Retailers shot up by PoS scraping brute force cannon (interview in The Register)
I gave a brief interview to The Register about the role of PCI in recent retail card data breaches.
I'll be doing two one-hour book signings at Black Hat USA 2014 and DEF CON 22 conferences in Las Vegas:
Black Hat USA 2014:
August 6, 2014, 5:30 pm
Mandalay Bay Conference Center, Tripwire booth 141
(I'll be doing a short presentation before the book signing)
DEF CON 22:
August 8, 2014, 11:00 am
Rio Hotel & Casino, No Starch Press community table in Vendor Area
The recording of the Hacking Point of Sale live webcast is now available at Tripwire website:
HACKING POINT OF SALE: HOW MEGA RETAILERS ARE COMPROMISED
PF Chang's restaurants switch to manual credit card processing as a protection measure against ongoing card data breach
It turns out that the most effective way of card data breach prevention is... stop swiping the cards and take them manually, just like it was done 50 years ago! The old manual imprinting machine is still alive and very relevant, and can become an alternative to being PCI compliant and breached. Target would not have all those security problems if they switched to manual processing ahead of time. It saves electricity too!
Scottsdale, Ariz. (June 12, 2014) — On Tuesday, June 10, P.F. Chang's learned of a security compromise that involves credit and debit card data reportedly stolen from some of our restaurants. Immediately, we initiated an investigation with the United States Secret Service and a team of third-party forensics experts to understand the nature and scope of the incident, and while the investigation is still ongoing, we have concluded that data has been compromised.
PCI compliance tool - DLP card data scanner - is used by hackers to validate the stolen magnetic tracks
At least they have found a good practical use case for those merchants' PCI DLP tools.
While researching POS RAM scraper malware, I came across an interesting sample: a RAR archive that contained a development version of a POS RAM Scraper malware and a cracked copy of Ground Labs’ Card Recon software. Card Recon is a commercial Data Leakage Prevention (DLP) product used by merchants for PCI compliance. It looks like the criminal gangs are using the RAM scrapers to dump memory, and (ironically) using DLP to find the cards.
The PCI scanning tools such as Card Recon are not used by hackers directly to scan the RAM and search for the card numbers because they are slow. But they are good for validating and refining the results of the search and filtering out the false positives.
The criminals need to check and validate the data they have stolen, which they then sell in the underground carder marketplace. Selling bad data will damage their reputation and might even have nastier repercussions than merely losing credibility.
It was unexpected to see the Target's REDcard in the list of emerging technologies, just next to the systems such as Bitcoin. What is so alternative in decoupoed debit card, and why other similar decoupled debit cards are not listed, for example, Nordstrom Debit? It looks like this ad belongs to Target reputation rehabilitation PR campaign:
The PIN-protected card was not affected by the data breach Target announced in 2013.
This statement is alarming and requiring validation. The PIN numbers apparently were not disclosed during the breach, but online purchases do not require PIN.
Target will switch their proprietary credit and debit RED cards to MasterCard chip-and-PIN
Beginning in early 2015, the entire REDcard portfolio, including all Target-branded credit and debit cards, will be enabled with MasterCard’s chip-and-PIN solution. Existing co-branded cards will be reissued as MasterCard co-branded chip-and-PIN cards. Ultimately, through this initiative, all of Target’s REDcard products will be chip-and-PIN secured.
Fallacy of Tokenization
This article in The New York Times blog is another example of fallacy of tokenization.
That is a gap that tokenization is meant to fill. The technology works behind the scenes of a digital transaction: Customers still put in their card number, but software then transforms that information into a one-time token — a randomly generated code — that is sent through the payment-processing chain. Thieves who intercept the code can do little with it without the means to unscramble the token.
This description is untrue. Tokenization does not work this way. In order to get authorization for the credit card charge, the point of sale system still needs to send the full card data (the content of magnetic track 1 or 2) to the payment processing server. Such data cannot be just "transformed into a one-time randomly generated token" because the server system must be able to recognize and process it. So the card data should be encrypted using another technology called point-to-point encryption (P2PE) which is different from tokenization. Only after the card data is decrypted and processed at the payment processor's data center, it can be tokenized using the method described above, and the resulting token can be returned to the point of sale system. There are P2PE systems that are able to produce the format-preserving encryption so the resulting encrypted data looks similar to the original input so maybe that's created a confusion. But in any case, the data produced by such system is not "randomly generated", and it's not a token, and it's done in hardware rather than software, and the system is called P2PE and not tokenization. Unfortunately, such misunderstanding and overestimation of tokenization is very common perception.
This essay was previously published by VentureBeat on March 26, 2014
Trustmark National Bank and Green Bank, N.A. filed a class action lawsuit on March 24 against Target and Trustwave, which is Target’s quality security assessor (QSA), over the recent card data breach. Trustwave is a big security firm, and QSA (Qualified Security Assessor) is one of its main lines of business.
But the lawsuit contains some questionable interpretations of the Payment Card Industry Data Security Standard (PCI DSS).
The lawsuit claims:
“Under PCI DSS, merchants like Target are required to encrypt customer names, payment card numbers, expiration dates, CVV codes (Card Verification Value codes), and PIN numbers (“Track Data”).”
This is wrong. PCI DSS requires encryption only for sensitive cardholder data stored on hard drives or transmitted over public networks (like the Internet). Data in computer memory and data on local networks can remain unencrypted, which is allowed by PCI DSS, and such an environment would be still PCI compliant.
The lawsuit also states, “The fact that the three-digit CVV security codes were compromised shows they were being stored.”
This is wrong for the same reason. The fact that CVV codes were compromised does not mean they were being stored. They could be stolen either from memory using RAM scraping techniques or from the local network using network sniffers (there are many other methods, but those two are the most common). And as I said before, PCI DSS does not require encryption of sensitive cardholder data (including CVV) in memory or on a local network. Those are only two short statements from the large lawsuit, but they show that even if the merchant (Target in this case, but it can be anyone else) is PCI compliant, it is not safe from a security breach.
In addition, or maybe even instead of PCI DSS measures, merchants and their payment processors should implement special security technologies such as P2PE (point-to-point encryption), which protects the sensitive cardholder data from the moment it enters the card reader and makes it virtually inaccessible to hackers.
One thing to keep in mind here is that this lawsuit could set a precedent (if Trustwave is found liable), where the PCI security auditor is responsible for card data breaches even when the company they are auditing is fully in compliance with the PCI DSS.