Point-Of-Sale Hacking - 2600Thailand#20
Prathan Phongthiproek
Point-of-Sale (POS)
Areas of Vulnerability
(Diagram: the four areas of vulnerability)
1. Data in Memory
2. Data at Rest
3. Data in Transit
4. Application Code and Configuration
Security Risk
- Data in Memory
Security concerns remain the same as those for device interfaces: there are no standard security mechanisms, and the specific issues depend on the type of connectivity. If the POS and the payment application (PA) run under the same OS process, the memory of that process can be scanned (RAM scraping) in order to retrieve sensitive data.
Security Risk
- Data at Rest
“Data at rest” is the term used to describe any form of hard-drive storage, such as a database, flat-data file, or log file.
Security Risk
- Data in Transit
There are different ways to “tap into the wire.” One of various sniffing attack scenarios is a hidden network tap device plugged into the store network. The tap device catches the payment application traffic and mirrors it to a remote control center.
Security Risk
- Application Code and Configuration
Another key vulnerability area is the payment application code itself and its configuration (config). The code and config don’t contain any cardholder information by themselves, but they can be tampered with by an attacker or by malicious software in order to gain unauthorized access to the data in the other key vulnerability areas.
Exposure Area
(Diagram: Retail Store – POS Machine. The POS machine runs the POS App and the Payment Application, with its Storage and Memory, and connects the POI Device to the Payment Processing Host in the Payment Processor Data Center. Legend: 1 Data in memory, 2 Data at rest, 3 Data in Transit, 4 App Code and Configuration.)
Pros and Cons
Some of the security pros and cons of this model are:
- Pro
  - There’s no central location in the store that accumulates all the sensitive data in memory, disk storage, or network traffic. It is easier (and less expensive!) to protect a single machine and application instance; however, once it is broken, all the store data is gone.
  - The communication between the POS and the PA doesn’t carry sensitive data, because the PA handles all aspects of any payment transaction and only returns the masked results to the POS at the end, without exposing the details of the magnetic stripe.
- Con
  - All POS machines (memory, data storage) at the store are exposed to sensitive data, as is the communication between the POS machine and the payment host.
The concept of EPS
- EPS stands for Electronic Payment System.
- The main purpose of an EPS is to isolate the electronic payment processing application from the rest of the point-of-sale functions.
- A logical (and often physical) separation of the POS and the payment system allows “removing the POS from scope” (security auditors’ terminology, meaning that the requirements of a security standard such as PCI are not applicable to a particular application or machine).
- Placing the POS application or machine “out of scope” saves a lot of development and implementation work for both software manufacturers and consumers.
Store EPS Deployment Model
(Diagram: Retail Store with a POS Machine running the POS application and a Store Server running the Payment Application, with its Storage and Memory. The POI Device connects to the store server, which connects to the Payment Processing Host in the Payment Processor Data Center. Legend: 1 Data in memory, 2 Data at rest, 3 Data in Transit, 4 App Code and Configuration.)
Pros and Cons
Some of the security pros and cons of this model are:
- Pro
  - The POS machine isn’t exposed to sensitive data, because it doesn’t communicate with POI devices.
  - Communication between the POS and the store server machines doesn’t contain sensitive data, so there’s no need to encrypt this traffic.
- Con
  - Communication between the POI devices and the store server goes over the store LAN (usually TCP/IP packets), exposing sensitive cardholder information to the network.
Hybrid POS/Store Deployment Model
(Diagram: Retail Store with a POS Machine running the POS App and a Payment Client App, which connects to the POI Device, and a Store Server running a Payment Server App; both machines have Storage and Memory. The store server connects to the Payment Processing Host in the Payment Processor Data Center. Legend: 1 Data in memory, 2 Data at rest, 3 Data in Transit, 4 App Code and Configuration.)
Pros and Cons
Some of the security pros and cons of this model are:
- Pro
  - There are no security pros associated with this model.
- Con
  - Both the POS and the store server machines, and almost all their components (memory, data storage, application code, and communication lines), are entirely vulnerable.
Case Study: Pentesting POS
(Diagram: Retail Store with a Counter/POS Area, a Back-Office Area, a Storing Room and the EPS; the store connects to the Payment Processing Host in the Payment Processor Data Center.)
Case Study: Pentesting POS
(Same store diagram, labelled Physical & Host Assessment.)
Case Study: Pentesting POS
- Physical & Host Assessment
  - USB drives, keyboard and mouse
  - Hot-key shortcuts
  - Random presses on the touchscreen
  - BIOS configuration
  - Reverse engineering of the application (.NET)
  - Directory traversal in the application
Case Study: Pentesting POS
(Same store diagram, labelled Network Segregation & Infrastructure Assessment.)
Case Study: Pentesting POS
- Network Segregation & Infrastructure Assessment
  - Excessive open ports on devices and servers
  - Network segmentation
  - Password reuse rampant
  - Pass-the-Hash
  - Dump of clear-text passwords stored by Windows authentication packages
Really !?
Case Study: Pentesting POS
(Same store diagram, labelled Traffic Monitoring.)
Case Study: Pentesting POS
- Traffic Monitoring
  - Identify PANs over the network.
  - Sensitive information between SIT and EPS.
Protection
- Data in Memory
  - Minimizing data exposure from the application (.NET SecureString, memory buffers)
  - Point-to-Point Encryption (P2PE): encrypt the data before it even reaches the memory of the hosting machine, and decrypt it only after it has left the POS (in the payment gateway)
- Data in Transit
  - Implementing Secure Sockets Layer (SSL)
  - Encrypted tunnels, IPsec
- Data at Rest
  - Avoiding the storage of sensitive data at all
  - Point-to-Point Encryption (P2PE)
  - Symmetric key encryption
Thank you
- Recommended Book