This is the POS Vulnerability Rank Calculator from my book - Hacking Point of Sale - which is located in Appendix A. Thanks Wiley for creating this presentation and making it available for everyone. Using this questionnaire, which consists of 20 questions, anyone can conduct a very brief security risk assessment of their point of sale system. The result of the assessment is a numeric score - "POS Vulnerability Rank" - in a range from 0 to 20, where 0 means the perfect system and 20 stands for the most unprotected POS environment. The rank can be interpreted according to the "Decoding the Results" table. Give it a try and and let me know about the results! |
0 Comments
Nothing changes as there is no need to change the mechanism that works. The same familiar scenario: An initial investigation revealed that someone, most likely outside the United States, remotely installed malware on the Big Rapids restaurant's server sometime during the past month. According to this study, more than 63% of businesses do not encrypt the account numbers of payment cards. Isn't it a true hacker heaven? During its 2014 study, PANscan scanned 145,144 gigs of data on 2,590 computers and found: The recording of the Hacking Point of Sale live webcast is now available at Tripwire website: HACKING POINT OF SALE: HOW MEGA RETAILERS ARE COMPROMISED I will be presenting at the live webcast organized by Tripwire. LIVE WEBCAST: HACKING POINT OF SALE: HOW MEGA RETAILERS ARE COMPROMISED Tuesday, July 15, 2014 – 11:00 AM Pacific / 2:00 PM Eastern REGISTER HERE The US payment industry is disconnected from the the rest of the world so any insight on different implementation abroad is always interesting and helpful. My book about payment security is going to be translated to Korean, so I guess they will be surprised to see some differences between the US and South Korean models such as lack of acquirers (payment processors have direct links to card issuers which eliminates the need to pass transactions through acquirers and payment brand networks, which means less complexity and lower fees for merchants). However, I guess security issues on store/POS level remain the same regardless the back end implementation. At least they have found a good practical use case for those merchants' PCI DLP tools. While researching POS RAM scraper malware, I came across an interesting sample: a RAR archive that contained a development version of a POS RAM Scraper malware and a cracked copy of Ground Labs’ Card Recon software. Card Recon is a commercial Data Leakage Prevention (DLP) product used by merchants for PCI compliance. It looks like the criminal gangs are using the RAM scrapers to dump memory, and (ironically) using DLP to find the cards. The PCI scanning tools such as Card Recon are not used by hackers directly to scan the RAM and search for the card numbers because they are slow. But they are good for validating and refining the results of the search and filtering out the false positives. The criminals need to check and validate the data they have stolen, which they then sell in the underground carder marketplace. Selling bad data will damage their reputation and might even have nastier repercussions than merely losing credibility. LevelUp implements an interesting idea of accumulating multiple transactions made by the same customer and processing them as a single transaction which saves merchants' money on average transaction processing fee. I think it has a potential of being accepted by mainstream because it provides merchants with good incentive (low 1.95% fee instead of traditional 3% and up). Those fees is very important and painful issue for merchants. However, I would check what they do with debit cards - debit fees are lower than credit, debit transactions require instant settlement (so technically you cannot accumulate them), and debit segment is growing comparing to credit. BTW, they are using basically the same mechanism (credit card + online account + scanner + barcode on mobile phone screen) as I proposed back in April 2009... Thank you for appreciating and implementing this idea! As a "side effect", this mechanism solves the credit card security problem because the customer's mobile phone and the merchant's point of sale are exchanging data using tokens rather than actual sensitive cardholder information which never touches the merchant's store systems or customer's mobile phone during transaction processing. Michaels card data breach, which was discovered back in January, also includes Aaron Brother stores. After weeks of analysis, we discovered evidence confirming that systems of Michaels stores in the United States and our subsidiary, Aaron Brothers, were attacked by criminals using highly sophisticated malware that had not been encountered previously by either of the security firms. The affected U.S. systems contained certain payment card information, such as payment card number and expiration date, about both Michaels and Aaron Brothers customers. There is information about security breach at Hess gas stations. A total of 16 Hess gas stations are involved, including one in Fort Myers. We're talking about the Hess gas station located on 15260 McGregor Boulevard off Iona Road. Skimming is a physical attack which is different from what's happened at Target. Special skimming devices, which are installed at the pump's MSR (magnetic stripe reader), read and accumulate the cardholder data, then send it to hackers through bluetooth or cell network. In many cases, debit pin numbers are also stolen using fake keyboards installed at pinpad or hidden video camera which is set up to monitor the pinpads' keyboard and record the keystrokes. |
Books
Recent Posts
Categories
All
Archives
January 2025
|