
SECURITY RESPONSE

A SPECIAL REPORT ON

Attacks on point-of-sales systems

Version 2.0 – November 20, 2014

Cybercrime gangs organize sophisticated operations to steal

vast amounts of card data before selling it in underground

marketplaces.

CONTENTS

OVERVIEW
Background
  Thriving marketplace for stolen cards
  Evolution of the threat
POS security issues
  Accessibility
  Lack of point to point encryption (P2PE)
  Software vulnerabilities
  Susceptibility to malicious code
  Slow adoption of EMV
Typical anatomy of attacks against POS systems
  Infiltration
  Network traversal
  Data-stealing tools
  Persistence and stealth
  Exfiltration
Protecting POS systems from attack
  Practical steps to take
  Symantec protection

OVERVIEW

Credit and debit card data theft is one of the earliest forms of cybercrime and persists today. Cybercrime gangs organize sophisticated operations to steal vast amounts of data before selling it in underground marketplaces. Criminals can use the data stolen from a card’s magnetic strip to create clones. It’s a potentially lucrative business with individual cards selling for up to US$130.

There are several routes attackers can take to steal this data. One option is to gain access to a database where card data is stored. But another option is to target the point at which a retailer first acquires that card data – the point-of-sale (POS) system.

Point-of-sale malware is now one of the biggest sources of stolen payment cards for cybercriminals. Although it hit the headlines over the past year, the POS malware threat has been slowly germinating since 2005. Attackers have honed their methods, paving the way for the mega-breaches of 2013 and 2014, which compromised approximately 100 million payment cards in the US.

The massive scale of these attacks is explained in part by the fact that POS malware kits are now widely available on the cybercrime underground. For a modest investment, attackers can buy tools that can potentially net them millions.

Despite improvements in card security technologies and the requirements of the Payment Card Industry Data Security Standard (PCI DSS), there are still gaps in the security of POS systems. This coupled with more general security weaknesses in corporate IT infrastructure means that retailers find themselves exposed to increasingly resourceful and organized cybercriminal gangs.

Many US retailers are still vulnerable to point-of-sale malware attacks and are likely to remain so until the complete transition to more secure payment card technologies in 2015.

BACKGROUND


Thriving marketplace for stolen cards

While the malware used to mount POS attacks is usually sold on underground forums, these forums are also often where the bounty of those attacks returns to be sold. For example, stolen credit card details from some of the biggest US breaches were sold on a forum known as Rescator.

Research from Symantec found that prices for payment card details can vary heavily depending on a number of factors, such as the type of card and its level, i.e. gold, platinum, or business. Card data originating from the US tends to be cheaper because of the widespread availability of stolen US cards. Card details sold along with extra information, known as “Fullz”, tend to attract higher prices because details such as someone’s date of birth or credit card security password make it easier to perform identity theft.

Single credit cards from the US tend to cost $1.50 to $5, with discounts often available for those who buy in bulk. Single cards from the EU tend to cost more, selling for $5 to $8. Fullz start at $5 and can range up to $20.

A single embossed plastic card with custom number and name meanwhile will sell for approximately $70. The stolen cards uploaded to Rescator were initially selling at a cost of $45 to $130 per card before prices later settled down.

Evolution of the threat

The term “POS device” most commonly refers to the in-store systems where customers pay merchants for goods or services. While a lot of POS transactions are carried out using cash, many of these payments are made by customers swiping their cards through a card reader. These card readers may be standalone devices but modern POS systems, particularly those in larger retailers, are all-in-one systems which can handle a variety of customer transactions such as sales, returns, gift cards and promotions.

Most importantly from a security standpoint, they can handle multiple payment types.

Attacks on point-of-sale terminals have their genesis as far back as 2005, when attackers began using network-sniffing malware to intercept payment card data while in transit. A group of attackers led by Albert Gonzalez were the main perpetrators, stealing more than 90 million card records from retailers.

As payments processors and retailers tightened up their security, the attackers adapted and attention turned to the point-of-sale terminal. When a card is swiped, its details are briefly stored in the terminal’s memory while being transmitted to the payment processor. This provides a brief window for malware on the terminal to copy the card data, which it then transmits back to the attackers. The technique is known as “memory scraping” and it is behind most of the major POS malware attacks seen in 2013 and 2014.





POS security issues

Many all-in-one POS systems are based on general purpose operating systems such as Windows Embedded, Windows XP and later versions, and Unix operating systems including Linux. Consequently, these systems are susceptible to a wide variety of attack scenarios which could lead to large scale data breaches.

Accessibility

All organizations that handle payment card data are required to implement safeguards set down in the PCI DSS.

This standard helps organizations to ensure that their systems and procedures are properly secured.

The standard describes a concept known as the cardholder data environment (CDE) and the need to protect it. This is defined as “The people, processes and technology that store, process or transmit cardholder data or sensitive authentication data, including any connected system components.” The current standards recommend, but do not require, that the CDE be network-segmented from other non-POS systems and the public internet. While a strictly controlled and completely isolated POS network would be quite secure, it is too impractical for serious consideration. The POS systems must be accessible for software updates and maintenance, allow business data to be exported to other systems (e.g. purchasing data and inventory), allow system and security logs to be exported, have access to required support systems such as network time protocol (NTP) servers (as required by the PCI DSS), and have connectivity to external payment processors.

Despite lacking a rule for segmentation, the PCI DSS does mandate certain levels of access security. For example, if remote access from a public network is allowed, the access must employ two-factor authentication (2FA).

In most mature retail environments, the CDE is appropriately segmented to reduce risk. However, in these environments, pathways still exist from the general corporate network to the CDE.

While previous breaches have occurred by gaining direct access to POS systems, the most common attack route against POS systems is through the corporate network. Once an attacker gains access to the corporate network, for example through a vulnerable public-facing server or spear-phishing email, the attacker could traverse the network until they gain access to an entry point to the POS network. This entry point is often the same as a corporate administrator would utilize to maintain the POS systems.

Lack of point to point encryption (P2PE)

When an individual pays by swiping a credit card at a POS system, data contained in the card’s magnetic stripe is read and then passed through a variety of systems and networks before reaching the retailer’s payment processor. When this data is transmitted over a public network, the data must be protected using network level encryption (e.g. Secure Sockets Layer (SSL)).

However, within internal networks and systems, the credit card number is not required to be encrypted except when stored. Albert Gonzalez famously took advantage of this weakness in 2005 by infiltrating many retail networks and installing network-sniffing tools, allowing him to gather over 100 million credit card numbers as they passed through internal networks.

In response, many retailers today use network-level encryption even within their internal networks. While that change protected the data as it travelled from one system to another, the credit card numbers are not encrypted in the systems themselves and can still be found in plain text within the memory of the POS system and other computer systems responsible for processing or passing on the data. This weakness has led to the emergence of “RAM-scraping” malware, which allows attackers to extract this data from memory while the data is being processed inside the terminal rather than when the data is travelling through the network.

Secure card readers (SCR) exist and have been implemented in some environments, enabling P2PE. This can defeat RAM-scraping attacks that work by searching the memory of the POS system for patterns of digits that match those of payment card numbers. Such card readers encrypt the card data at time of swipe and the credit card number remains encrypted throughout the process even within the memory and underneath network-level encryption.
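As an added example (not code from the Symantec report), the following Python script shows the check a defender would run over a POS memory dump or a test capture: the same digit-pattern and Luhn search that RAM-scraping malware relies on, used here to confirm whether a reader's P2PE actually keeps the card number (PAN) out of plaintext memory. The memory buffers, the device key and the keystream cipher that stands in for the secure reader's encryption are all constructed for this example; the PANs are the standard 4111... and 4242... test card numbers.

```python
"""Added example, not from the Symantec report: a defender's check for
plaintext payment card data in a captured memory buffer.

RAM scrapers search POS process memory for digit runs that look like card
numbers. Run by the defender over a memory dump, the same search verifies
whether point-to-point encryption (P2PE) really keeps the PAN out of
plaintext memory. All inputs below are constructed; the keystream cipher
is a toy stand-in for the key a real secure card reader holds.
"""
import hashlib
import re

# Candidate PAN: 13-19 digits that are not part of a longer digit run.
PAN_RE = re.compile(rb"(?<!\d)\d{13,19}(?!\d)")
# ISO 7813 track-2 shape: ';' PAN '=' expiry/service code ... '?'
TRACK2_RE = re.compile(rb";(\d{13,19})=\d{4}\d*\?")


def luhn_ok(digits: bytes) -> bool:
    """Luhn check-digit validation; filters random digit runs from real PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):   # reversed(bytes) yields ints
        d = ch - 48                               # ASCII digit to int
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_plaintext_pans(buf: bytes) -> list:
    """Return Luhn-valid PANs found in plaintext in buf (track-2 hits first)."""
    found = []
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1)
        if luhn_ok(pan) and pan not in found:
            found.append(pan)
    for m in PAN_RE.finditer(buf):
        pan = m.group(0)
        if luhn_ok(pan) and pan not in found:
            found.append(pan)
    return [p.decode() for p in found]


def toy_p2pe_encrypt(key: bytes, data: bytes) -> bytes:
    """Stand-in for encrypt-at-swipe: XOR with a SHA-256 counter keystream.
    Constructed for this example only; real readers use DUKPT-style schemes."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        ks = hashlib.sha256(key + offset.to_bytes(4, "big")).digest()
        chunk = data[offset:offset + 32]
        out.extend(a ^ b for a, b in zip(chunk, ks))
    return bytes(out)


# Constructed track-2 data using the standard Visa test PAN 4111111111111111.
TRACK2 = b";4111111111111111=25121011000012345678?"
# Legacy terminal: track data sits in memory in the clear, next to a
# Luhn-invalid order number and a second (4242...) test PAN. Constructed.
LEGACY_MEMORY = (b"\x00POSAPP v1\x00" + TRACK2 + b"\x00order=1234567890123456\x00"
                 b"total=19.99 card=4242424242424242\x00")
# P2PE terminal: only the encrypted track data ever reaches memory. Constructed.
DEVICE_KEY = b"constructed-device-key-not-real"
P2PE_MEMORY = (b"\x00POSAPP v2\x00" + toy_p2pe_encrypt(DEVICE_KEY, TRACK2)
               + b"\x00total=19.99\x00")


def audit() -> dict:
    """Plaintext PANs found in each constructed buffer, keyed by terminal type."""
    return {
        "legacy": find_plaintext_pans(LEGACY_MEMORY),
        "p2pe": find_plaintext_pans(P2PE_MEMORY),
    }


if __name__ == "__main__":
    for name, pans in audit().items():
        masked = [p[:6] + "******" + p[-4:] for p in pans]
        print(f"{name}: {len(pans)} plaintext PAN(s) {masked}")
```

The Luhn filter is what separates a real PAN from an order number or timestamp of similar length; the track-2 pattern is checked first because a sentinel-delimited hit is the strongest evidence that full magnetic stripe data was in memory. The legacy buffer yields two PANs, the P2PE buffer none.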

Using P2PE within POS environments is not a new concept. Items such as PINs, when used with debit cards, must be encrypted at the PIN pad terminal. When provisioning terminals, a payment processor or sponsor must provision the terminal by performing “key injection” where a unique encryption key is deployed directly to the device. With this scheme, the PIN remains encrypted at all times.

Software vulnerabilities

Many POS systems are running older operating systems, such as Windows XP or Windows XP Embedded. These versions are more susceptible to vulnerabilities and are therefore more open to attack. It should also be noted that support for Windows XP ended on April 8, 2014 but for Windows XP Embedded, the deadline has been extended to January 12, 2016. No more patches will be issued for any vulnerabilities found in these operating systems after the cutoff dates. This inevitably places POS operators under increased risk of a successful attack and POS operators should have mitigation plans in place. Organizations should verify with Microsoft the exact end-of-life date for the versions of Windows that they are using and plan accordingly.

Susceptibility to malicious code

As many POS systems are running a version of Windows, they are also capable of running any malware that runs on Windows. This means that attackers do not need specialized skills in order to target POS systems and malware that was not specifically designed for use on POS systems could be easily repurposed for use against them.

POS malware was first discovered in October 2008, when Visa issued an alert on a new type of exploit. During a fraud investigation, it found that attackers had been installing debugging software on POS systems that was capable of extracting full magnetic stripe data from their memory. Little heed appears to have been taken of this warning, allowing malware authors time to perfect their methods. In the intervening period, the malware authors have worked to streamline the malware, integrating all functionality into a single piece of software.

This development process eventually led to fully featured POS malware kits emerging on underground markets from 2012 onwards. What followed was a flood of high profile breaches, with several major US retailers hit by POS malware attacks.

Case in point: BlackPOS

One of the most widely used forms of POS malware is BlackPOS (detected as Infostealer.Reedum), which is also known as KAPTOXA, Memory Monitor, Dump Memory Grabber, and Reedum. Variants of BlackPOS have been used to mount some of the biggest retail POS breaches.

Its development mirrors the evolution of the broader POS malware market. The earliest versions of BlackPOS date from 2010. Over time, it has evolved into a highly capable cybercrime tool which employs encryption to cover its tracks and can be customized to suit the target environment.

By February 2013, BlackPOS was ready for the mass market and the group behind one of its variants began selling it on underground forums, charging customers $2,000 for the package.


Slow adoption of EMV

Europay, Mastercard and Visa (EMV) is a set of standards for card payments. It is often referred to as “chip and PIN” and is a replacement for traditional magnetic stripe-based cards. EMV cards contain embedded microprocessors that provide strong transaction security features. EMV never transmits the credit card data in the clear, mitigating many common POS attacks. EMV cards are also less attractive to attackers as they are difficult to clone.

While EMV is commonly used in some parts of the world such as Europe, US merchants in particular have been slow to adopt the EMV standard and will not start implementing it until 2015.

Typical anatomy of attacks against POS systems

Attacks against POS systems in mature environments are typically multi-staged. First, the attacker must gain access to the victim’s network. Usually, they gain access to an associated network and not directly to the CDE.

They must then traverse the network, ultimately gaining access to the POS systems. Next, they will install malware in order to steal data from the compromised systems. As the POS system is unlikely to have external network access, the stolen data is then typically sent to an internal staging server and ultimately exfiltrated from the retailer’s network to the attacker.
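As an added example (not from the report), this Python script applies the segmentation and access rules discussed in the Accessibility section to the attack stages just described, using constructed flow records from a POS segment: outbound traffic is checked against the short list of destinations the report says a POS network legitimately needs (NTP, log export, updates and maintenance, the payment processor); traffic to anything else is flagged as possible staging (internal host) or exfiltration (external host); and inbound admin-port connections to the CDE from anywhere other than a designated jump host are flagged as a misused entry point. The subnets, addresses, port list and byte threshold are assumptions a real deployment would replace with its own.

```python
"""Added example, not part of the Symantec report: checking flow records from
a POS (CDE) segment against the few destinations a POS host legitimately
needs, to surface the staging, exfiltration and entry-point stages of a POS
attack. Subnets, hosts, flows and the byte threshold are constructed.
"""
import ipaddress
from collections import defaultdict

POS_NET = ipaddress.ip_network("10.20.0.0/16")     # constructed CDE segment
CORP_NET = ipaddress.ip_network("10.0.0.0/8")      # constructed corporate space
JUMP_HOST = ipaddress.ip_address("10.50.1.10")     # the only sanctioned admin entry point

# (destination, protocol, port) a POS host may initiate. Constructed allowlist
# mirroring the report's list: NTP, log export, updates, payment processor.
EGRESS_ALLOW = {
    (ipaddress.ip_address("10.50.2.5"), "udp", 123),      # NTP server
    (ipaddress.ip_address("10.50.2.20"), "tcp", 6514),    # TLS syslog collector
    (ipaddress.ip_address("10.50.2.30"), "tcp", 443),     # update/maintenance server
    (ipaddress.ip_address("203.0.113.40"), "tcp", 443),   # payment processor (TEST-NET-3)
}
ADMIN_PORTS = {22, 445, 3389, 5985}   # SSH, SMB, RDP, WinRM
STAGING_BYTES = 1_000_000             # assumption: tune per environment


def parse_flow(line: str) -> dict:
    """Parse one constructed flow line: 'src dst proto dport bytes'."""
    src, dst, proto, dport, nbytes = line.split()
    return {"src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
            "proto": proto, "dport": int(dport), "bytes": int(nbytes)}


def classify(flow: dict):
    """Return an alert reason for a flow, or None if it matches policy."""
    src, dst = flow["src"], flow["dst"]
    if src in POS_NET:
        if (dst, flow["proto"], flow["dport"]) in EGRESS_ALLOW:
            return None
        if dst in POS_NET:          # intra-segment traffic: out of scope here
            return None
        if dst in CORP_NET:         # checked after POS_NET, which lies inside it
            return "staging: POS host sending to non-allowlisted internal host"
        return "exfiltration: POS host sending to non-allowlisted external host"
    if dst in POS_NET and flow["dport"] in ADMIN_PORTS and src != JUMP_HOST:
        return "entry point: admin-port access to CDE from outside the jump host"
    return None


def analyze(lines):
    """Return (alerts, heavy): alerts as (src, dst, reason) tuples, and the
    internal destinations that received at least STAGING_BYTES from POS hosts."""
    alerts = []
    volume = defaultdict(int)
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        flow = parse_flow(line)
        reason = classify(flow)
        if reason:
            alerts.append((str(flow["src"]), str(flow["dst"]), reason))
            if reason.startswith("staging"):
                volume[str(flow["dst"])] += flow["bytes"]
    heavy = sorted(d for d, b in volume.items() if b >= STAGING_BYTES)
    return alerts, heavy


# Constructed flow records: three sanctioned flows, two POS hosts pushing
# data to one internal server, one external upload, one RDP session from a
# corporate workstation, one from the jump host, and one intra-POS flow.
SAMPLE_FLOWS = """\
# src dst proto dport bytes (constructed)
10.20.3.11 10.50.2.5 udp 123 76
10.20.3.11 203.0.113.40 tcp 443 4210
10.20.3.11 10.50.2.20 tcp 6514 8800
10.20.3.12 10.60.7.77 tcp 445 620000
10.20.3.13 10.60.7.77 tcp 445 710000
10.20.3.12 198.51.100.9 tcp 21 15000
10.0.9.4 10.20.3.11 tcp 3389 3000
10.50.1.10 10.20.3.11 tcp 3389 3000
10.20.3.11 10.20.3.12 tcp 8080 500
""".splitlines()

if __name__ == "__main__":
    alerts, heavy = analyze(SAMPLE_FLOWS)
    for src, dst, reason in alerts:
        print(f"{src} -> {dst}: {reason}")
    print("staging candidates by volume:", heavy)
```

The order of the checks matters: the POS subnet sits inside the corporate range, so intra-segment traffic is tested before the internal-host test, and the allowlist is tested before either. Aggregating bytes per internal destination is what turns two individually small alerts into a staging-server candidate, which is the pattern the report describes for environments where POS hosts have no direct external access.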


