A Journey To Protect Points Of Sale - Black Hat | Home€¦ · RAM DB POS Payment Processing Host...

A Journey To Protect Points Of Sale

Nir Valtman, CISSP

W : www.valtman.org

. : @ValtmaNir

Introduction

Photo by Bill Fraser

01/07/2014 3

01/07/2014 4

I’m an architect

01/07/2014 6

Zombies!!!

Defacement

AntiDef

OPEN SOURCE

Memory Scraper

Secure TDD

Why Points Of Sale Targeted?

Deployment

Payment ApplicationPoint Of Sale

IS NOT

POS Payment Processing

PA Server

Store Payment Processor’s Data Center

PA Client

POS Payment Processing

PA Server

Store Payment Processor’s Data Center

PA Client

Rest Transit Memory

Where Are My Credit Cards?

Mobile App Presentation Server Application & Payment Server Payment Processor’s Data Center

Rest Transit Memory

Where Are My Credit Cards?

Mobile App Presentation Server Application & Payment Server Payment Processor’s Data Center

Server

Credit

Retail

Environment

Assumptions

100% PCI Compliant

Retail

Environment

Assumptions

Retail

Environment

Assumptions

Retail

Environment

Assumptions

Notvulnerable

Retail

Environment

Assumptions

Retail

Environment

Assumptions

Cashier ≠ hacker

Retail

Environment

Assumptions

Big Brother

RemoteAdministrationTools

Routing

Threats

READ&WRITE

I AM BOB

ME TOO

Payment Stages - Authorization

Processor

IssuerGateway

Acquirer

Route Track1/2 Transmit Track1/2

Transmit Track1/2

Difficult

Exploitation

Payment Stages - Authorization

Payment Stages - Settlement

42Processor

IssuerGateway

Acquirer

Transmit SettlementStore & Send PANs

PA Server

Credit Merchant’s Account

Difficult

Exploitation

Payment Stages - Settlement

Memory Scraping

OfflineOnline VS

Bypassed Solutions

SecureString Class

Next NextNextNext Next Generation Firewall

Whitelist

MD5 SHA256

Correct Solutions

Intelligence

I have access to POS terminals in the US,

what is the best malware I should use?

You need to infect the firmware of the terminal.

By doing that, you can get full track 1 + 2,

but the PIN will be hashed.

Selling malicious firmware for Verifone’s POS terminals.

Leaks dumps + PINs through GPRS.

Price: Only 700$

Business Development Offer

Owner of a fake POS sells his terminal.

Price: 50% from revenue sharing.

RFI: Change terminal configuration to require PIN for all cards.

Cause: Get only 101 data, but wants PINs

Proposed Solution:

Thermal Imager

Sandbox

Network-based

Anomaly Detection

Operating System

Anomaly Detection

Runtime Obfuscation

Not only products required

Performance Security

Assembly Signing

Assembly Obfuscation

PROCESS ISOLATION

What Next

What Would You Steal?

BIP BIP

Memory

Scraping

Memory

Scraping

Cashier = hacker

Memory

Scraping

Summary

Memory

Scraping

Security by Obscurity

Memory

Scraping

Simple Exploitation

Memory

Scraping

Hard to Protect

Memory

Scraping

You’re Insured

Nir Valtman

W : www.valtman.org

. : @ValtmaNir

A Journey To Protect Points Of Sale - Black Hat | Home€¦ · RAM DB POS Payment Processing Host...

Documents

National Science Foundation Engineering Research Center Faculty Cyrus Shahabi (DB) Craig Knoblock (AI) Ulrich Neumann (CG) Ram Nevatia (CV) Staff Farnoush

Osalliados dB~I~ram gUOFra Hungriahemeroteca.ciasc.sc.gov.br/oestadofpolis/1919/EST19191164.pdf · sem1?J'e; ninguAm mais . 014 . ... Meu . relatorio como Nuperill- ]....orça Publica

Zaštita od buke ostakljenih pročelja - nZEB.hrMlazni avioni 100 Pa 130 dB Prag boli 20 Pa 120 dB Elisni avioni 6,3 Pa 110 dB Pneumatski čekić 2 Pa 100 dB Motorna pila mPa 90 dB

Leaflet Dahua SD5A Series V2.0 EN 202006(4P)...2020/07/09 · Lp (dB) Le (dB) Right (dB) Front (dB) Back (dB) Up (dB) Background Tour Pa ern 1 Pa ern 2 Pa ern 3 17.02 140 130 120

Suleyman ari ram pa pa pam

(TH 94) STATE PROJ. NO. · r amp b {bus ram pb {ram pa {ram pa {ram pb 27812 br no hen nep in cou nty mi n eap oli s cit y of hen epi n 0c oun ty mi n eap oli s cit y of 4th stc onn

RAM 744 - GfG Instrumentationgoodforgas.com/wp-content/uploads/2013/12/RAM_744... · The RAM 744 is the ideal monitor for Respiratory air specifications ... External alarm 90 dB at

INCORRECT INVERSE PROBLEM SOLUTION METHOD ......prox i ma tions of the pa ram e ter val ues and the reg u lar iza tion pa ram e ter val - ues have been in ves ti gated. A sta tis ti

50 dB GSM PA Controller AD8311 - analog.com · 50 dB GSM PA Controller AD8311 Rev. A Information furnished by Analog Devices is believed to be accurate and reliable. However, no responsibility

Copyright© 2003 Empress Software, Inc. All Rights Reserved....EMPRESS DB ENGINE WIN 2000 INTEL X86 /256 MB RAM. 30 EMPRESS DB ENGINE TOMCAT JSP Server Internet Explorer Browser. 31

Measurement Microphone - Onosokki site · PDF fileMeasurement Microphone Speciﬁcation ... ・Space-saving design-48 ± 3 dB re. 1 V/Pa 4 mV/Pa (250 Hz) ... Cable Weight Accessory

einfach. bequem. einkaufen....MSE 141 C-Q: L pA/L WA=90/101 dB(A); a hw=3,3/4,2 (m/s²) / MS 170: L pA/L WA=100/111 dB(A); a hw=5,2/5,5 (m/s²) / MS 211: L pA/L WA=100/113 dB(A); a

PA-100 RP-10 RAM R-200 … · Tuesday, December 27, 2016 PA-100 RP-10 RAM R-200 Report on the inspection for compliance with United States Military Standards MIL-STD-810E MIL-STD-462

Operator’s Manual - airhyd.com.au · presión máx. 6,3 bar (90 psi) a hd:Nivel de vibración, k Incertidumbre ; L pA Nivel de presión sonora dB(A), K pA = K WA = 3 dB Incertidumbre

BLUE PILING - IHC IQIP...> in dB re 1 µ Pa 2.s 1k 2k 4k 8k 16k 120 130 140 150 160 170 180 = 155.4 dB BLUE Piling@750m = 170.7 dB Q7@750m = 179.9 dB GEMINI@750m Figure 1: Offshore

A Sub-6 GHz Compact GaN MMIC Doherty PA with a 49.5% 6 dB ... papers... · A Sub-6 GHz Compact GaN MMIC Doherty PA with a 49.5% 6 dB back-off PAE for 5G Communications Sih-Han Li1,2

SMART Box - Airflow Lufttechnik GmbHSMART Box Arbeitspunkt Schallleistungspegel L WA (dB) L WA (dB) Druckverlust (Pa) Luftvolumenstrom (m3/h) 63 125 250 500 1000 2000 4000 8000 125

PRODUCT DESCRIPTION FEATURES · -0.1 to +5.6 91 86 90 100 2.1 4 75 64 84 95 4.5 74 64 81 90 4.75 73 63 80 88 5 72.5 62 72 77 mV pA pA V dB dB dB dB µV/℃ MAX TYP TYP TYP MIN MIN

PA RAM 07 PARTIE 1-2 (conception exploitation des aérodromes)guide mali

Solar energy is our future. before m3 KWh M Kg °C Pa dB …… before m3 KWh M Kg °C Pa dB …… now W/m² Wh/m² ……