Point-Of-Sale Hacking - 2600Thailand#20
Prathan Phongthiproek
Point-of-Sale (POS)
Areas of Vulnerability
[Diagram: the four areas of vulnerability - 1 Data in Memory, 2 Data at Rest, 3 Data in Transit, 4 Application Code and Configuration]
Security Risk
- Data in Memory
Security concerns remain the same as those for device interfaces: there are no standard security mechanisms, and the specific issues depend on the type of connectivity. If the POS and the payment application (PA) run under the same OS process, the memory of that process can be scanned (RAM scraping) in order to retrieve sensitive data.
Security Risk
- Data at Rest
"Data at rest" is a term used to describe any form of hard-drive storage, such as a database, flat data file, or log file.
Security Risk
- Data in Transit
There are different ways to "tap into the wire." One of the various sniffing attack scenarios is a hidden network tap device plugged into the store network. The tap device catches the payment application traffic and mirrors it to a remote control center.
Security Risk
- Application Code and Configuration
Another key vulnerability area is the payment application code itself and its configuration (config). The code and config don't contain any cardholder information by themselves, but they can be tampered with by an attacker or by malicious software in order to gain unauthorized access to the data in the other key vulnerability areas.
Exposure Area
[Diagram: Retail Store - POS Machine (POI Device, Payment Application, POS App, Memory, Storage) connected to the Payment Processor Data Center (Payment Processing Host). Legend: 1 Data in memory, 2 Data at rest, 3 Data in Transit, 4 App Code and Configuration]
Pros and Cons
Some of the security pros and cons of this model are:
- Pro
  - There's no central location in the store that accumulates all the sensitive data in memory, disk storage, or network traffic. It is easier (and less expensive!) to protect a single machine and application instance; however, once it is broken, all the store data is gone.
  - The communication between the POS and the PA doesn't carry sensitive data, because the PA handles all aspects of any payment transaction and only returns the masked results to the POS at the end, without exposing the details of the magnetic stripe.
- Con
  - All POS machines (memory, data storage) at the store are exposed to sensitive data, as is the communication between the POS machine and the payment host.
The concept of EPS
- EPS stands for Electronic Payment System.
- The main purpose of an EPS is to isolate the electronic payment processing application from the rest of the point-of-sale functions.
- A logical (and often physical) separation of the POS and the payment system allows "removing the POS from scope" (security auditors' terminology, meaning that security standard requirements such as PCI are not applicable to a particular application or machine).
- Placing the POS application or machine "out of scope" saves a lot of development and implementation work for both software manufacturers and consumers.
Store EPS Deployment Model
[Diagram: Retail Store - POS Machine (POS) and Store Server (POI Device, Payment Application, Memory, Storage) connected to the Payment Processor Data Center (Payment Processing Host). Legend: 1 Data in memory, 2 Data at rest, 3 Data in Transit, 4 App Code and Configuration]
Pros and Cons
Some of the security pros and cons of this model are:
- Pro
  - The POS machine isn't exposed to sensitive data because it doesn't communicate with POI devices.
  - Communication between the POS and the store server machines doesn't contain sensitive data, so there's no need to encrypt this traffic.
- Con
  - Communication between POI devices and the store server runs over the store LAN (usually TCP/IP packets), exposing sensitive cardholder information to the network.
Hybrid POS/Store Deployment Model
[Diagram: Retail Store - POS Machine (POS App, Payment Client App, POI Device, Memory, Storage) and Store Server (Payment Server App, Memory, Storage) connected to the Payment Processor Data Center (Payment Processing Host). Legend: 1 Data in memory, 2 Data at rest, 3 Data in Transit, 4 App Code and Configuration]
Pros and Cons
Some of the security pros and cons of this model are:
- Pro
  - There are no security pros associated with this model.
- Con
  - Both the POS and the store server machines, and almost all their components (memory, data storage, application code, and communication lines), are entirely vulnerable.
Case Study: Pentesting POS
[Diagram: Retail Store floor plan - Counter/POS Area, Back-Office Area (EPS), Storing Room - connected to the Payment Processor Data Center (Payment Processing Host)]
Case Study: Pentesting POS
[Diagram: store floor plan (Counter/POS Area, Back-Office Area with EPS, Storing Room, Payment Processor Data Center), highlighting the Physical & Host Assessment stage]
Case Study: Pentesting POS
- Physical & Host Assessment
  - USB drives, keyboard and mouse
  - Hot-key shortcuts
  - Random presses on the touchscreen
  - BIOS configuration
  - Reverse engineering of the application (.NET)
  - Directory traversal in the application
Case Study: Pentesting POS
[Diagram: store floor plan (Counter/POS Area, Back-Office Area with EPS, Storing Room, Payment Processor Data Center), highlighting the Network Segregation & Infrastructure Assessment stage]
Case Study: Pentesting POS
- Network Segregation & Infrastructure Assessment
  - Excessive open ports on devices and servers
  - Network segmentation
  - Rampant password reuse
  - Pass-the-Hash
  - Dumping of clear-text passwords stored by Windows authentication packages. Really!?
Case Study: Pentesting POS
[Diagram: store floor plan (Counter/POS Area, Back-Office Area with EPS, Storing Room, Payment Processor Data Center), highlighting the Traffic Monitoring stage]
Case Study: Pentesting POS
- Traffic Monitoring
  - Identify PANs over the network.
  - Sensitive information between SIT and EPS.
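As an added example (not from the original slides), the check a defender runs over captured store-LAN payloads or POS log files to confirm that no cleartext PAN is crossing the wire or landing on disk: candidate digit runs are filtered by the Luhn check and reported only in masked form. The sample lines are constructed; the card numbers are the public test PANs.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample of captured store-LAN payloads and POS log lines, not
// real traffic. The card numbers are well-known public test PANs.
var sampleLines = []string{
	`2016-05-12 10:31:07 POS-03 SALE amount=1299 pan=4111111111111111 exp=1219`,
	`2016-05-12 10:31:08 POS-03 AUTH approved ref=883201 masked=411111******1111`,
	`POST /eps/auth HTTP/1.1 body={"track2":"5500000000000004=1912101"}`,
	`2016-05-12 10:32:44 POS-03 RECEIPT txn=20160512103244 total=1299`,
	`session id 1234567890123456 is not a card number`,
	`POS-01 SALE pan="3782 822463 10005" exp=0821`,
}

// Finding is one cleartext PAN located in the scanned input. Only the masked
// form is kept, so the scanner's own output is not a new exposure.
type Finding struct {
	Line   int    // 1-based index into the scanned lines
	Masked string // first six and last four digits, the rest replaced by '*'
}

// Candidate runs of 13-19 digits, optionally separated by spaces or dashes.
var panPattern = regexp.MustCompile(`\b(?:\d[ -]?){12,18}\d\b`)

// luhnValid applies the Luhn check-digit test that every PAN satisfies; it
// rejects most timestamps, session ids and reference numbers of PAN length.
func luhnValid(digits string) bool {
	sum := 0
	double := false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// maskPAN keeps the BIN (first six) and the last four digits, the usual
// PCI DSS display mask.
func maskPAN(digits string) string {
	return digits[:6] + strings.Repeat("*", len(digits)-10) + digits[len(digits)-4:]
}

// findPANs scans each line for digit runs that also pass the Luhn check.
func findPANs(lines []string) []Finding {
	separators := strings.NewReplacer(" ", "", "-", "")
	var out []Finding
	for i, line := range lines {
		for _, m := range panPattern.FindAllString(line, -1) {
			digits := separators.Replace(m)
			if len(digits) < 13 || len(digits) > 19 || !luhnValid(digits) {
				continue
			}
			out = append(out, Finding{Line: i + 1, Masked: maskPAN(digits)})
		}
	}
	return out
}

func main() {
	for _, f := range findPANs(sampleLines) {
		fmt.Printf("line %d: cleartext PAN %s\n", f.Line, f.Masked)
	}
}
```

The transaction id on line 4 and the session id on line 5 are PAN-length digit runs that the Luhn filter discards, which is what keeps such a scan usable on real logs.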
Protection
- Data in Memory
  - Minimizing data exposure in the application (.NET SecureString, memory buffers)
  - Point-to-Point Encryption (P2PE): encrypt the data before it even reaches the memory of the hosting machine, and decrypt it only after it has left the POS (in the payment gateway)
- Data in Transit
  - Implementing Secure Sockets Layer (SSL)
  - Encrypted tunnels, IPsec
- Data at Rest
  - Avoiding the storage of sensitive data at all
  - Point-to-Point Encryption (P2PE)
  - Symmetric key encryption
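As an added example (not from the original slides), the P2PE flow described above with both sides of the exchange: the POI seals the PAN under a key shared only with the payment gateway and wipes its plaintext buffer, the POS forwards an opaque envelope and receives only the masked PAN, and the gateway rejects any tampering with the envelope. Assumptions: AES-256-GCM as the cipher, a constructed demo key, and the transaction amount carried in the clear but bound into the authentication tag as associated data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"strconv"
	"strings"
)

// Key shared only by the POI device and the payment gateway. Constructed demo
// value: in a real deployment it lives in the POI's secure element and is
// never present on the POS machine.
var poiGatewayKey = []byte("0123456789abcdef0123456789abcdef") // 32 bytes, AES-256

// Envelope is everything the POS machine ever holds. The PAN is only present
// as AES-GCM ciphertext; the amount is in the clear (the POS needs it) but is
// bound into the authentication tag as associated data.
type Envelope struct {
	Nonce      []byte
	Ciphertext []byte
	Amount     int // minor currency units
}

func newGCM() (cipher.AEAD, error) {
	block, err := aes.NewCipher(poiGatewayKey)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// poiSeal runs on the POI device: it encrypts the PAN the moment it is read
// and wipes the plaintext buffer, so the clear PAN never reaches the memory
// of the POS machine.
func poiSeal(pan string, amount int) (Envelope, error) {
	gcm, err := newGCM()
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	plain := []byte(pan)
	ct := gcm.Seal(nil, nonce, plain, []byte(strconv.Itoa(amount)))
	for i := range plain { // keep the clear data's lifetime as short as possible
		plain[i] = 0
	}
	return Envelope{Nonce: nonce, Ciphertext: ct, Amount: amount}, nil
}

// posHoldsPAN is what a RAM scraper on the POS amounts to: does anything the
// POS holds contain the card number?
func posHoldsPAN(env Envelope, pan string) bool {
	return strings.Contains(string(env.Nonce)+string(env.Ciphertext), pan)
}

// gatewayOpen runs in the payment gateway, outside the store: it verifies the
// tag (which also covers the amount), decrypts, and returns only the masked
// PAN to the store. Any change to the ciphertext or the amount is rejected.
func gatewayOpen(env Envelope) (string, error) {
	gcm, err := newGCM()
	if err != nil {
		return "", err
	}
	pan, err := gcm.Open(nil, env.Nonce, env.Ciphertext, []byte(strconv.Itoa(env.Amount)))
	if err != nil {
		return "", fmt.Errorf("envelope rejected: %w", err)
	}
	return maskPAN(string(pan)), nil
}

// maskPAN keeps the first six and last four digits only.
func maskPAN(pan string) string {
	if len(pan) < 10 {
		return strings.Repeat("*", len(pan))
	}
	return pan[:6] + strings.Repeat("*", len(pan)-10) + pan[len(pan)-4:]
}

func main() {
	env, err := poiSeal("4111111111111111", 1299)
	if err != nil {
		panic(err)
	}
	fmt.Println("POS can see the PAN:", posHoldsPAN(env, "4111111111111111"))
	fmt.Println(gatewayOpen(env))
}
```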
Thank you
- Recommended Book
