Debit and credit card transactions are part of our daily lives. Very few people use cash nowadays as it is way more convenient to use a payment card for a purchase. Most of these transactions are performed through a standalone Point-of-Sale (POS) device, an Electronic Cash Registry (ECR) or through a Virtual Terminal (VT).
Even though there is a number of different ways for completing a transaction, there are specific rules and standards to be followed in order to ensure the security of these transactions. All certified POS devices, ECRs, and VT applications, make use of strong encryption and secure communication channels, according to the standards being enforced to comply with. It is not possible for these systems to connect to the authorisation servers and perform transactions safely otherwise. More specifically, the Payment Card Industry Data Security Standard (PCI DSS) describes the security requirements mandated by the card schemes (Europay, MasterCard, VISA, etc.)*, that ensure the security of cardholder data, and the security of the systems in-scope, in order to reduce the risk of fraud.
On the other hand, in 2014 we saw the evolution of POS-affecting malware, where some large/global organizations like Target, Home Depot, and UPS were targeted by “BlackPOS”, “FrameworkPOS”, and “Backoff” respectively, (or the most recent example of “NitlovePOS”) ending up in millions of card details being stolen, and millions of customers being affected by financial fraud and identity theft. Cyber-criminals and fraudsters developed malware and were able to exploit security weaknesses, specifically targeting card holder data.
The purpose of this talk is to familiarise the audience with the Payment Card Industry and shed light upon the way these transactions are conducted. Instead of treating the Payment Card Industry as a black box, participants are given the opportunity to be provided with some insights on how these transactions are performed, why “offline” transactions are accepted, what are the different types of transactions supported, and in general what is actually happening behind the scenes during a purchase.
The research undertaken focused on the features of POS devices themselves by investigating the way they communicate with the ECR, and how transactions are completed when using a VT application. Looking at all these components and processes from a different perspective (a bit closer), it was possible to come up with a number of observations regarding the functionality and features of these systems. Keep in mind that there is a large number of different POS devices in the market and different OS vendors to mix and choose from. Most importantly, due to the fact that it is not easy for everyone to get their hands on these devices, along with the applications developed for handling transactions while connected to a real back-end system, it is extremely difficult to assess and discover how they behave under different circumstances.
As with all systems, the aforementioned do come with a number of features. These features, in most cases, are provided as standard functionality in POS devices, while it is possible for these to be misused. Taking this a step further, the main focus of the presentation is on a Threat Modelling engagement undertaken against Virtual Terminals. This will highlight security issues which surface when vendors do not build software with security in mind, even though the end product complies with all the enforced standards. More specifically, I will demonstrate the major difference between last year’s POS malware targeting Card Holder Data (CHD), and a different approach which targets the money-handling process directly.
In other words, I will present how I could have ended up with billions in my account without having to steal a single card number, but mostly by interlinking a number of security issues and logic flaws that allow me to take advantage of the system(s).
If you want to learn more and join Dr. Grigorios Fragkos at his Security BSides London 2015 talk in a presentation that is not going to be filmed or recorded due to the sensitive information it contains, you may follow Grigorios on twitter where he will be sharing more about the presentation and any future work. Follow: @drgfragkos
*The PCI DSS is administered by the PCI Security Standards Council
About the Author: Dr. Grigorios Fragkos at Sysnet Global Solutions, is a Senior Information Security Consultant and Penetration Tester. BSc, MSc, PhD, AST, QSTM, KEPYES CyberDefense Adding to Information Security with new ideas and problem solving is what excites me and drives me passionately. Thinking ahead and contributing to science by taking existing systems, challenging projects and research to the next level, is my daily focus. I love to get hands-on with R&D; especially when it requires safeguarding critical systems utilizing penetration testing, social engineering, vulnerability assessment and handling incident response. My research interests include most aspects of Computer Security and Digital Forensics, with an emphasis on intrusion detection and prevention through automated threat assessment in (near) real-time. Thinking outside the box is my moto and I am always looking forward for the next challenge.
Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.