Recent Payment Card Industry Hacks
Techniques used; & possible Defense

Muhammad Faisal Naqvi
CISSP, CISA, ISO27K LA & MI, ISO20K I, AMBCI
ACMA inter, MS E-Commerce (Gold)
Agenda
• MOM Analysis (Motives, Opportunities & Means)
   • International Incidents
   • Regional Incidents
• Statistics about Payment Card Industry Hacks
   • Who are the Culprits?
   • What are the Motives?
   • What are the Means?
   • Which Assets are under Attack?
• What could be Possible Defense?
International Incidents
Banking data stolen from Millions
• News Date: 04 April 2012
• Country: UK
• Means: Trojans, e.g. Zeus & SpyEye, to collect personal details
• Opportunity: Social Engineering
• Motive: Fun, curiosity, or pride ($3,800 in 20 Months)
• Source: www.theregister.co.uk
Attack on one-time-passwords on mobile
• News Date: 15 March 2012
• Country: USA
• Means:
  1. Used Gozi Trojan to steal IMEI # of Account Holder
  2. Report about lost/stolen device & new SIM request
  3. All one-time-passwords will come on new SIM
• Opportunity: Partner's weak processes
• Source: www.computerworld.com
Millions of customers of famous Bank at risk of NFC attack
• News Date: 23 March 2012
• Country: UK
• Means: Contactless readers in mobile phones to extract card data even through wallets or bags
• Opportunity:
   • Excessive card details
   • Weak merchant process
• Motive: Online Shopping
• Source: www.channel4.com
Gang of 50 steals at least $7 million
• News Date: 11 May 2012
• Country: Canada
• Means: Installing Skimmers on stolen POS Machines in < 1 Hr.
• Opportunity:
   • Physical Security
   • Lack of Monitoring
• Motive: $7 million
• Source: www.wired.com
111 Arrested In Identity Theft Probe
• News Date: 10 October 2011
• Country: USA
• Means: bank tellers, retail workers, waiters
• Opportunity: Weak processes
• Motive: $13m in 16 Months
• Source: www.bbc.co.uk

[Image: Thermal image showing the sequence of keys pressed]
Hackers Skim Customers' Credit Cards via Self-Checkout
• News Date: 7 December 2011
• Country: USA
• Means: Skimmers
• Opportunity: Physical Security
• Motive: Financial gain
• Source: news.cnet.com
Gang Used 3D Printers for Skimmers
• News Date: 20 September 2011
• Country: USA
• Means: 3D Printed Skimmers
• Opportunity: Physical Security
• Motive: $400,000
• Source: krebsonsecurity.com
Adult web site breached: 40,000 Cards' data
• News Date: 12 March 2012
• Country: USA
• Means: Server Hack
• Opportunity: ?
• Motive: 40,000 CC numbers, expiry dates, security codes along with user IDs, email addresses, passwords.
• Source: www.scmagazine.com
More than 10 million cards may have been compromised
• News Date: 30 March 2012
• Country: USA
• Means: Servers Hacked
• Opportunity: ?
• Motive: Track 2 data (card's primary account number, expiration date, service code, PIN and CVV number)
• Source: www.bbc.com
Gang stole $13 million in a day
• News Date: 26 August 2011
• Country: USA, Greece, Russia, Spain, Sweden, Ukraine, UK
• Means: Remote Access to prepaid cards database

  update cards set bal = 10000 where ccno=12345678910

• Opportunity: Stolen credentials
• Motive: $13 million
• Source: www.msnbc.msn.com
Simple URL manipulation affected over 360,000 cards & $2.7M
• News Date: 27 June 2011
• Country: USA
• Means: script
• Opportunity: Insecure Direct Object References
  https://www.onlinebank.com/user?acct=6065
• Motive: $2.7M
• Source: www.informationweek.com
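The flaw named on this slide, Insecure Direct Object Reference, is a missing authorisation check rather than a missing authentication check: the user is logged in, but the server trusts the `acct` value in the URL to pick the record. The example below is added here and is not from the slides or the bank involved; the account table, user names, the `view_account_*` handlers and the `outcome` helper are all constructed for illustration, mirroring the slide's `https://www.onlinebank.com/user?acct=6065` URL. It puts the vulnerable lookup beside the hardened one and shows why the hardened handler answers "missing" and "not yours" identically.

```python
"""
IDOR on an account lookup, beside the fix (added example, not from the slides).
All data below is constructed: ACCOUNTS, the user names and the `acct` values.
"""
from urllib.parse import urlparse, parse_qs

# Constructed sample data: account number -> owner and balance
ACCOUNTS = {
    "6065": {"owner": "alice", "balance": 1200.00},
    "6066": {"owner": "bob",   "balance": 350.50},
}


class AccessDenied(Exception):
    """Raised when the authenticated user does not own the requested object."""


def account_id_from_url(url: str) -> str:
    """Extract the `acct` query parameter from a request URL."""
    params = parse_qs(urlparse(url).query)
    return params.get("acct", [""])[0]


def view_account_vulnerable(session_user: str, url: str) -> dict:
    """Vulnerable pattern (the slide's flaw): the client-supplied identifier
    is used directly as the database key. Any logged-in user who changes
    `acct` in the URL receives another customer's record."""
    acct = account_id_from_url(url)
    return ACCOUNTS[acct]          # no ownership check at all


def view_account_fixed(session_user: str, url: str) -> dict:
    """Hardened pattern: resolve the object, then verify the authenticated
    principal is authorised for that specific object. A non-existent account
    and someone else's account get the same response, so the endpoint does
    not double as an oracle for which account numbers exist."""
    acct = account_id_from_url(url)
    record = ACCOUNTS.get(acct)
    if record is None or record["owner"] != session_user:
        raise AccessDenied(f"user {session_user!r} may not read acct {acct!r}")
    return record


def outcome(handler, session_user: str, acct: str) -> str:
    """Classify what a handler does for one (user, acct) pair:
    'ok', 'denied' or 'missing'."""
    try:
        handler(session_user, f"https://www.onlinebank.com/user?acct={acct}")
        return "ok"
    except AccessDenied:
        return "denied"
    except KeyError:
        return "missing"


def accessible_ids(session_user: str, candidate_ids, handler) -> list:
    """Which of the candidate identifiers does the handler return to this
    user? Comparing the two handlers on the same range makes the defect
    visible; on the detection side, one session touching many distinct
    `acct` values in sequence is the access-log signature to alert on."""
    return [a for a in candidate_ids if outcome(handler, session_user, a) == "ok"]


if __name__ == "__main__":
    ids = ["6065", "6066", "6067"]
    print("vulnerable handler returns:", accessible_ids("alice", ids, view_account_vulnerable))
    print("fixed handler returns:     ", accessible_ids("alice", ids, view_account_fixed))
```

The fix is deliberately placed in the handler rather than in the URL scheme: making identifiers unguessable (random tokens instead of sequential numbers) slows enumeration but is not authorisation, and the ownership check must still run on every object access.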
Regional Incidents
Saudi (claimed) Hackers Expose 15,000 Israelis' Credit Cards
• News Date: 01 January 2012
• Country: Israel
• Means: Sports Web Site
• Opportunity: ?
• Motive: Hacktivism
• Source: www.israelnationalnews.com
• Hacker died just 2 days after getting a Govt. job
• Source: www.emirates247.com
Two hospital employees arrested on credit card fraud charges
• News Date: 10 April 2012
• Country: UAE
• Means: Online Shopping
• Opportunity: Visible Credit Card Information
• Motive: Dh9,300
• Source: gulfnews.com
Police arrest suspect for credit card forgery
• News Date: 26 April 2011
• Country: UAE
• Means: Expired cards, card copier, card data from web
• Opportunity:
• Motive: Financial
• Source: gulfnews.com
Statistics about Payment Card Industry Hacks
Source: 2012 Data Breach Investigation Report
Culprits
[Chart] Source: 2012 Data Breach Investigation Report
External Culprits
[Chart] Source: 2012 Data Breach Investigation Report
Internal Culprits
[Chart] Source: 2012 Data Breach Investigation Report
Motives
[Chart] Source: 2012 Data Breach Investigation Report
Means
[Chart] Source: 2012 Data Breach Investigation Report
Assets
[Chart] Source: 2012 Data Breach Investigation Report
Hacks                        Possible Defense
• Social engineering         • Automated social pen testing
• Fake Online Transactions   • Balance between Business & Security
• POS Skimming               • Disconnection logs; bar-coded tamper-evident seals
• ATM Skimming               • Anti-skimming solutions
• Servers/Applications/DBs   • Information Security, Pen testing & Audits
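"Disconnection logs" as a defence against POS skimming rests on a simple observation from the Canadian incident earlier in the deck: swapping or tampering with a terminal means unplugging it, and a terminal that drops off the network for tens of minutes, or at 2 a.m., is worth a visit before the next shift. The example below is added here and is not from the slides; the log format (ISO timestamp, terminal id, event), the sample lines, the trading hours and the 10-minute tolerance are all constructed assumptions a merchant would tune to their own estate.

```python
"""
Detection over POS terminal connectivity logs (added example, not from the slides).
The log format, sample lines and thresholds are constructed for illustration.
"""
from datetime import datetime, time, timedelta

# Constructed sample log: one line per terminal connectivity event.
SAMPLE_LOG = """\
2012-05-11T09:02:11 POS-003 DISCONNECT
2012-05-11T09:02:30 POS-003 RECONNECT
2012-05-11T02:14:05 POS-017 DISCONNECT
2012-05-11T02:51:40 POS-017 RECONNECT
2012-05-11T13:20:00 POS-009 DISCONNECT
2012-05-11T14:45:12 POS-009 RECONNECT
2012-05-11T16:00:00 POS-021 DISCONNECT
"""

OPEN, CLOSE = time(8, 0), time(22, 0)   # assumed trading hours
MAX_OUTAGE = timedelta(minutes=10)      # assumed tolerable reboot/cabling gap


def parse_log(text: str) -> list:
    """Parse '<ISO timestamp> <terminal> <DISCONNECT|RECONNECT>' lines into
    (datetime, terminal, event) tuples, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, terminal, event = line.split()
        events.append((datetime.fromisoformat(ts), terminal, event))
    events.sort()
    return events


def outside_hours(ts: datetime) -> bool:
    """True when the timestamp falls outside the assumed trading window."""
    return not (OPEN <= ts.time() <= CLOSE)


def find_suspicious_outages(events: list) -> list:
    """Pair each DISCONNECT with the next RECONNECT for the same terminal and
    raise an alert when the gap is longer than MAX_OUTAGE, when either end
    falls outside trading hours, or when the terminal never reconnects."""
    open_since = {}   # terminal -> time it went offline
    alerts = []
    for ts, term, ev in events:
        if ev == "DISCONNECT":
            open_since[term] = ts
        elif ev == "RECONNECT" and term in open_since:
            start = open_since.pop(term)
            gap = ts - start
            reasons = []
            if gap > MAX_OUTAGE:
                reasons.append(f"offline {gap}")
            if outside_hours(start) or outside_hours(ts):
                reasons.append("outside trading hours")
            if reasons:
                alerts.append({"terminal": term, "start": start, "end": ts, "reasons": reasons})
    # Anything still offline at the end of the log is an open case, not noise.
    for term, start in open_since.items():
        alerts.append({"terminal": term, "start": start, "end": None,
                       "reasons": [f"still offline since {start.isoformat()}"]})
    return sorted(alerts, key=lambda a: a["start"])


if __name__ == "__main__":
    for alert in find_suspicious_outages(parse_log(SAMPLE_LOG)):
        print(alert["terminal"], alert["start"], alert["end"], "; ".join(alert["reasons"]))
```

The short 19-second blip on POS-003 during opening hours is left alone on purpose: a detector that pages on every cable wiggle is switched off within a week. The alerts that remain are the ones the bar-coded tamper-evident seals in the same table are meant to confirm or clear at the counter.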
Questions
faisal.naqvi@msn.com
http://ae.linkedin.com/in/mfaisalnaqvi
Thank You
