As rightly noted in this article, PCI data security standard promoted by major credit card brands are proven to be useless. However, there is an existing technology that could save Target and other breached retailers if they had implemented it. It's called P2PE (Point-to-point Encryption) and it's well known to payment security professionals. In fact, Target started implementing P2PE but they were too late...
1 Comment
Although the preview of the Hacking Point of Sale book is still not available on Amazon and other bookseller websites, the Contents at a Glance can be found here. What we know now for sure is that the Target breach was performed through the attack on point of sale machines using RAM scraping malware. Memory scraping technique is pretty simple. Usually, the RAM scraper selects and scans particular process that belongs to POS or/and payment application. The names of these processes are well known string constants. The card data is filtered out from the memory stream using special technique called regular expressions, or regex. I describe all this in detail in my forthcoming book Hacking Point of Sale. The book also contains code examples of RAM scraper as well as disk and network scanners. There are different and sometimes confusing messages regarding the specific malware used to steal card data from Target stores. Some of them name KAPTOXA as the malware responsible for the attack and reference iSIGHT Partners report. I haven't seen this report so I can't say KAPTOXA directly related to target breach. First time I heard and wrote about KAPTOXA back in May 2013. Interesting fact: the word "KAPTOXA" consist of letters which look the same in both Latin and Cyrillic alphabets, although some of them stand for sounds. If you read this word as Cyrillic letters, it is Russian slang word meaning “potato”. However, I would rather trust McAfee blog which states that the actual malware is “BlackPOS” which contains string "Rescator" which links it to Russian hackers. It is unclear at this moment whether there is any link between KAPTOXA and BlackPOS. I think integrating single mobile payment solution into multiple existing bank apps is interesting idea which has a future. On the one hand, we use mobile phones and we would like to use them as wallets for mobile payments, but we don't trust the mobile payments providers and don't like the eWallet apps. On the other hand, we already use bank apps and we (usually) trust the banks, but they fail to provide universal tool to process mobile payments. If we combine the two problems, there is a chance to get a viable solution. According to Reuters, Target's credit and debit card data was stolen using RAM scraper. I warned of the danger of RAM scrapers in my previous posts, and I dedicate a lot of attention to memory scraping in my forthcoming book about credit card fraud and payment application security - Hacking Point of Sale. Today, memory scraping is most effective way to steal sensitive cardholder information from point of sale machines, which works perfectly even if the software is PA-DSS validated and the merchant is PCI DSS compliant. It is unclear whether the Newman Marcus incident with stolen credit cards is related to recent series of attacks on US retailers including massive Target breach. Regardless of whether it's done by the same group or different individuals, new breach is not surprise per se, and it's definitely not the last one. Based on grim state of security in payment card industry (or more precisely - complete lack of security), we should expect more and more similar events in the near future. The are two companies working on producing the smart cards with biometric (fingerprint) sensor. Epic One plans to transform the existing magnetic stripe data card into a smart payment card with built-in second factor authentication using fingerprint sensor. The card will also generate the one time code instead of storing the original credit card's track data. The main benefit of Epic One card (besides its obvious security features, of course) is that its acceptance does not require any changes in existing merchant payment infrastructure. However, as always, there is a price of convenience. First, the Epic One cards are more expensive than regular EMV smart cards (not to mention magnetic stripe cards which cost just several cents to issuing banks). Second, the credit card issuers will have to modify their authorization systems (both hardware and software changes) in order to process the Epic One card transactions. And finally, the Epic One card cannot be accepted offline - when network connection between the merchant store and payment processor (or payment processor and acquirer, or acquirer and issuer) is down for any reason - because the card does not carry the actual credit card's PAN (Primary Account Number) information but instead generates a temporary time-sensitive token which must be sent in real time to the issuer for validation in order to authorize the purchase. Another company, SmartMetric, in addition to traditional EMV contact and contactless smart card with biometric authentication, plans to create offline bitcoin wallet on biometric smart card. The only missing piece is point of sale equipment (both hardware and software) that should be purchased, installed, and maintained by every merchant in order to accept such card and process the payment transaction through the bitcoin network. Both ideas are interesting but time will tell if biometric authentication is going to be an important part of next generation payment technology or just another fancy gadget for geeks. There were already failed attempts to introduce biometrics in retail payments industry. Maybe this time they will be successful after Apple introduced the iPhone 5S Touch ID into the mainstream. |
Books
![]() ![]() ![]() Recent Posts
Categories
All
Archives
October 2024
|