on non-metal keys. Once the attacker has the credit card information and PIN, they can use well-established mechanisms for turning that information into money (Acohido, 2012). Yet another method of obtaining PINs is the fake keypad. Skimming keypads are designed to mimic a keypad and fit over it like a glove (Fenlon); they record the PINs that are entered for criminals to use later. However, of all these methods, the easiest way to get someone’s PIN is to shoulder surf: the attacker simply looks over the customer’s shoulder as the PIN is entered. For about $200, anyone can order a device called a mag stripe encoder and write a stolen payment card number onto a blank magnetic stripe card. As long as they also have the PIN, cash is only an ATM away. Skimming is a crime that is difficult to catch, despite the sheer volume of such crimes taking place.
A software attack through the corporate network is also common. If the attacker gains access through a spear phishing email or a vulnerable public-facing server, the attacker can search the network until they find an entry point to the POS network (Symantec). Attackers can use weaknesses in external-facing systems, such as an SQL injection flaw on a web server or a peripheral device that still uses the manufacturer’s default password. They can also infiltrate the system by sending a spear phishing email to an individual in the organization; the email would contain a malicious attachment, which would allow backdoor access to the victim’s machine. Usually the entry point an administrator uses to maintain the POS systems is how an attacker gets in (Symantec).
Once inside the network, the attackers still need to gain access to the POS systems. They will use special tools to map out the location of the POS system and will try to gain access by obtaining user credentials. User credentials can be obtained in a number of ways, including brute force, keylogging, password hash extraction, cracking, Trojans, or replaying captured login sequences. It is even possible that they gain control of the domain controller, giving them full access to all computers in the network. Once inside the POS system area, malware is installed to capture credit card information from the POS systems (Symantec).
The credit card information read from the card swipe at the POS system must be sent to and processed by the retailer’s payment processor. This information should be encrypted. Some of XYZ’s gas stations do not encrypt the information traveling over the public network. The PAN (primary account number) may not be encrypted. The credit card numbers themselves might not be encrypted where they are stored within internal networks and could be in plaintext (Symantec). Many criminals have taken advantage of this and have exploited other companies for over one hundred million credit card numbers. Rather than extracting the data while it travels through the network, attackers can get hold of it through “RAM scraping” malware, which extracts the data from memory while it is being processed inside the terminal (Symantec). Network sniffing tools are used in some attacks to collect credit card numbers as they traverse unencrypted networks.
Many POS systems run older operating systems like Windows XP or Windows XP Embedded. Once the end-of-support deadline passes, these systems will no longer receive vulnerability fixes and patches. Organizations are putting themselves at risk of attack if they continue to use these outdated systems (Symantec). POS systems that run Windows are very susceptible to the malware attacks commonly seen on Windows operating systems. The attackers do not need specialized skills to compromise the Windows software, because malware programs available online are sufficient to break into a Windows-based POS system.
The attackers may attempt to hijack an internal system server that normally communicates with the POS systems and piggyback on its normal communication in order to go unnoticed. The information gathered by RAM scraping is sent to this server and held there until the appropriate time to transfer it to the attacker. A compromised FTP server belonging to a third party could be used as the external system that receives the information. These transfers will likely go unnoticed if the compromised servers belong to legitimate sites, especially sites often visited by the victim organization.
Solutions
There are many actions that can be taken to mitigate the security problems with the POS systems. An important solution would be to implement point-to-point encryption (P2PE) and Internet Protocol Security (IPSec). This will provide encryption at both ends and create a secure tunnel between the POE device and the data center. P2PE protects data at the point of capture, which is literally the first opportunity there is to protect it. P2PE encrypts the data as soon as possible and keeps it encrypted by default, end to end. The account data is encrypted at the point of capture (at the ATM, the gas pump POE, and the store clerk’s POE device) and is protected as it flows through the merchant’s IT systems and passes down the payment chain. The data remains in a protected (encrypted) state and is decrypted only when required by the specific business processes that need the original account data (Thales Esecurity, 2014). To defeat RAM scraping attacks, secure card readers (SCR) exist and have been implemented in some environments to enable P2PE. These card readers encrypt the data at the time of the swipe, and the credit card number remains encrypted throughout the process, even in memory and underneath the network-level encryption (Symantec). PINs must be encrypted at the PIN pad terminal when debit cards are used. When provisioning terminals, a payment processor or sponsor must perform “key injection”, in which a unique encryption key is loaded directly into the device. With this scheme, the PIN remains encrypted at all times (Symantec).
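The key-injection and secure-card-reader flow just described, as an added example in Go (not code from the paper or from any vendor): the processor injects a unique AES-256-GCM key into a terminal, the reader encrypts the track data at swipe time, the POS application forwards only ciphertext, and the processor decrypts by looking the key up under the terminal ID. The terminal ID, track layout and test card number are constructed; real deployments typically use per-transaction key derivation (such as DUKPT) and HSM-backed key storage rather than the plain map used here.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Processor holds the per-terminal keys injected at provisioning, indexed by terminal ID.
type Processor struct {
	keys map[string][]byte // HSM-backed in production; a plain map here
}

// Terminal models a secure card reader (SCR): it holds only its own injected key.
type Terminal struct {
	ID  string
	key []byte
}

// InjectKey performs "key injection": the processor generates a unique 256-bit AES key
// for one terminal and records it against that terminal's ID.
func (p *Processor) InjectKey(id string) (*Terminal, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	p.keys[id] = key
	return &Terminal{ID: id, key: append([]byte(nil), key...)}, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Swipe encrypts the track data inside the reader before it reaches the POS application.
// The terminal ID is bound as associated data, so the blob cannot be passed off as
// coming from another terminal. Output layout: nonce || ciphertext || tag.
func (t *Terminal) Swipe(track []byte) ([]byte, error) {
	gcm, err := newGCM(t.key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, track, []byte(t.ID)), nil
}

// Decrypt is the processor side: look up the key injected for this terminal and open
// the blob. Tampered data or a mismatched terminal ID fails authentication.
func (p *Processor) Decrypt(id string, blob []byte) ([]byte, error) {
	key, ok := p.keys[id]
	if !ok {
		return nil, errors.New("unknown terminal")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], []byte(id))
}

// RunTransaction simulates one swipe end to end. It reports whether the POS-side buffer
// (what RAM-scraping malware could read) contained the PAN, and what the processor recovered.
func RunTransaction(pan string) (posBufferHasPAN bool, decrypted string, err error) {
	proc := &Processor{keys: map[string][]byte{}}
	term, err := proc.InjectKey("PUMP-07") // constructed terminal ID
	if err != nil {
		return false, "", err
	}
	blob, err := term.Swipe([]byte(pan + "=2512")) // constructed track data: PAN and expiry
	if err != nil {
		return false, "", err
	}
	posBuffer := append([]byte("AUTHREQ:"), blob...) // all the POS application ever holds
	plain, err := proc.Decrypt(term.ID, blob)
	if err != nil {
		return false, "", err
	}
	return bytes.Contains(posBuffer, []byte(pan)), string(plain), nil
}

func main() {
	leaked, plain, err := RunTransaction("4111111111111111") // standard test PAN, not a real account
	fmt.Println("PAN visible to POS memory:", leaked, "| processor recovered:", plain, "| err:", err)
}
```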
According to Burnett, “IPSec is a framework of open standards for ensuring private communications over IP networks” (Burnett, 2004). IPSec ensures confidentiality, integrity, and authenticity of data communications across a public IP network and is based on standards developed by the Internet Engineering Task Force (IETF) (Burnett, 2004). IPSec is a necessary, standards-based, flexible solution for deploying a network-wide security policy. IPSec implements network layer encryption and authentication, providing an end-to-end security solution within the network architecture (Burnett, 2004). IPSec packets look like ordinary IP packets and can be routed through any IP network—such as the Internet—without any changes to the intermediate networking equipment. The only devices that know about the encryption are the endpoints (Burnett, 2004).
An agreement will be put in place between XYZ Gas Station’s internal network, where the POE devices sit, and the external banking networks to use IPSec to create a secure tunnel. Both sessions (XYZ Gas Stations and Banking) will be encrypted end to end. This will secure the information transferred between XYZ gas stations and the banking network.
Credit card payment processing takes place in two phases: authorization (getting approval for the transaction, which is stored with the order) and settlement/capture (processing the sale, which transfers the funds from the issuing bank to the merchant’s account). When the card is swiped at the point of entry device at the gas station, the information goes to Interstate Processing (ISP), where it is held, and then travels to the mainframe (data center) and the bank, which checks whether the cardholder has enough funds. After that, a response comes back reporting to the merchant that the cardholder has sufficient funds.
According to Burnett, in the authorization process, when an order is processed from a
cardholder, the merchant attempts to authorize the transaction by initiating a two-way
message exchange between the merchant and the payment gateway (Burnett, 2004). First, an
authorization request is sent from the merchant to the payment gateway. The merchant
software generates and digitally signs an authorization request, which includes the amount to
be authorized, the transaction identifier from the order information, and other information
about the transaction. This information is then digitally enveloped using a payment gateway’s
public key. The authorization request and the cardholder payment information are transmitted
to the payment gateway (Burnett, 2004).
The next step of the authorization process is the authorization response, which the merchant receives from the payment gateway. When the authorization request arrives, the payment gateway decrypts and verifies the contents of the message. If everything is valid, the payment gateway generates an authorization response message, which is then digitally enveloped with the merchant’s public key and transmitted back to the merchant (Burnett, 2004). Upon receipt of the authorization response message from the payment gateway, the merchant decrypts the digital envelope and verifies the data within. If the purchase is authorized, the merchant then completes processing of the cardholder’s order by performing the services indicated in the order, such as issuing products, gas, or money (Burnett, 2004).
After authorization is complete, settlement/payment capture takes place. When the order-processing portion is completed with the cardholder, the merchant requests payment from the payment gateway. Payment capture/settlement is accomplished by the exchange of a capture request and a capture response. For the capture request, the merchant software generates a message which includes the final amount of the transaction, the transaction identifier, and other information about the transaction. This message is then digitally enveloped using the payment gateway’s public key and transmitted to the payment gateway (Burnett, 2004).
The second portion of settlement/capture is the capture response. The payment gateway receives the capture request and verifies its contents. The capture response includes information pertaining to the payment for the requested transaction. This response is then digitally enveloped using the merchant’s public key and transmitted back to the merchant. Upon receipt of the capture response from the payment gateway, the merchant software decrypts the digital envelope and verifies the signature and message data (Burnett, 2004).
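The authorization exchange described above (and the capture exchange, which uses the same steps with different message bodies), as an added example in Go that is not taken from Burnett or from the paper: each side signs with its own ECDSA key and envelopes the signed message for the other side's RSA-OAEP public key, and the gateway rejects any request not signed by the merchant. The message formats, the approval rule, and encrypting the short signed message directly under RSA-OAEP (rather than wrapping a fresh symmetric key, as a production digital envelope would) are simplifications assumed here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Party is the merchant or the payment gateway. Each holds an ECDSA P-256 signing key
// and a separate RSA-2048 key under which envelopes addressed to it are encrypted.
type Party struct {
	signKey *ecdsa.PrivateKey
	encKey  *rsa.PrivateKey
}

func NewParty() (*Party, error) {
	s, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	e, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Party{signKey: s, encKey: e}, nil
}

// Seal signs msg with p's key, then encrypts len(sig) || sig || msg under the recipient's
// RSA-OAEP public key. The bundle must fit one OAEP block (190 bytes for RSA-2048/SHA-256).
func (p *Party) Seal(msg []byte, to *rsa.PublicKey) ([]byte, error) {
	digest := sha256.Sum256(msg)
	sig, err := ecdsa.SignASN1(rand.Reader, p.signKey, digest[:])
	if err != nil {
		return nil, err
	}
	bundle := append([]byte{byte(len(sig))}, sig...)
	bundle = append(bundle, msg...)
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, to, bundle, nil)
}

// Open decrypts an envelope addressed to p and rejects it unless `from` signed the message.
func (p *Party) Open(env []byte, from *ecdsa.PublicKey) ([]byte, error) {
	bundle, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, p.encKey, env, nil)
	if err != nil {
		return nil, err
	}
	if len(bundle) < 1 || len(bundle) < 1+int(bundle[0]) {
		return nil, errors.New("malformed bundle")
	}
	n := int(bundle[0])
	sig, msg := bundle[1:1+n], bundle[1+n:]
	if digest := sha256.Sum256(msg); !ecdsa.VerifyASN1(from, digest[:], sig) {
		return nil, errors.New("signature verification failed")
	}
	return msg, nil
}

// Authorize runs the two-way authorization exchange: merchant -> gateway request and
// gateway -> merchant response, each signed by its sender and enveloped for its receiver.
func Authorize(merchant, gateway *Party, txnID string, amountCents int) (string, error) {
	req := []byte(fmt.Sprintf("AUTHREQ %s %d", txnID, amountCents))
	env, err := merchant.Seal(req, &gateway.encKey.PublicKey)
	if err != nil {
		return "", err
	}
	// Gateway side: open the envelope, check the merchant's signature, parse, decide.
	got, err := gateway.Open(env, &merchant.signKey.PublicKey)
	if err != nil {
		return "", err
	}
	id, amt := "", 0
	if _, err := fmt.Sscanf(string(got), "AUTHREQ %s %d", &id, &amt); err != nil {
		return "", err
	}
	decision := "DECLINED"
	if amt <= 50000 { // constructed approval rule: approve amounts up to $500.00
		decision = "APPROVED"
	}
	respEnv, err := gateway.Seal([]byte("AUTHRESP "+id+" "+decision), &merchant.encKey.PublicKey)
	if err != nil {
		return "", err
	}
	// Merchant side: open the response and confirm the gateway signed it.
	resp, err := merchant.Open(respEnv, &gateway.signKey.PublicKey)
	if err != nil {
		return "", err
	}
	return string(resp), nil
}
```

Create the two parties with NewParty and call Authorize(merchant, gateway, "T1001", 4523); the merchant ends up with the verified string "AUTHRESP T1001 APPROVED".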
A solution to prevent PINs from being stolen in skimming attacks would be to implement a two-factor authentication system pairing biometric (fingerprint) authentication with the credit or debit card, instead of using a PIN. Biometrics add security over using a PIN. Biometrics use a physical characteristic to verify identity. The most well-known biometric is the fingerprint. Everyone has a unique fingerprint, even identical twins. The machine can determine through a fingerprint reading whether the appropriate person is requesting an operation. Some of these machines can even tell whether the finger is attached to a living body (Burnett, 2004).
The various biometric recognition mechanisms operate in enrollment and verification modes. In the enrollment process, the user’s biological feature (physical characteristic or personal trait) is acquired by the administrator using a sensor, which typically resides at the front end of the biometric authentication mechanism. This stored characteristic, commonly known as a template, is usually placed in a back-end database for later retrieval.
After the users are enrolled, their biometrics are used to verify their identity. To authenticate someone, his or her biological feature is acquired from the sensor and converted to a digital representation, called a live scan. The live scan is then compared to the stored biometric template. Typically the live scan does not exactly match the user’s stored template. Because biometric readings almost always contain variations, these systems cannot require an exact match between the enrollment template and the current pattern. Instead, the current pattern is considered valid if it falls within a certain statistical range of values. A comparison algorithm is used to determine whether the user being verified is the same user that was enrolled. The comparison algorithm yields a result that indicates how close the live scan is to the stored template. If the result falls into an “acceptable” range, an affirmative response is given; if it falls into an “unacceptable” range, a negative response is given. What counts as acceptable is set by the administrator.
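The enrollment/live-scan comparison described above, as an added example in Go (not from the paper): a toy minutiae matcher yields a closeness score, and an administrator-chosen threshold decides acceptance. The enrolled template, the genuine live scan (slightly shifted, one feature missed, one spurious) and the impostor scan are constructed; they show the same finger passing at a 0.7 threshold but being falsely rejected at 0.9, while a different finger scores zero.

```go
package main

import (
	"fmt"
	"math"
)

// Minutia is one fingerprint feature: the position of a ridge ending or bifurcation
// and the ridge direction there. Real extractors also record type and quality.
type Minutia struct {
	X, Y  float64 // position in pixels
	Theta float64 // direction in radians
}

// Template is the enrolled feature set stored in the back-end database.
type Template []Minutia

// angleDiff returns the signed difference a-b wrapped into (-pi, pi].
func angleDiff(a, b float64) float64 {
	d := math.Mod(a-b+math.Pi, 2*math.Pi)
	if d < 0 {
		d += 2 * math.Pi
	}
	return d - math.Pi
}

// MatchScore is the comparison algorithm: the fraction of enrolled minutiae that have
// an unused counterpart in the live scan within posTol pixels and angTol radians.
// 1.0 means every enrolled feature was found; an exact match is never required.
func MatchScore(enrolled, live Template, posTol, angTol float64) float64 {
	if len(enrolled) == 0 {
		return 0
	}
	used := make([]bool, len(live))
	matched := 0
	for _, m := range enrolled {
		for j, l := range live {
			if used[j] {
				continue
			}
			if math.Hypot(m.X-l.X, m.Y-l.Y) <= posTol && math.Abs(angleDiff(m.Theta, l.Theta)) <= angTol {
				used[j] = true
				matched++
				break
			}
		}
	}
	return float64(matched) / float64(len(enrolled))
}

// Verify applies the administrator-chosen acceptance threshold to the score.
// Tolerances of 8 pixels and 0.3 radians are constructed values for this example.
func Verify(enrolled, live Template, threshold float64) bool {
	return MatchScore(enrolled, live, 8, 0.3) >= threshold
}

// Constructed data: an enrolled template, a live scan of the same finger (shifted by a
// couple of pixels, one feature missed, one spurious feature), and a different finger.
var (
	Enrolled     = Template{{40, 52, 0.4}, {63, 80, 1.2}, {90, 45, 2.9}, {120, 100, -1.1}, {150, 70, 0.0}, {75, 130, 2.2}}
	GenuineLive  = Template{{42, 50, 0.45}, {65, 83, 1.15}, {88, 47, 2.85}, {152, 72, 0.05}, {77, 128, 2.25}, {30, 30, 1.0}}
	ImpostorLive = Template{{20, 20, 0.1}, {100, 20, 2.0}, {20, 100, -2.0}, {100, 140, 1.5}, {130, 20, 0.8}, {60, 60, -0.5}}
)

func main() {
	fmt.Printf("genuine score %.3f, impostor score %.3f\n",
		MatchScore(Enrolled, GenuineLive, 8, 0.3), MatchScore(Enrolled, ImpostorLive, 8, 0.3))
	for _, thr := range []float64{0.7, 0.9} {
		fmt.Printf("threshold %.1f: genuine accepted=%v impostor accepted=%v\n",
			thr, Verify(Enrolled, GenuineLive, thr), Verify(Enrolled, ImpostorLive, thr))
	}
}
```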
Another layer of security will be to upgrade the PIN entry devices (PEDs) to an encrypted Toshiba device. Since these devices can be tampered with, we will install security cameras for extra protection. The cameras will prevent skimming by protecting the customers’ transactions. The camera footage will be reviewed regularly and kept for at least 90 days. The use of secure stands, tethers, alarms, or security cables is an acceptable practice to keep the PEDs safe. Wiring should be run through something secure, such as conduit. We must also check our POS environment for any hidden cameras or other recording devices. We can also put up bulletins to educate customers on tips for avoiding skimming attacks, such as pressing all keys after keying in a PIN or not allowing anyone to see their PIN from behind (at any locations which still use PINs). We would also recommend that customers use a credit card instead of a debit card because of the unprotected nature of debit cards. It is recommended that the merchant continually track and monitor all POS terminals that accept VISA cards. This would include routinely examining the terminals for missing or altered seals or screws, extraneous wiring, holes in the device, or added labels or decals (Visa, 2010). Merchants should only use PCI compliant devices. The staff will be trained in POS equipment tampering prevention by being shown how to spot it. Policies and procedures will be put in place so that only authorized personnel are allowed to access the PEDs. Employment screening with background checks will be implemented for new employees (Visa, 2010).
Another added security measure will be the adoption of Europay, Mastercard, and Visa (EMV) smart cards. Due to the high cost, EMV has been adopted very slowly. I would recommend we transition to this system (commonly known as a smartcard, or “chip-and-PIN” card), whose cards contain embedded microprocessors that provide strong transaction security features. EMV never transmits the credit card data in clear text, mitigating many common POS attacks. The cards are difficult to clone, so attackers are less attracted to them (Symantec).
We will migrate all POS systems from Windows to Linux operating systems. For the systems still using Windows, all operating systems must be kept up to date, with all patches and hot-fixes applied in a timely manner to help prevent compromise. Other considerations will be to install and maintain a firewall to facilitate network segmentation, change default system passwords and other security parameters, use regularly updated security software, use intrusion prevention systems (IPS) at critical points and at the network perimeter, use file integrity monitoring software, and encrypt all PIN and PAN information (Symantec). Additionally, we should test security systems, perform penetration testing, implement a vulnerability management program, maintain security policies, and implement regular training for all personnel. Implementing anti-virus and anti-malware software with the latest updates would be optimal to prevent the malware attacks prevalent on POS systems. A last precaution would be to have the information security team be aware of attackers using our commonly used vendors against us by stealing their credentials and pretending to be them. We must expect this sort of attack because of the recent security breaches at major retailers (Target, Home Depot, etc.) that have been discussed in recent headlines.
There are many security issues with the POS systems at XYZ gas stations, such as unencrypted networks and vulnerable operating systems, which could lead to theft of credit card information through skimmers and malware attacks by hackers. Solutions to these issues are possible through implementation of P2PE and IPSec, biometrics, physical security of PEDs, EMV cards, Linux operating systems, security policies with best practices, and training for merchants and employees on POS systems. XYZ gas stations should eliminate most of their POS system issues once these safeguards are put into place.
References
Acohido, B. (2012, November 6). Data thieves target debit cards, PINs at point of sale. Retrieved from http://www.usatoday.com/story/tech/personal/2012/11/05/debit-card--numbers-pins-stolen-at-pos-terminals/1675795/
Burnett, S., Paine, S., & RSA Security. (2004). RSA Security's official guide to cryptography. New York: Osborne/McGraw-Hill.
Fenlon, W. (n.d.). HowStuffWorks "How does ATM skimming work?". Retrieved from http://money.howstuffworks.com/atm-skimming3.htm and http://www.bankrate.com/finance/savings/4-tips-to-protect-you-from-atm-thieves-1.aspx
Krebs on Security. (2011, May). Retrieved from http://krebsonsecurity.com/2011/05/point-of-sale-skimmers-robbed-at-the-register/
Point of Sale News. (2014). Five Ways to Protect Point of Sale Stations and Networks From Cybercrime. Retrieved from http://pointofsale.com/On-Managing/Five-Ways-to-Protect-Point-of-Sale-Stations-and-Networks-From-Cybercrime.html
Symantec. (n.d.). Attacks on Point of Sale. Retrieved from http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/attacks_on_point_of_sale_systems.pdf
Thales Esecurity. (2014). Point-to-Point Encryption: Challenges, Risks, and Solutions. Retrieved from https://www.thales-esecurity.com/solutions/by-technology-focus/point-to-point-encryption
Visa. (2010). Point-of-sale terminal tampering is a crime... Retrieved from http://usa.visa.com/download/merchants/alert-pos-terminal-tampering-020311.pdf

 
Introduction To Information Security
Introduction To Information SecurityIntroduction To Information Security
Introduction To Information Security
 
Securing PoS Terminal - A Technical Guideline on Securing PoS System From Hac...
Securing PoS Terminal - A Technical Guideline on Securing PoS System From Hac...Securing PoS Terminal - A Technical Guideline on Securing PoS System From Hac...
Securing PoS Terminal - A Technical Guideline on Securing PoS System From Hac...
 
Tokenization Payment Data Out Securing Payment Data Storage
Tokenization Payment Data Out Securing Payment Data StorageTokenization Payment Data Out Securing Payment Data Storage
Tokenization Payment Data Out Securing Payment Data Storage
 

Project Part A & B 10.15.14

swiping their cards through a card reader (Symantec). Many modern POS systems are all-in-one systems which can handle a variety of customer transactions such as gift cards, returns, promotions, and sales (Symantec). Many all-in-one POS systems are based on operating systems which are susceptible to a number of scenarios that could lead to large-scale breaches (Symantec). The two most common ways in which criminals steal consumer and business data are by affixing a physical device, or “skimmer,” to POS hardware in order to capture card data, or by using malware to gain access to POS networks and acquire credit and debit card data as it passes through (Point of Sale News, 2014).

The POE card swipe mechanism can be compromised in a number of ways with skimmers or other modifications. These skimmers use two devices to capture customers’ credit card numbers and personal identification numbers (PINs). One device sits near where the customer swipes their card and reads the magnetic stripe on the card, which holds the account number. Criminals can install devices inside the swiping mechanism to store the card information, which can be transmitted to the criminal at a time of their choosing (Acohido, 2012). The POE devices can actually be removed from the site at night, altered, and then brought back without anyone noticing (Point of Sale News, 2014). Identical devices can also be ordered online to match the manufacturer's device; criminals implant this identical device and program it to transmit card data to them (Krebs on Security).

Skimming is used to obtain customers’ PINs as well as their credit card information. One component device used for skimming is a hidden camera for capturing the PIN. The attacker can sit in his car with a laptop, remotely accessing the device (Point of Sale News, 2014) to record PINs. Another new method to capture PINs is the use of an iPhone 5 with the FLIR thermal imaging camera accessory. The accessory allows someone to see which keys were pressed during a debit card transaction from the heat residue left behind on non-metal keys. Once the attacker has the credit card information and PIN, they are able to use well-established mechanisms for turning that information from the POS into money (Acohido, 2012). Yet another method used to obtain PINs is the fake keypad. Skimming keypads are designed to mimic a keypad and fit over it like a glove (Fenlon). It records the PINs that are entered for criminals to use later. However, out of all these methods, the easiest way to get someone’s PIN is to shoulder surf. Shoulder surfing is when the attacker looks over the customer’s shoulder to see the PIN as they enter it. For about $200, anyone can order a device called a mag stripe encoder and embed a stolen payment card number onto a blank magnetic-striped card. Free cash is only an ATM away as long as they have the PIN. Skimming is a crime that is difficult to catch, despite the sheer volume of crimes taking place.

A software attack through the corporate network can be very common. If the attacker gains access through a spear phishing email or a vulnerable public-facing server, the attacker can search the network until they find an entry point to the POS network (Symantec). Attackers can use weaknesses in external-facing systems, such as an SQL injection on a web server, or find a peripheral device that still uses default manufacturer passwords. They can also infiltrate the system by sending a spear phishing email to an individual in the organization. The spear phishing email would contain a malicious attachment, which would allow backdoor access onto the victim’s machine. Usually the entry point an administrator uses to maintain the POS systems is how an attacker gets in (Symantec). Once inside the network, the attackers need to gain access to the POS systems. They use special tools to map out the location of the POS system, and try to gain access by obtaining user credentials. User credentials can be obtained in a number of ways, including brute force, keylogging, password hash extraction, cracking, Trojans, or replaying captured login sequences. It is even possible that they gain control of the domain controller, giving them full access to all computers in the network. Once inside the POS system area, malware is installed to capture credit card information from the POS systems (Symantec).

The card information read from the swipe at the POS system must be sent to and processed at the retailer’s payment processor. This information should be encrypted. Some of XYZ’s gas stations do not have encryption for the information traveling over the public network. The PAN (primary access number) may not be encrypted. The credit card numbers themselves might not be encrypted where they are stored within internal networks and could be in plaintext (Symantec). Many criminals have taken advantage of this and have exploited other companies for over one hundred million credit card numbers. Rather than extracting the data while it is traveling through the network, attackers can get hold of the data through “RAM scraping” malware, which extracts the data from memory while it is being processed inside the terminal (Symantec). Network sniffing tools are used in some attacks to collect credit card numbers as they traverse unencrypted networks.

Many POS systems run older operating systems like Windows XP or Windows XP Embedded. These systems will no longer receive vulnerability fixes and patches once the support deadline passes. Organizations are putting themselves at risk of attack if they continue to use these outdated systems (Symantec). POS systems that run Windows are very susceptible to the malware attacks commonly seen on Windows operating systems. The attackers do not need specialized skills to hack the Windows software, because malware programs available online are sufficient to compromise a Windows-based POS system.
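The RAM-scraping and unencrypted-PAN weaknesses just described, and the encrypt-at-swipe (P2PE) countermeasure that the Solutions section recommends, can be seen in a short program. The following Go code is an added example and not part of the original paper: it scans a constructed memory image for Luhn-valid, card-number-shaped digit runs (the same audit a DLP or memory-inspection tool performs), then shows that once a secure card reader encrypts the track data under its injected key, the POS host's memory no longer contains anything that check can find. The 32-byte key, the industry test PAN 4111111111111111 and the surrounding buffer are constructed sample values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"regexp"
)

// panPattern matches runs of 13 to 19 digits, the length range of card PANs.
var panPattern = regexp.MustCompile(`\b[0-9]{13,19}\b`)

// luhnValid reports whether s passes the Luhn check-digit test that every
// PAN satisfies; it filters out most random digit runs in a memory image.
func luhnValid(s string) bool {
	sum, double := 0, false
	for i := len(s) - 1; i >= 0; i-- {
		d := int(s[i] - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// FindPANs scans a memory image for Luhn-valid, PAN-shaped digit runs: the
// audit a defender runs to confirm no cleartext account data sits in the POS
// process. It is the same pattern RAM-scraping malware looks for, which is
// why encrypting at the reader matters.
func FindPANs(mem []byte) []string {
	var found []string
	for _, m := range panPattern.FindAllString(string(mem), -1) {
		if luhnValid(m) {
			found = append(found, m)
		}
	}
	return found
}

// SwipeEncrypt models a secure card reader: track data is encrypted with
// AES-256-GCM under the key injected into the reader at provisioning, so the
// POS host only ever receives ciphertext (nonce prefixed to the ciphertext).
func SwipeEncrypt(injectedKey, track []byte) ([]byte, error) {
	gcm, err := newGCM(injectedKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, track, nil), nil
}

// SwipeDecrypt is the payment processor's side: the only place in the chain
// that holds the key, and therefore the only place the PAN reappears.
func SwipeDecrypt(injectedKey, blob []byte) ([]byte, error) {
	gcm, err := newGCM(injectedKey)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Constructed sample: track-2 style data using the well-known 4111... test
// PAN, surrounded by other process memory. Not real cardholder data.
var sampleTrack = []byte(";4111111111111111=2512101?")
var sampleMemory = append([]byte("pos.exe heap ... "), sampleTrack...)

func main() {
	fmt.Println("cleartext POS memory:", FindPANs(sampleMemory))
	key := make([]byte, 32) // stands in for the key injected at provisioning
	rand.Read(key)
	ct, _ := SwipeEncrypt(key, sampleTrack)
	fmt.Println("P2PE POS memory:", FindPANs(append([]byte("pos.exe heap ... "), ct...)))
}
```

Run the same FindPANs check over a real memory dump of the POS process after a P2PE deployment: any hit means cleartext account data reached the host, so the encryption is not happening at the point of capture as intended.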
The attackers may attempt to hijack an internal system server that normally communicates with the POS systems and piggyback on its normal communication in order to go unnoticed. The information gathered from RAM scraping will be sent to this server and held until the appropriate time to transfer it to the attacker. A compromised FTP server belonging to a third party could be used as the external system to send the information to. These transfers will likely go unnoticed if compromised servers at legitimate sites are used to receive the stolen data, especially if they are sites often visited by the victim organization.

Solutions

There are many actions that can be taken to mitigate the security problems with the POS systems. An important solution would be to implement point-to-point encryption (P2PE) and Internet Protocol Security (IPSec). This will provide encryption at both ends and create a secure tunnel between the POE device and the data center.

P2PE

P2PE protects data at the point of capture, which is literally the first opportunity you have to protect it. P2PE encrypts the data as soon as possible and keeps it encrypted by default, end-to-end. The account data is encrypted at the point of capture (at the ATM, the gas pump POE, and the store clerk’s POE device) and is protected as it flows through the merchant’s IT systems and passes down the payment chain. The data remains in a protected (encrypted) state and is decrypted only where specific business processes require access to the original account data (Thales Esecurity, 2014). To defeat RAM scraping attacks, secure card readers (SCRs) exist and have been implemented in some environments enabling P2PE. These card readers encrypt the data at the time of swipe, and the credit card number remains encrypted throughout the process, even within memory and underneath network-level encryption (Symantec). PINs must be encrypted at the PIN pad terminal when debit cards are used. When provisioning terminals, a payment processor or sponsor must perform “key injection,” in which a unique encryption key is loaded directly into the device. With this scheme, the PIN remains encrypted at all times (Symantec).

IPSec

According to Burnett, “IPSec is a framework of open standards for ensuring private communications over IP networks” (Burnett, 2004). IPSec ensures confidentiality, integrity, and authenticity of data communications across a public IP network and is based on standards developed by the Internet Engineering Task Force (IETF) (Burnett, 2004). IPSec is a standards-based, flexible solution for deploying a network-wide security policy. IPSec implements network layer encryption and authentication, providing an end-to-end security solution in the network architecture (Burnett, 2004). IPSec packets look like ordinary IP packets and can be easily routed through any IP network, such as the Internet, without any changes to the intermediate networking equipment. The only devices that know about the encryption are the endpoints (Burnett, 2004). A contract will be put in place between the internal communications at the XYZ Gas Station POE devices and the external bank networks to use IPSec together to create a secure tunnel. Both sessions (XYZ Gas Stations and banking) will be encrypted end-to-end. This will secure the information transferred between XYZ Gas Stations and the banking network.

Credit Card Processing

Credit card payment processing takes place in two phases: authorization (getting approval for the transaction, which is stored with the order) and settlement/capture (processing the sale, which transfers the funds from the issuing bank to the merchant's account). When the card is swiped at the point of entry device at the gas station, the information goes to Interstate Processing (ISP), where it is held, and then travels to the mainframe (data center) and to the bank, which checks whether the cardholder has enough funds. After that, it comes back and reports to the merchant that the cardholder has sufficient funds.

According to Burnett, in the authorization process, when an order is processed from a cardholder, the merchant attempts to authorize the transaction by initiating a two-way message exchange between the merchant and the payment gateway (Burnett, 2004). First, an authorization request is sent from the merchant to the payment gateway. The merchant software generates and digitally signs an authorization request, which includes the amount to be authorized, the transaction identifier from the order information, and other information about the transaction. This information is then digitally enveloped using the payment gateway’s public key. The authorization request and the cardholder payment information are transmitted to the payment gateway (Burnett, 2004). The next step of the authorization process is the authorization response, which the merchant receives from the payment gateway. When the authorization request is received, the payment gateway decrypts and verifies the contents of the message. If everything is valid, the payment gateway generates an authorization response message, which is then digitally enveloped with the merchant’s public key and transmitted back to the merchant (Burnett, 2004). Upon receipt of the authorization response message from the payment gateway, the merchant decrypts the digital envelope and verifies the data within. If the purchase is authorized, the merchant then completes processing of the cardholder’s order by performing the services indicated in the order, such as issuing products, gas, or money (Burnett, 2004).

After authorization is complete, settlement/payment capture takes place. When the order-processing portion is completed with the cardholder, the merchant requests payment from the payment gateway. Payment capture/settlement is accomplished by the exchange of a capture request and a capture response. In the capture request, the merchant software generates the capture request, which includes the final amount of the transaction, the transaction identifier, and other information about the transaction. This message is then digitally enveloped using the payment gateway’s public key and transmitted to the payment gateway (Burnett, 2004). The second portion of settlement/capture is the capture response. The capture request is received by the payment gateway and its contents verified. The capture response includes information pertaining to the payment for the requested transaction. This response is then digitally enveloped using the merchant’s public key and transmitted back to the merchant. Upon receipt of the capture response from the payment gateway, the merchant software decrypts the digital envelope, verifying the signature and message data (Burnett, 2004).
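The authorization and capture exchange described above (sign the message, then digitally envelope it with the recipient's public key; unwrap, decrypt and verify on receipt) is shown below in Go as an added example; it is not Burnett's code nor that of any payment gateway. The message formats, the choice of ECDSA P-256 for signatures and RSA-OAEP plus AES-256-GCM for the envelope, and the keys generated on the spot are all assumptions made for the demonstration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// Envelope: the signed message under a one-time AES-256-GCM key, plus that
// key wrapped with the recipient's RSA-OAEP public key.
type Envelope struct{ WrappedKey, Nonce, Ciphertext []byte }

// Signed pairs a message with the sender's ECDSA signature over SHA-256(msg).
type Signed struct{ Message, Signature []byte }

// Party is the merchant or the payment gateway. Keys are generated here for
// the demo; a real deployment provisions them and exchanges certificates.
type Party struct {
	sign *ecdsa.PrivateKey
	env  *rsa.PrivateKey
}

func NewParty() (*Party, error) {
	s, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	e, err := rsa.GenerateKey(rand.Reader, 2048)
	return &Party{sign: s, env: e}, err
}

// Seal signs msg, then envelopes it so only the recipient's RSA key opens it.
func (p *Party) Seal(msg []byte, to *Party) (*Envelope, error) {
	h := sha256.Sum256(msg)
	sig, err := ecdsa.SignASN1(rand.Reader, p.sign, h[:])
	if err != nil {
		return nil, err
	}
	plain, _ := json.Marshal(Signed{Message: msg, Signature: sig})
	key, nonce := make([]byte, 32), make([]byte, 12) // one-time AES key, GCM nonce
	rand.Read(key)
	rand.Read(nonce)
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, &to.env.PublicKey, key, nil)
	return &Envelope{wrapped, nonce, gcm.Seal(nil, nonce, plain, nil)}, err
}

// Open unwraps the key, decrypts, and verifies the sender's signature; a wrong
// recipient key, a modified ciphertext or a forged message all fail here.
func (p *Party) Open(e *Envelope, from *Party) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, p.env, e.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	plain, err := gcm.Open(nil, e.Nonce, e.Ciphertext, nil)
	if err != nil {
		return nil, err
	}
	var s Signed
	if err := json.Unmarshal(plain, &s); err != nil {
		return nil, err
	}
	h := sha256.Sum256(s.Message)
	if !ecdsa.VerifyASN1(&from.sign.PublicKey, h[:], s.Signature) {
		return nil, errors.New("signature did not verify")
	}
	return s.Message, nil
}

// AuthorizeAndCapture runs the two phases from the text, each message enveloped
// for its recipient, and returns what each receiving side recovered.
func AuthorizeAndCapture(merchant, gateway *Party, txn string, cents int) ([]string, error) {
	steps := []string{
		fmt.Sprintf(`{"type":"auth_request","txn":%q,"amount":%d}`, txn, cents),
		fmt.Sprintf(`{"type":"auth_response","txn":%q,"approved":true}`, txn),
		fmt.Sprintf(`{"type":"capture_request","txn":%q,"amount":%d}`, txn, cents),
		fmt.Sprintf(`{"type":"capture_response","txn":%q,"settled":true}`, txn),
	}
	parties := [2]*Party{merchant, gateway} // requests go merchant->gateway, responses back
	var seen []string
	for i, body := range steps {
		from, to := parties[i%2], parties[1-i%2]
		e, err := from.Seal([]byte(body), to)
		if err != nil {
			return seen, err
		}
		got, err := to.Open(e, from)
		if err != nil {
			return seen, err
		}
		seen = append(seen, string(got))
	}
	return seen, nil
}
```

The ordering is the point: the sender signs before enveloping, so the gateway can attribute an authorization or capture request to the merchant, and each recipient refuses anything whose wrapped key, ciphertext or signature fails to verify, which is what makes an altered request detectable.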
Biometrics

A solution to prevent PINs from being stolen in skimming attacks would be to implement a two-factor authentication system involving biometric (fingerprint) authentication with the credit/debit card, instead of using a PIN. Biometrics add security over a PIN. Biometrics use your physical characteristics to verify your identity. The most well-known biometric is the fingerprint. Everyone has a unique fingerprint, even an identical twin. The machine can determine from a fingerprint reading whether the appropriate person is requesting an operation. Some of these machines can even tell whether the finger is attached to a living body (Burnett, 2004).

The various biometric recognition mechanisms operate in enrollment and verification modes. In the enrollment process, the user’s biological feature (physical characteristic or personal trait) is acquired by the administrator using a sensor, which typically resides at the front end of the biometric authentication mechanism. This stored characteristic, commonly known as a template, is usually placed in a back-end database for later retrieval. After the users are enrolled, their biometrics are used to verify their identity. To authenticate someone, his or her biological feature is acquired from the sensor and converted to a digital representation called a live scan. The live scan is then compared to the stored biometric template. Typically the live scan does not exactly match the user’s stored template. Because biometric readings almost always contain variations, these systems cannot require an exact match between the enrollment template and a current pattern. Instead, the current pattern is considered valid if it falls within a certain statistical range of values. A comparison algorithm is used to determine whether the user being verified is the same user that was enrolled. The comparison algorithm yields a result that indicates how close the live scan is to the stored template. If the result falls into an “acceptable” range, an affirmative response is given; if it falls into an “unacceptable” range, a negative response is given. The definition of acceptable levels is determined by the administrator.
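The enrollment and verification comparison described above, as an added example in Go that is not from Burnett or any biometric vendor: the template and the live scan are modelled as lists of fingerprint minutiae, the comparison algorithm returns a similarity score instead of an exact-match verdict, and the administrator-chosen threshold decides acceptance. The minutiae values, the tolerances and the threshold are constructed for the demonstration.

```go
package main

import (
	"fmt"
	"math"
)

// Minutia is one fingerprint feature point: position in pixels and ridge
// direction in degrees. A real extractor produces dozens per finger.
type Minutia struct{ X, Y, Angle float64 }

// withinTolerance reports whether a live minutia lies within the spatial and
// angular tolerance of a template minutia; exact equality is never expected.
func withinTolerance(a, b Minutia, distTol, angleTol float64) bool {
	d := math.Hypot(a.X-b.X, a.Y-b.Y)
	da := math.Abs(a.Angle - b.Angle)
	if da > 180 { // angles wrap around, so 350 and 5 degrees are 15 apart
		da = 360 - da
	}
	return d <= distTol && da <= angleTol
}

// MatchScore is the comparison algorithm from the text: the fraction of
// enrolled template points that find a counterpart in the live scan. Each
// live point may be claimed once so duplicates cannot inflate the score.
func MatchScore(template, live []Minutia, distTol, angleTol float64) float64 {
	if len(template) == 0 {
		return 0
	}
	used := make([]bool, len(live))
	matched := 0
	for _, t := range template {
		for i, l := range live {
			if !used[i] && withinTolerance(t, l, distTol, angleTol) {
				used[i] = true
				matched++
				break
			}
		}
	}
	return float64(matched) / float64(len(template))
}

// Verify applies the administrator-chosen acceptance threshold and returns the
// score alongside the decision so the operator can see how close a call it was.
func Verify(template, live []Minutia, threshold float64) (float64, bool) {
	score := MatchScore(template, live, 8.0, 15.0) // constructed tolerances
	return score, score >= threshold
}

// Constructed enrollment template and live scans (not real biometric data).
var enrolled = []Minutia{{10, 20, 30}, {40, 25, 100}, {60, 70, 200}, {15, 80, 350}, {90, 90, 45}}

// Same finger re-scanned: every point jittered by a few pixels and degrees.
var liveSameFinger = []Minutia{{12, 18, 35}, {43, 27, 95}, {58, 73, 205}, {17, 77, 5}, {88, 92, 40}}

// A different finger: only one point happens to fall inside tolerance.
var liveOtherFinger = []Minutia{{11, 21, 28}, {70, 10, 180}, {30, 60, 90}, {80, 30, 270}, {50, 95, 120}}

func main() {
	for _, live := range [][]Minutia{liveSameFinger, liveOtherFinger} {
		score, ok := Verify(enrolled, live, 0.8)
		fmt.Printf("score=%.2f accepted=%v\n", score, ok)
	}
}
```

The threshold is where the false-accept and false-reject trade-off lives: lowering it lets a different finger through more often, raising it turns legitimate customers away at the pump, so it should be set from scores measured on the deployed sensor rather than guessed.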
Anti-Skimming and PED

Another layer of security will be to upgrade the PEDs (PIN-entry devices) to an encrypted Toshiba device. Since these devices can be tampered with, we will install security cameras for extra protection. The cameras will help prevent skimming by protecting the customers’ transactions. The camera footage will be reviewed regularly and kept for at least 90 days. The use of secure stands, tethers, alarms or security cables is an acceptable practice to keep the PEDs safe. Something secure, such as conduit, should be used for the wiring. We must also check our POS environment for any hidden cameras or other recording devices. We can also put up bulletins to educate customers on tips to avoid skimming attacks, such as pressing all keys after keying in a PIN or not allowing anyone to see their PIN from behind (at any locations which still use PINs). We would also recommend that customers use a credit card instead of a debit card because of the unprotected nature of debit cards. It is recommended that the merchant continually track and monitor all POS terminals that accept VISA cards. This would include routinely examining the terminals for missing or altered seals, screws, extraneous wiring, holes in the device, or the addition of labels or other decals (Visa, 2010). Merchants should only use PCI-compliant devices. The staff will be trained in POS equipment tampering prevention by being shown how to spot it. Policies and procedures will be put in place so that only authorized personnel are allowed to access the PEDs. Employment screening will be implemented so that new employees receive background checks (Visa, 2010).
EMV

Another added security measure will be the adoption of Europay, Mastercard, and Visa (EMV) smart cards. Due to the high cost, EMV has been adopted very slowly. I would recommend we transition to this system (commonly known as a smartcard, or “chip-and-pin” card), whose cards contain embedded microprocessors that provide strong transaction security features. EMV never transmits the credit card data in clear text, mitigating many common POS attacks. The cards are difficult to clone, so attackers are less attracted to them (Symantec).

Operating Systems and Software Security

We will transfer all POS systems from Windows to Linux operating systems. For the systems still using Windows, all operating systems must be kept up to date, with all patches and hot-fixes applied in a timely manner to help prevent hacking. Some other considerations will be to install and maintain a firewall to facilitate network segmentation, change default system passwords and other security parameters, use regularly updated security software, use an intrusion protection system (IPS) at critical points and at the perimeter of the network, use file integrity monitoring software, and encrypt all PIN and PAN information (Symantec). Additionally, we should test security systems, perform pen-testing, implement a vulnerability management program, maintain security policies, and implement regular training for all personnel. Implementing anti-virus and anti-malware software with the latest updates would be optimal to prevent the malware attacks prevalent on POS systems. A last precaution would be for the information security team to be aware of attackers using our commonly used vendors against us by stealing their credentials and pretending to be them. We must expect this sort of attack because of all of the latest security breaches at major retailers (Target, Home Depot, etc.) that have been discussed in recent headlines.

Conclusion

There are many security issues with the POS systems at XYZ gas stations, such as unencrypted networks and vulnerable operating systems, which could lead to theft of credit card information through skimmers and malware attacks by hackers. Solutions to these issues are possible through implementation of P2PE and IPSec, biometrics, physical security of PEDs, EMV cards, Linux operating systems, security policies with best practices, and training for merchants and employees on POS systems. XYZ gas stations should eliminate most of their POS system issues once these safeguards are put in place.

References

Acohido, B. (2012, November 6). Data thieves target debit cards, PINs at point of sale. Retrieved from http://www.usatoday.com/story/tech/personal/2012/11/05/debit-card--numbers-pins-stolen-at-pos-terminals/1675795/

Burnett, S., Paine, S., & RSA Security. (2004). RSA Security's official guide to cryptography. New York: Osborne/McGraw-Hill.

Fenlon, W. (n.d.). HowStuffWorks "How does ATM skimming work?". Retrieved from http://money.howstuffworks.com/atm-skimming3.htm; see also http://www.bankrate.com/finance/savings/4-tips-to-protect-you-from-atm-thieves-1.aspx

Krebs on Security. (2011, May). Point-of-sale skimmers robbed at the register. Retrieved from krebsonsecurity.com/2011/05/point-of-sale-skimmers-robbed-at-the-register/

Point of Sale News. (2014). Five Ways to Protect Point of Sale Stations and Networks From Cybercrime | On Managing | Learn. Retrieved from http://pointofsale.com/On-Managing/Five-Ways-to-Protect-Point-of-Sale-Stations-and-Networks-From-Cybercrime.html

Symantec. (n.d.). Attacks on Point of Sale. Retrieved from http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/attacks_on_point_of_sale_systems.pdf

Thales Esecurity. (2014). Point-to-Point Encryption: Challenges, Risks, and Solutions. Retrieved from https://www.thales-esecurity.com/solutions/by-technology-focus/point-to-point-encryption

VISA. (2010). Point-of-sale terminal tampering is a crime... Retrieved from http://usa.visa.com/download/merchants/alert-pos-terminal-tampering-020311.pdf