Plastic Money Plastic Trust

1
Plastic Money Plastic Trust

• Why you should never trust a merchant with your
  credit card

2
About this talk

• Work in progress
• Agenda
• Credit card backgrounder (hacker style)
• PCI Overview Defenses
• PCI Flaws
• Ongoing project, to be updated

3
Who do you trust?
4
A California Drivers License
5
CA License Spec
6
PAN Tester (Front)
7
Commerce without Trust

• Cash Commerce
• You visit a merchant
• You give them (money)
• They give you (goods or services)

8
Commerce with Trust

• Diners Club starts in the 50s
• A customer is as good as their name
• Merchant (via a Bank) extends credit
• Customer carries (paper) credit card
• Merchant trusts customer to pay
• Customer extends no extra trust to merchant

9
And the joke is

• Credit cards are clonable
• Trusting the merchant was a bad idea

10
PCI
11
The Players

• Customers
• Merchants
• Acquirers
• Banks
• Credit Card Associations
• The bad guys

12
Payment Card Industry

• Industry association
• Agenda
• defend the brand
• Make the customers feel safe
• Protect profits
• Standards issued
• Created auditor/expert role
• Advocate of PCI Security

13
Credit Cards

• ISO Standard
• Machine readable (partially)
• Clonable
• Purely data

14
CC Process Assumptions

• (CC means credit card)
• The customer will defend the CC
• The merchant will defend the CC
• Its hard to steal the CC
• If the CC is stolen, revocation will minimize
  damage

15
PCI Standard

• Requirement 1 Install and maintain a firewall
  configuration to protect cardholder data
• Requirement 2 Do not use vendor-supplied
  defaults for system passwords and other
• security parameters
• Requirement 3 Protect stored cardholder data
• Requirement 4 Encrypt transmission of cardholder
  data across open, public networks
• Requirement 5 Use and regularly update
  anti-virus software
• Requirement 6 Develop and maintain secure
  systems and applications
• Requirement 7 Restrict access to cardholder data
  by business need-to-know
• Requirement 8 Assign a unique ID to each person
  with computer access
• Requirement 9 Restrict physical access to
  cardholder data
• Requirement 10 Track and monitor all access to
  network resources and cardholder data
• Requirement 11 Regularly test security systems
  and processes
• Requirement 12 Maintain a policy that addresses
  information security

16
Interpretations

• There are many (at least one per auditor)
• Not generally as good as current best practice
• Implicitly hides merchants who dont use best
  practice
• Advisory they wont really fine us

17
PCI Defense
18
PAN Sample (Front)
19
PAN Sample (Back)
20
PCI Defenses

• The standard
• The audit process
• Technical upgrades and workarounds
• Payment process improvements
• Best Practices for a modern enterprise

21
Defenses the standard

• The usual best-practices motherhood and hacker
  pie platitudes about computer security.
• Intuitively obvious requirements
• Never save the CVV
• PAN should be encrypted when at rest
• PAN should be defended while in motion

22
PCI Defenses - Crypto

• Pre-Internet crypto use
• Vaguely bank-like crypto
• (Some) symmetric algorithms
• (Some) key hygiene
• (Some) use of encrypted data
• (Some) use of encryption in the network

23
PCI Defenses - Audit

• Country club auditors
• Non-technical
• Paid by merchant
• Interpreter of requirements
• Interpreter of solutions
• anonymous

24
PCI Security Research
25
PCI Security Research

• Targets
• PAN
• End nodes
• Data
• At rest
• In motion
• Processes
• Merchant
• Back-end
• Contractual

26
PAN Research

• PAN Tester
• Credit card
• Gift Card
• Captive cards

27
PAN Tester (Front)
28
PAN Tester (Back)
29
Faux Credit Cards
30
Target Sample
31
Targets

• Decrepit POS terminals are mainstream
• Win2k is considered modern
• Very low horsepower
• Not patched
• Not encrypted
• On undefended network

32
Other Targets

• POS networks
• 2000 stores across the US talking to a central
  site is not a private network
• Substandard defenses by conventional enterprise
  standards
• Comingled with corporate networks
• Minimally funded security efforts

33
Other Targets

• Acquirer connection
• Out of bounds for merchant audits
• Not clear anyone checks them
• Defense of acquirer not discussed

34
Recon

• Physical security of end systems
• Process recon
• Web access
• PAN Processing flaws

35
PCI Violation
36
PCI Crypto
37
Crypto Vulnerabilities

• No key management
• Weak keys
• Poor key management
• Poor key hygiene
• Home-grown crypto
• Ignorance of crypto work in the last 5 years

38
Potential Crypto flaws

• SQL Injection to find keys in the database
• Format glitches
• Information leakage (first 6 plus last 4 6
  decimal digits in namespace)
• Key generation
• Algorithm implementations

39
Boring Attacks

• Porous perimiter
• Web site
• include ltweb_site_attack.hgt
• Storefront
• Digital limpet mines
• Bored quasi-geek employees
• Back office
• include ltfrugal_dp_management.hgt
• Corporate office
• include ltsimple_enterprise_attacks.hgt

40
Boring Targets

• Windows 2000 is current for POS terminals
• Databases contain keys, leaked information
• Effectively unsecured networks
• 40 bit WEP at best
• Genuinely unsecured networks
• Cleartext internal networks

41
Boring Exploits

• Anything in The Idiots Guide to Attacking with
  Metasploit
• All your (Cisco) passwords are belong to us
• Logs? We dont need no steenkin logs
• Klingon logins (authentication is for the weak
  and timid)
• Passwords last changed when Reagan was President
• Passwords based on employee id/name

42
Conclusions

• A TJX-class incident might happen
• Oops old news.
• Someone might get caught using 40 bit WEP
• Oops old news.
• Someone might use a digital limpet mine
• Oops old news.
• Databases might be compromised

43
Conclusions (Seriously)

• Major compromises are possible
• Litigation is possible
• Paypal on a bad day might be better than Visa
• People will start to question the use of
  pre-Internet legacy payment networks
• Merchants should use 21st century network defense
  technologies
• Merchants are enterprises handling money and
  should act accordingly

44
Credits

• Conference venue by Toorcon
• Three Stooges Drivers License found at
  http//www.imhimports.com
• Drivers License Spec http//www.aamva.org/NR/rdo
  nlyres/66260AD6-64B9-45E9-A253-B8AA32241BE0/0/2005
  DLIDCardSpecV2FINAL.pdf
• PAN Sample photographs by Operations
• PCI Standard https//www.pcisecuritystandards.org
  /pdfs/pci_dss_v1-1.pdf
• Visa Gift Card from Visa International Service
  Association http//www.visa.com issued by Wells
  Fargo Bank
• Presentation software Office 2003 Excel by
  Microsoft
• Disclaimer
• No actual PANs were harmed in the production of
  this presentation.

45

Rodney Thayer rodney_at_thesecurityconsortium.net www
.thesecurityconsortium.net