Interview: A man who knows how to steal your credit card data

By James Green, Aug 2, 2014, in Technology
Lucas Zaichkowsky is an enterprise defense architect for digital investigation firm AccessData. This month at the Black Hat conference, Zaichkowsky will outline how easy it can be to steal your credit card data from big and small businesses.
According to Risk Based Security, 822 million records were exposed in data theft events in 2013, more than double the 2012 figure. Some, but not all, of these data breaches involved sensitive credit card data.
Both big corporations and small companies are affected by data breaches. Breaches of smaller companies are less likely to make headlines, but there have been plenty of high-profile data breaches in the past two years.
Target and P.F. Chang's are two such high-profile data breaches, both losing customers' credit card data when cyber criminals hacked their POS (Point of Sale) systems. During the 19-day Target data breach over 40 million credit and debit card numbers were stolen, along with 70 million customer records. The P.F. Chang's data breach lasted an astounding nine months, from mid-September 2013 until June 2014. There are currently no solid numbers in terms of credit and debit cards stolen during the P.F. Chang's data breach, but security professional Brian Krebs speculates "PFC locations nationwide probably process approximately 800,000 credit and debit card transactions each month."
All of this has led many to call for higher standards of security in the credit card industry. Many have speculated that the adoption of "Chip and PIN" cards (also known as EMV smart cards), such as the ones used in Europe, could have prevented these data breaches and protected consumers.
But the security provided by EMV smart cards is merely an illusion: cyber criminals will continue to steal card data from EMV smart cards, and they won't even need to change their tactics. More is needed to secure credit card information.
At the Black Hat conference in Las Vegas this month, Lucas Zaichkowsky will address the vulnerabilities of POS systems in his presentation "Point of Sale System Architecture and Security." In this presentation Zaichkowsky will demonstrate how EMV smart cards are vulnerable to the same attacks currently being used by cyber criminals, and discuss real changes that can be made by big and small companies, and by credit card processors, to secure consumers' sensitive credit card data.
Mr. Zaichkowsky was nice enough to answer a few questions on the subject of data breaches, POS system security, and the security shortcomings of EMV smart cards.
Q1. It seems the public is largely unaware of what takes place after someone swipes their CC in a POS station. What happens behind the scenes in a POS system when a purchase takes place?
1) When you swipe the credit card, read an EMV chip, or manually key in a card number, that data is transmitted from the peripheral over USB or serial to the POS “terminal” it’s attached to. Most magstripe readers are seen as keyboards and rapidly type out the track data when your card is swiped. This is referred to as keyboard emulation mode.
2) The POS client software running on the terminal will send the transaction information, including payment data, over the LAN, usually unencrypted, to a system running the “back of house server” software component.
3) The back of house server, usually residing in a manager’s office, will then transmit the transaction with credit card data encrypted over the Internet to the merchant’s credit card processor for approval.
a. In many cases, the system will store the credit card number and expiration date for a period of time in case adjustments need to be made later or for convenience for the customer to make additional purchases later. In case you’re wondering, submitting the card number and expiration date to make adjustments is a legacy requirement in the payment processing world. Modern POS systems encrypt that stored data, but it’s usually trivial for someone that knows what they’re doing to figure out how the developer squirrelled away the key. Some systems make use of tokenization services offered by a third party or the credit card processor so they can store a UUID of sorts. The tokenization provider stores the card number and expiration date on their behalf and swaps out the token with card data when adjustments or additional transactions are sent through.
4) The credit card processor will then transmit the data to the card brand such as Visa over a VPN or point to point connection.
5) The card brand will then pass the transaction through to the customer’s card issuing bank, as determined by the bank identification number (BIN), the first 6 digits of the card, over another VPN or point to point connection for approval.
6) The card issuer’s response of approved or declined, with all sorts of codes, traverses backwards along the same path to the POS terminal.
Obviously, there are several points in this process where card data can be intercepted: sniffing peripheral communications or recording keystrokes, sniffing LAN traffic, or regularly searching the process memory space of the POS client or server software (aka RAM scraping).
In the case of PINs entered for debit transactions, those things are TDES-encrypted by the PIN pad peripheral using a unique key per transaction (Google for DUKPT) and only the processor can decrypt. Attackers that want debit PINs have been known to go after the processor and gain access to the hardware security module (HSM) used to protect the keys. They’ll then brute-force guess PINs against the HSM using the same APIs accessed by legitimate payment processing systems until they guess right.
Q2. Following some high profile data breaches (Target, eBay, Adobe and most recently Goodwill) “Chip and PIN” EMV smartcard adoption has been promoted as a means to secure the CC industry. Are EMV smartcards a safer alternative to what is commonly used now?
EMV does provide better protection than magstripe; however, it does suffer from a major shortcoming that isn’t widely known.
Although the chip itself cannot be cloned, the card number and expiration date are still passed to the POS terminal in plain text during a chip read and are subject to theft the same way a magstripe read would be. Although this is less valuable than magstripe data, and it doesn’t include the CVV2 code or customer address, there are plenty of venues where fraud can be committed using just the card number and expiration date. CVV2 and address verification system (AVS) are optional when accepting card not present (CNP) transactions.
Additionally, “track equivalent data” is provided by the chip. Most card issuers have slightly different numbers in that data compared to what’s on a real magstripe (the 3-digit iCVV). However, there have been cases in the past where card issuers didn’t make that change, which meant stolen track equivalent data could have been used to make counterfeit magstripe cards to conduct fraud with. See: (PDF).
Lastly, the EMV implementation rolling out in the US isn’t using a PIN. We’re doing chip and signature. Even if you use your US issued EMV card overseas, they have you sign the merchant copy of the receipt instead of entering a PIN. If someone steals your physical card, they can use it to commit fraud until it’s deactivated. No PIN required.
Q3. In your upcoming Black Hat presentation you plan to demonstrate the vulnerabilities in how EMV handles the credit card information. What kind of CC information can be obtained by exploiting these vulnerabilities?
I’ll capture the card number and expiration date of my real EMV credit card along with my name. For demonstration purposes, I use the free Microsoft Sysinternals tool ProcDump to dump the memory space of the demo POS software. I’ll then open the memory dump and show the data is present in plain text. This is actually how RAM scraping first started. Attackers would use a script that created a process memory dump using normal debugging tools, then the script would run a regex search to find card data and output it to another file. That file would automatically be uploaded to an FTP server or the attacker would manually retrieve it.
Q4. How difficult do you believe it would be for cyber criminals to adapt their current methodology to target EMV smartcards?
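The answer above describes the check on which both RAM scraping and its defensive counterpart rest: a regex search over a process memory dump for card-number-shaped digit runs. The following is an added example, not code from the interview or from AccessData, written from the assessor's side: it is the kind of cardholder-data discovery scan a PCI reviewer runs over a dump taken with a tool such as ProcDump to prove that plaintext PAN is (or is not) resident in POS process memory. The sample buffer is constructed here and contains only the public test card numbers processors publish for sandboxes; the regex, the Luhn filter and the masking are the added parts.

```python
import re

# Constructed stand-in for a process memory dump of a POS client. The card
# numbers are published sandbox test PANs, not real cards; the surrounding
# bytes imitate strings the client might hold (track data, ticket ids, amounts).
SAMPLE_DUMP = (
    b"\x00\x00POSClient.exe\x00transaction_id=000123\x00"
    b"%B4111111111111111^DOE/JANE^2512101?"       # track-1 style record
    b"\x00\x00;5555555555554444=2512101?\x00"     # track-2 style record
    b"ticket_no=1234567890123\x00"                # 13 digits, fails Luhn
    b"amount=1999\x00phone=5551234567\x00"        # too short to be a PAN
    b"pan=378282246310005\x00"                    # 15-digit test PAN
)

# PANs are 13 to 19 digits; the look-arounds stop a longer digit run from
# being sliced into a false hit.
PAN_RE = re.compile(rb"(?<!\d)(\d{13,19})(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; every card brand's PAN passes it, most other
    digit runs (ticket numbers, timestamps) do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """PCI-style display form: first six and last four digits only, so the
    scan report itself does not become a second copy of the card data."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_pans(buf: bytes):
    """Return the offset, length and masked form of every Luhn-valid
    candidate in the buffer. A non-empty result on a merchant-side dump
    means the software holds plaintext card data."""
    hits = []
    for m in PAN_RE.finditer(buf):
        digits = m.group(1).decode("ascii")
        if luhn_ok(digits):
            hits.append({"offset": m.start(1),
                         "length": len(digits),
                         "masked": mask_pan(digits)})
    return hits


if __name__ == "__main__":
    for hit in find_pans(SAMPLE_DUMP):
        print(f"offset {hit['offset']:6d}  len {hit['length']}  {hit['masked']}")
```

Run against the sample, the scan reports three masked hits and ignores the ticket number that fails Luhn and the shorter numeric fields. On a real engagement the same function is pointed at the dump file, and a clean result after switching to a P2PE reader is the evidence that the change had the intended effect.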
Attackers would have to make no changes in their techniques to capture cardholder names, card numbers, and expiration dates from EMV cards during a transaction.
Q5. Using these new EMV exploits could cybercriminals continue to steal CC information at the same scale as recent high profile data breaches, such as the Target data breach?
Exploiting this “by design” vulnerability would scale exactly the same way as it works now for stealing magstripe data. This isn’t a new vulnerability. The issue is that this vulnerability is severely underreported and unknown to EMV proponents.
Q6. Are there changes that can be made to POS systems that can secure sensitive data and prevent these kinds of data breaches in the future?
I recommend that merchants use PCI-approved PTS devices that also perform point-to-point encryption (P2PE), encrypting the entire EMV read, magstripe read, and manually keyed-in card numbers. They should select a hardware solution supported by their payment processor, which acts as the decryption point.
With that setup, no plain text card data is handled by the merchant’s systems and they don’t have the keys necessary to decrypt the card data. The peripheral would have to be tampered with, which is difficult to do due to rigorous anti-tampering requirements in the PTS standard. One hardware solution I’m familiar with that is supported by multiple payment processors, including Mercury Payment Systems, is the MagTek DynaPro.
There are software-based P2PE solutions that claim to be just as good as hardware solutions, but most experts would probably agree with me when I say software-based systems can be circumvented remotely, since attackers regularly gain administrative-level privileges, which allow them to do whatever they want inside the operating system.
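To make the recommendation concrete, here is an added simulation (not code from the interview, from AccessData or from any P2PE vendor) that walks one card read through the hops listed in the Q1 answer, reader to terminal, terminal to back-of-house server over the LAN, server to processor, and records at each hop whether a sniffer or RAM scraper sitting there would see the PAN. The legacy path emits track data as the keyboard-emulating reader would; the P2PE path emits a blob that only the processor's key opens. The cipher is a stand-in: a real PTS device uses TDES or AES with factory-injected keys, and since the Python standard library has no block cipher the example uses an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag, which is labelled as such in the code. The track-2 record and the device key are constructed values.

```python
import hashlib
import hmac
import secrets

# Constructed card record: a published sandbox test PAN, not a real card.
TRACK2 = b";4111111111111111=2512101?"
PAN = b"4111111111111111"


# --- stand-in for the reader's hardware cipher ---------------------------
# HMAC-SHA256 in counter mode for confidentiality plus a separate HMAC tag
# (encrypt-then-MAC). It stands in for the TDES/AES a PTS device really uses
# so that the example runs on the standard library alone.
def _subkeys(key: bytes):
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(enc_key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(enc_key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def p2pe_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """What the reader emits instead of keystrokes: nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def p2pe_decrypt(key: bytes, blob: bytes) -> bytes:
    """Only the decryption point (the processor) holds the key; a wrong key or
    a modified blob fails the tag check before any plaintext is produced."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("tag mismatch: wrong key or tampered blob")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


# --- the hops from the Q1 answer ------------------------------------------
def pan_visible(payload: bytes) -> bool:
    """What a LAN sniffer or RAM scraper at a hop is looking for."""
    return PAN in payload


def run_transaction(p2pe: bool, device_key: bytes) -> dict:
    """Record, per hop, whether plaintext PAN is present there."""
    seen = {}
    # Hop 1: reader -> POS terminal. Legacy readers type the track data as
    # keystrokes; a P2PE reader hands over an encrypted blob instead.
    from_reader = p2pe_encrypt(device_key, TRACK2) if p2pe else TRACK2
    seen["terminal"] = pan_visible(from_reader)
    # Hop 2: terminal -> back-of-house server over the LAN, unencrypted in the
    # legacy design, so the frame holds whatever the terminal held.
    lan_frame = b"SALE|1999|" + from_reader
    seen["lan"] = pan_visible(lan_frame)
    seen["back_of_house"] = pan_visible(lan_frame)
    # Hop 3: server -> processor. The processor is the decryption point and is
    # the first party that needs, and has, the key.
    at_processor = p2pe_decrypt(device_key, from_reader) if p2pe else from_reader
    seen["processor"] = pan_visible(at_processor)
    return seen


if __name__ == "__main__":
    key = secrets.token_bytes(32)   # constructed device key
    print("legacy:", run_transaction(False, key))
    print("p2pe:  ", run_transaction(True, key))
```

In the legacy run every merchant-side hop shows the PAN, which is the exposure the interview describes; in the P2PE run only the processor does, and decrypting with any key other than the one injected into the reader fails the tag check. The design choice worth copying is the one the answer stresses: the merchant's systems never hold the key, so compromising the terminal or the back-of-house server yields ciphertext and nothing else.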