POS Malware: Is your Debit/Credit Card Transaction Secure?
TRANSCRIPT
POS Malware: Is your Credit/Debit Card Transaction Secure?
Amit Malik
Member @ Cysinfo, Researcher @ Netskope
Agenda
• POS Terminal
• Understanding the credit card transaction ecosystem
• POS malware - Introduction
• POS malware evolution
• POS infection vectors
• Case study
• BlackPOS
• New technologies (EMV/NFC/RFID)
POS Terminal
• Wikipedia: https://en.wikipedia.org/wiki/Point_of_sale
• A POS terminal is a combination of hardware and software that allows a retail location to accept payment (credit/debit) cards.
Credit Card Transaction Ecosystem
http://www.pathwaypayments.com/processing-diagram.html
Inside a Credit Card
• The magnetic stripe of the card has three data tracks: 1, 2 and 3. Only tracks 1 and 2 are used by payment cards.
• Track 1 was defined by IATA (International Air Transport Association) and holds up to 79 alphanumeric characters (PAN, cardholder name, expiry, service code, discretionary data).
• Track 2 was defined by the American Bankers Association and holds up to 40 numeric characters (PAN, expiry, service code, discretionary data).
• https://en.wikipedia.org/wiki/Magnetic_stripe_card
Inside a Credit Card (cont.)
• The last digit of the card number (PAN) is a check digit computed with the Luhn algorithm (https://en.wikipedia.org/wiki/Luhn_algorithm). It catches typos and single-digit errors, not fraud: anyone can compute it.
• https://en.wikipedia.org/wiki/Payment_card_number
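To make the two track layouts and the Luhn check concrete, here is an added example (not code from the talk): a small parser for Track 1 and Track 2 records plus a Luhn check-digit routine. The track strings, the cardholder name "DOE/JOHN" and the PANs 4111111111111111 / 5555555555554444 are constructed test values, not real card data, and the `chip_capable` helper is my addition based on the service-code convention (first digit 2 or 6 means the card carries a chip).

```python
import re
from dataclasses import dataclass
from typing import Optional

# Track 1 (IATA format): start sentinel '%', format code 'B', PAN, '^', cardholder
# name, '^', YYMM expiry, 3-digit service code, discretionary data, end sentinel '?'.
TRACK1_RE = re.compile(
    r"^%B(?P<pan>\d{13,19})\^(?P<name>[^^]{2,26})\^(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?$"
)
# Track 2 (ABA format): start sentinel ';', PAN, '=', YYMM expiry, 3-digit service
# code, discretionary data, end sentinel '?'.
TRACK2_RE = re.compile(
    r"^;(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?$"
)

TRACK1_MAX_LEN = 79   # characters, sentinels included
TRACK2_MAX_LEN = 40


def luhn_check_digit(partial: str) -> str:
    """Digit that makes partial + digit pass the Luhn test."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        # The rightmost digit of the partial sits next to the check digit, so it is doubled.
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(pan: str) -> bool:
    """True when the PAN's last digit is the correct Luhn check digit."""
    return pan.isdigit() and len(pan) >= 2 and luhn_check_digit(pan[:-1]) == pan[-1]


@dataclass
class TrackData:
    track: int
    pan: str
    expiry: str            # YYMM
    service_code: str
    name: Optional[str] = None   # only present on Track 1

    @property
    def chip_capable(self) -> bool:
        # Assumption from the service-code convention: first digit 2 or 6 = card has an IC
        # (chip). A terminal seeing this should not silently fall back to the magstripe.
        return self.service_code[0] in "26"


def parse_track(raw: str) -> TrackData:
    """Parse one raw track string as read from a magstripe reader."""
    m = TRACK1_RE.match(raw)
    if m:
        if len(raw) > TRACK1_MAX_LEN:
            raise ValueError("track 1 record too long")
        return TrackData(1, m["pan"], m["exp"], m["svc"], m["name"])
    m = TRACK2_RE.match(raw)
    if m:
        if len(raw) > TRACK2_MAX_LEN:
            raise ValueError("track 2 record too long")
        return TrackData(2, m["pan"], m["exp"], m["svc"])
    raise ValueError("not a track 1 or track 2 record")


if __name__ == "__main__":
    # Constructed sample records (test PANs, fictional cardholder).
    for rec in ("%B4111111111111111^DOE/JOHN^25121011234567890?",
                ";5555555555554444=25122011234567890?"):
        t = parse_track(rec)
        print(t.track, t.pan, luhn_valid(t.pan), t.expiry, t.service_code, t.chip_capable)
```

The security-relevant observation is how little the format hides: everything a fraudster needs to clone a magstripe card is the PAN, expiry and service code, all of which sit in the clear in these strings, which is exactly what memory-scraping malware goes after.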
POS Malware: Introduction
• Early data breaches used network sniffing to capture card data in transit. This became obsolete once the data was end-to-end encrypted on the wire.
• POS terminals read the card data. For a very short time the card data is present in clear text in the POS process memory (RAM), before it is encrypted for transmission.
• POS malware scrapes the RAM to collect the card data during that window.
POS Malware Data Breaches (timeline)
• 2012: Subway
• 2013: Target & Schnucks
• 2014: The Home Depot
• 2015: NEXTEP & Hilton
• 2016: MICROS
POS Malware Incidents per Industry
[Chart: share (%) of POS malware incidents per industry (Accommodation, Entertainment, Healthcare, Retail, Other Services) for 2013, 2014 and 2015; y-axis 0 to 100%.]
*Data from Verizon reports
POS Malware Evolution (timeline)
• 2011: Rdasrv
• 2012: BlackPOS, Alina, Dexter
• 2013: VmSkimmer, Chewbacca
• 2014: Decebal, JackPOS, Soraya, Backoff, BrutPOS, BlackPOS v2
• 2015: POSeidon, LogPOS, pwnPOS, FighterPOS
POS Infection Methods
• Stolen credentials
• Social engineering
• Phishing campaigns
• Insiders
• Software vulnerabilities
Case Study - BlackPOS
• Demo (conceptual) - memory scraping using Pymal
• Sample analysis - BlackPOS
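As an added example serving both the introduction above (card data sits in clear text in POS RAM for a short window) and the conceptual Pymal demo in this case study, here is a memory-scraping scan in Python. It is not code from the talk, from BlackPOS or from Pymal; it does what a scraper and a forensic hunter both do: walk a memory buffer, match the Track 2 shape, and use the Luhn check to drop random digit runs. The buffer is constructed inline as a stand-in for a process memory dump; the PAN 4111111111111111 is a test number, not real card data. Reporting masks the PAN, which is what a defender's tool should do.

```python
import re
from dataclasses import dataclass
from typing import List

# Track 2 as it lies in terminal memory: PAN, '=', YYMM expiry, 3-digit service code,
# then discretionary data. Scrapers look for exactly this kind of pattern; the
# negative lookbehind stops a match from starting in the middle of a digit run.
TRACK2_RE = re.compile(rb"(?<!\d)(\d{13,19})=(\d{4})(\d{3})(\d{0,20})")


def luhn_valid(pan: str) -> bool:
    """Standard Luhn test: double every second digit from the right, sum, mod 10."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep BIN (first 6) and last 4, mask the rest, so findings can be logged safely."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass
class Hit:
    offset: int        # byte offset of the PAN inside the scanned buffer
    masked_pan: str
    expiry: str        # YYMM
    service_code: str


def scan_memory(buf: bytes) -> List[Hit]:
    """Find Luhn-valid Track 2 records in a raw memory buffer."""
    hits = []
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        if not luhn_valid(pan):
            continue    # random digit runs and decoys almost always fail the checksum
        hits.append(Hit(m.start(), mask_pan(pan), m.group(2).decode(), m.group(3).decode()))
    return hits


def build_sample_dump() -> bytes:
    """Constructed stand-in for a POS process memory region (not real data)."""
    filler = b"\x00" * 64 + b"MSR read OK\r\n" + b"\x90" * 32
    decoy = b"1234567890123456=25121010000000000"   # Track 2 shape, fails Luhn
    real = b";4111111111111111=25121011234567890?"  # test PAN, passes Luhn
    return filler + decoy + b"\x00" * 16 + real + b"\x00" * 64


if __name__ == "__main__":
    for h in scan_memory(build_sample_dump()):
        print(f"offset=0x{h.offset:x} pan={h.masked_pan} exp={h.expiry} svc={h.service_code}")
```

On a live host the same `scan_memory` would be fed with pages read from the payment application's process (e.g. via ReadProcessMemory on Windows, which is the route BlackPOS-style scrapers take) or with a memory image acquired for forensics; the scanning logic does not change. The Luhn filter is the key to usable output: without it a 16-digit regex over a few hundred megabytes of memory produces mostly noise.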
New Technologies
• EMV ("Chip and PIN"): the chip on the card holds the card data and a secret key and produces a cryptogram for each transaction. This makes counterfeiting the card difficult, but the terminal still handles the card data, so EMV alone does not make POS terminals immune to memory-scraping malware.
• Newer methods such as Apple Pay (tokenised) or other contactless payment methods are not vulnerable to this particular threat, but they open new possibilities for attackers and change the threat landscape.