Hacking Point of Sale: Payment Application Secrets, Threats, and Solutions
A book by Slava Gomzin
Published: John Wiley & Sons
312 pages
February 2014
Paperback, eBook
ISBN: 978-1-118-81011-8
Full Table of Contents

Introduction  xxiii

Part I: Anatomy of Payment Application Vulnerabilities  1

Chapter 1: Processing Payment Transactions  3
  Payment Cards  3
  Card Entry Methods  5
  MSR  5
  Pinpad  6
  Key Players  6
  Consumer (Cardholder)  7
  Merchant  7
  Acquirer  7
  Issuer  7
  Card Brands  8
  More Players  8
  Payment Processor  8
  Payment Gateway  9
  Even More Players  11
  Payment Software Vendors  11
  Hardware Manufacturers  11
  Payment Stages  12
  Authorization  12
  Settlement  13
  Payment Transactions  16
  Sale vs PreAuth/Completion  16
  Void and Return  16
  Fallback Processing  17
  Timeout Reversals  18
  Special Transaction Types  18
  Key Areas of Payment Application Vulnerabilities  19
  Summary  22

Chapter 2: Payment Application Architecture  25
  Essential Payment Application Blocks  25
  Interfaces  25
  Processing Modules  28
  Data Storage  31
  Typical Payment Transaction Flow  32
  Communication Between Modules  34
  Physical Connections  34
  Communication Protocols  35
  Local Communication  36
  Message Protocols  36
  Internal Protocols  38
  Communication Summary  38
  Deployment of Payment Applications  39
  The Concept of EPS  39
  Payment Switch  40
  Comparing Deployment Models  41
  Store EPS Deployment Model  43
  POS EPS Deployment Model  44
  Hybrid POS/Store Deployment Model  46
  Gas Station Payment Systems  46
  Mobile Payments  48
  Summary  50

Chapter 3: PCI  55
  What is PCI?  56
  PCI Standards  57
  PA-DSS vs. PCI DSS  59
  PA-DSS  59
  PCI DSS  67
  Comparing PA-DSS and PCI DSS Requirements  77
  PTS  80
  P2PE  81
  PCI Guidelines  83
  Fallacy of Tokenization  83
  EMV Guidance  85
  Mobile Payments Guidelines for Developers  86
  Summary  86

Part II: Attacks on Point of Sale Systems  91

Chapter 4: Turning 40 Digits into Gold  93
  Magic Plastic  93
  Physical Structure and Security Features  94
  Why Security Features Fail  97
  Inside the Magnetic Stripe  98
  Track 1  98
  Track 2  100
  PAN  101
  Expiration Date  102
  ISO Prefix and BIN Ranges  103
  PAN Check Digit  105
  Service Code  106
  Card Verification Values  107
  Regular Expressions  110
  Getting the Dumps: Hackers  111
  Security Breach  112
  Largest Point of Sale Breach  113
  Converting the Bits into Cash: Carders  114
  Monetization Strategies: Cashers  115
  Producing Counterfeit Cards  116
  Encoders  118
  Printers  120
  Summary  121

Chapter 5: Penetrating Security Free Zones  125
  Payment Application Memory
  RAM Scraping
  WinHex
  MemoryScraper Utility
  Windows Page File
  Sniffing Traffic on Local Networks
  Network Sniffers
  NetScraper Utility
  More Communication Vulnerability Points
  Exploiting Other Vulnerabilities
  Tampering With the Application
  Tampering With the Hardware
  Targeting New Technologies
  Attacks on Integrity and Availability
  Summary

Chapter 6: Breaking into PCI-protected Areas  147
  PCI Areas of Interest  147
  Data at Rest: The Mantra of PCI  148
  Temporary Storage  149
  Application Logs  150
  Hashed PAN  152
  Insecure Storage of Encryption Keys  153
  DiskScraper Utility  157
  Data in Transit: What is Covered by PCI?  160
  SSL Vulnerabilities  160
  Man-in-the-Middle  161
  Summary  162

Part III: Defense  165

Chapter 7: Cryptography in Payment Applications  167
  The Tip of the Iceberg  167
  Symmetric, Asymmetric, or One-way?  168
  Does Size Matter?  170
  Key Entropy  170
  Key Stretching  171
  Symmetric Encryption  172
  Strong Algorithms  173
  EncryptionDemo  173
  Implementing Symmetric Encryption  174
  Generating the Key  174
  Blocks, Padding, and Initialization Vectors  175
  Encryption and Decryption  175
  Asymmetric Encryption  176
  Implementing Public-key Encryption  177
  Generating the Keys  178
  Self-Signed Certificate  178
  PFX Certificate File  179
  Encryption  180
  Decryption  180
  One-way Encryption  181
  Implementing One-way Encryption  181
  Salting Tokens  182
  Salting Passwords  184
  Validating Passwords  184
  Digital Signatures  186
  Attached vs. Detached Signatures  186
  Code and Configuration Signing  187
  Data File and Message Signing  187
  Cryptographic Hardware  188
  Cryptographic Standards  188
  NIST and FIPS  189
  ANSI  191
  PKCS  191
  Summary  191

Chapter 8: Protecting Cardholder Data  195
  Data in Memory  195
  Minimizing Data Exposure  196
  Encrypting Data End to End  196
  Data in Transit  197
  Implementing SSL  197
  Using Encrypted Tunnels  206
  Data at Rest  207
  Secure Key Management  207
  Multiple Key Components  207
  KEK and DEK  208
  Key Rotation  209
  Point-to-Point Encryption  209
  What Point-to-Point Really Means  209
  Levels of P2PE  209
  Hardware P2PE  210
  DUKPT Key Management  211
  EMV  214
  Mobile and Contactless Payments  215
  Summary  215

Chapter 9: Securing Application Code  219
  Code Signing  219
  Authenticode  220
  Code Signing Certificates  220
  Creating the Root CA Using OpenSSL  221
  Certificate Formats  222
  Creating a Production-Grade Code Signing Certificate  223
  Timestamp  226
  Implementing Code Signing  227
  Signing Configuration and Data Files  229
  Attached or Detached?  229
  Data Signing Certificate  230
  Certificate Store  231
  Implementing Detached Signature  232
  Attached Signatures  235
  Signing XML Files  235
  Implementing Attached Signature  235
  Code Obfuscation  237
  Reverse Engineering  237
  Obfuscating the Code  240
  Secure Coding Guidelines  242
  OWASP Top 10  242
  CWE/SANS Top 25  243
  Language-Specific Guidelines  245
  Summary  246

Conclusion  249

Appendix A: POS Vulnerability Rank Calculator  251
  Security Questionnaire and Vulnerability Rank  251
  The Scoring System  252
  Instructions  252
  POS Security Questionnaire  252
  Decoding the Results  255

Appendix B: Glossary of Terms and Abbreviations  257

Index  265