ffirs.indd
02:15:28:PM 01/08/2014
Page ii
Hacking Point of Sale
Payment Application Secrets,
Threats, and Solutions
Slava Gomzin
Hacking Point of Sale: Payment Application Secrets, Threats, and Solutions
Published by
John Wiley & Sons, Inc.
10475 Crosspoint Boulevard
Indianapolis, IN 46256
www.wiley.com
Copyright © 2014 by John Wiley & Sons, Inc., Indianapolis, Indiana
Published simultaneously in Canada
ISBN: 978-1-118-81011-8
ISBN: 978-1-118-81010-1 (ebk)
ISBN: 978-1-118-81007-1 (ebk)
Manufactured in the United States of America
10 9 8 7 6 5 4 3 2 1
No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any
means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections
107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or
authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood
Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600. Requests to the Publisher for permission should be
addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011,
fax (201) 748-6008, or online at http://www.wiley.com/go/permissions.
Limit of Liability/Disclaimer of Warranty: The publisher and the author make no representations or warranties
with respect to the accuracy or completeness of the contents of this work and specifically disclaim all warranties,
including without limitation warranties of fitness for a particular purpose. No warranty may be created or extended
by sales or promotional materials. The advice and strategies contained herein may not be suitable for every situation.
This work is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other
professional services. If professional assistance is required, the services of a competent professional person should be
sought. Neither the publisher nor the author shall be liable for damages arising herefrom. The fact that an organization
or Web site is referred to in this work as a citation and/or a potential source of further information does not mean
that the author or the publisher endorses the information the organization or website may provide or recommendations it may make. Further, readers should be aware that Internet websites listed in this work may have changed or
disappeared between when this work was written and when it is read.
For general information on our other products and services please contact our Customer Care Department within the
United States at (877) 762-2974, outside the United States at (317) 572-3993 or fax (317) 572-4002.
Wiley publishes in a variety of print and electronic formats and by print-on-demand. Some material included with
standard print versions of this book may not be included in e-books or in print-on-demand. If this book refers to media
such as a CD or DVD that is not included in the version you purchased, you may download this material at
http://booksupport.wiley.com. For more information about Wiley products, visit www.wiley.com.
Library of Congress Control Number: 2013954096
Trademarks: Wiley and the Wiley logo are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or
its affiliates, in the United States and other countries, and may not be used without written permission. All other
trademarks are the property of their respective owners. John Wiley & Sons, Inc. is not associated with any product
or vendor mentioned in this book.
To all of us who pay and get paid with plastic.
About the Author
Slava Gomzin is a Security and Payments Technologist at
Hewlett-Packard, where he helps create products that are
integrated into modern payment processing ecosystems
using the latest security and payments technologies. Prior
to joining Hewlett-Packard, Slava was a security architect,
corporate product security officer, R & D and application
security manager, and development team leader at Retalix,
a Division of NCR Retail. As a PCI ISA, he focused on security and on PA-DSS, PCI DSS, and PCI P2PE compliance of POS systems, payment applications, and gateways. Before moving into security, Slava worked in
R & D on design and implementation of new products including next-generation
POS systems and various interfaces to payment gateways and processors. He
currently holds CISSP, PCIP, ECSP, and Security+ certifications. Slava blogs about
payment and technology security at www.gomzin.com.
About the Technical Editor
Rob Shimonski (www.shimonski.com) is an experienced entrepreneur and an
active participant in the business community. Rob is a best-selling author and
editor with over 15 years of experience developing, producing, and distributing print media in the form of books, magazines, and periodicals. To date, Rob
has successfully created over 100 books that are currently in circulation. Rob
has worked for countless companies including CompTIA, Wiley, Microsoft,
McGraw-Hill Education, Elsevier, Cisco, the National Security Agency, and
Digidesign. Rob has over 20 years of experience working in IT, networking, systems, and security. He is a veteran of the U.S. military and has been entrenched
in security topics for his entire professional career. Rob has an extremely diverse
background in security and networking and has successfully helped over a
dozen major companies get on track with PCI.
Credits

Executive Editor: Carol Long
Business Manager: Amy Knies
Senior Project Editor: Adaobi Obi Tulton
Vice President and Executive Group Publisher: Richard Swadley
Technical Editor: Rob Shimonski
Production Editor: Daniel Scribner
Copy Editor: Christina Haviland
Editorial Manager: Mary Beth Wakefield
Freelancer Editorial Manager: Rosemarie Graham
Associate Director of Marketing: David Mayhew
Marketing Manager: Ashley Zurcher
Associate Publisher: Jim Minatel
Project Coordinator, Cover: Katie Crocker
Proofreader: Sarah Kaikini, Word One
Indexer: Robert Swanson
Cover Designer: Ryan Sneed/Wiley
Cover Image: © defun/iStockphoto.com
Acknowledgments
First, I would like to thank Wiley for providing me with this unique authorship
opportunity. Thanks to my editor, Adaobi Obi Tulton, for her patience, attention, and support throughout the entire publishing process. Special thanks to
Carol Long who believed in this book and made it possible. Thanks also to my
first editor, Jeannette de Beauvoir, who helped me to polish and promote my
book proposal.
Writing a book like this wouldn’t be possible without gaining experience and
learning from other professionals over the years. I would like to thank my former
coworkers. Special thanks to Shmuel Witman, Doug McClellan, Sagi Zagagi,
and Ofer Nimtsovich, who influenced me at different stages of my career by
sharing their knowledge and vision, and helped me to survive in this industry
and develop myself professionally.
Finally, special credit goes to my wife, Svetlana, and my daughters, Alona,
Aliza, and Arina, for understanding the reasons for my absence from their
lives on countless weekends and evenings while I was working on this book.
Contents at a Glance

Introduction  xxiii

Part I  Anatomy of Payment Application Vulnerabilities  1
Chapter 1  Processing Payment Transactions  3
Chapter 2  Payment Application Architecture  25
Chapter 3  PCI  55

Part II  Attacks on Point of Sale Systems  91
Chapter 4  Turning 40 Digits into Gold  93
Chapter 5  Penetrating Security Free Zones  125
Chapter 6  Breaking into PCI-protected Areas  147

Part III  Defense  165
Chapter 7  Cryptography in Payment Applications  167
Chapter 8  Protecting Cardholder Data  195
Chapter 9  Securing Application Code  219

Conclusion  249
Appendix A  POS Vulnerability Rank Calculator  251
Appendix B  Glossary  257
Index  265
Contents

Introduction  xxiii

Part I  Anatomy of Payment Application Vulnerabilities  1

Chapter 1  Processing Payment Transactions  3
    Payment Cards  3
    Card Entry Methods  5
        MSR  5
        Pinpad  6
    Key Players  6
        Consumer (Cardholder)  7
        Merchant  7
        Acquirer  7
        Issuer  7
        Card Brands  8
    More Players  8
        Payment Processor  8
        Payment Gateway  9
    Even More Players  11
        Payment Software Vendors  11
        Hardware Manufacturers  11
    Payment Stages  12
        Authorization  12
        Settlement  13
    Payment Transactions  16
        Sale vs. PreAuth/Completion  16
        Void and Return  16
        Fallback Processing  17
        Timeout Reversals  18
        Special Transaction Types  18
    Key Areas of Payment Application Vulnerabilities  19
    Summary  22

Chapter 2  Payment Application Architecture  25
    Essential Payment Application Blocks  25
        Interfaces  25
        Processing Modules  28
        Data Storage  31
        Typical Payment Transaction Flow  32
    Communication Between Modules  34
        Physical Connections  34
        Communication Protocols  35
        Local Communication  36
        Message Protocols  36
        Internal Protocols  38
        Communication Summary  38
    Deployment of Payment Applications  39
        The Concept of EPS  39
        Payment Switch  40
        Comparing Deployment Models  41
        Store EPS Deployment Model  43
        POS EPS Deployment Model  44
        Hybrid POS/Store Deployment Model  46
        Gas Station Payment Systems  46
        Mobile Payments  48
    Summary  50

Chapter 3  PCI  55
    What is PCI?  56
    PCI Standards  57
        PA-DSS vs. PCI DSS  59
        PA-DSS  59
        PCI DSS  67
        Comparing PA-DSS and PCI DSS Requirements  77
        PTS  80
        P2PE  81
    PCI Guidelines  83
        Fallacy of Tokenization  83
        EMV Guidance  85
        Mobile Payments Guidelines for Developers  86
    Summary  86

Part II  Attacks on Point-of-Sale Systems  91

Chapter 4  Turning 40 Digits into Gold  93
    Magic Plastic  93
        Physical Structure and Security Features  94
        Why Security Features Fail  97
    Inside the Magnetic Stripe  98
        Track 1  98
        Track 2  100
        PAN  101
        Expiration Date  102
        ISO Prefix and BIN Ranges  103
        PAN Check Digit  105
        Service Code  106
        Card Verification Values  107
        Regular Expressions  110
    Getting the Dumps: Hackers  111
        Security Breach  112
        Largest Point-of-sale Breach  113
    Converting the Bits into Cash: Carders  114
    Monetization Strategies: Cashers  115
    Producing Counterfeit Cards  116
        Encoders  118
        Printers  120
    Summary  121

Chapter 5  Penetrating Security Free Zones  125
    Payment Application Memory  125
        RAM Scraping  126
        WinHex  126
        MemoryScraper Utility  127
        Windows Page File  134
    Sniffing  134
        Traffic on Local Networks  135
        Network Sniffers  135
        NetScraper Utility  136
        More Communication Vulnerability Points  139
    Exploiting Other Vulnerabilities  140
        Tampering With the Application  140
        Tampering With the Hardware  141
        Targeting New Technologies  142
        Attacks on Integrity and Availability  143
    Summary  144

Chapter 6  Breaking into PCI-protected Areas  147
    PCI Areas of Interest  147
    Data at Rest: The Mantra of PCI  148
        Temporary Storage  149
        Application Logs  150
        Hashed PAN  152
        Insecure Storage of Encryption Keys  153
        DiskScraper Utility  157
    Data in Transit: What is Covered by PCI?  160
        SSL Vulnerabilities  160
        Man-in-the-Middle  161
    Summary  162

Part III  Defense  165

Chapter 7  Cryptography in Payment Applications  167
    The Tip of the Iceberg  167
    Symmetric, Asymmetric, or One-way?  168
    Does Size Matter?  170
        Key Entropy  170
        Key Stretching  171
    Symmetric Encryption  172
        Strong Algorithms  173
        EncryptionDemo  173
        Implementing Symmetric Encryption  174
        Generating the Key  174
        Blocks, Padding, and Initialization Vectors  175
        Encryption and Decryption  175
    Asymmetric Encryption  176
        Implementing Public-key Encryption  177
        Generating the Keys  178
        Self-signed Certificate  178
        PFX Certificate File  179
        Encryption  180
        Decryption  180
    One-way Encryption  181
        Implementing One-way Encryption  181
        Salting Tokens  182
        Salting Passwords  184
        Validating Passwords  184
    Digital Signatures  186
        Attached vs. Detached Signatures  186
        Code and Configuration Signing  187
        Data File and Message Signing  187
    Cryptographic Hardware  188
    Cryptographic Standards  188
        NIST and FIPS  189
        ANSI  191
        PKCS  191
    Summary  191

Chapter 8  Protecting Cardholder Data  195
    Data in Memory  195
        Minimizing Data Exposure  196
        Encrypting Data End to End  196
    Data in Transit  197
        Implementing SSL  197
        Using Encrypted Tunnels  206
    Data at Rest  207
        Secure Key Management  207
        Multiple Key Components  207
        KEK and DEK  208
        Key Rotation  209
    Point-to-point Encryption  209
        What Point-to-point Really Means  209
        Levels of P2PE  209
        Hardware P2PE  210
        DUKPT Key Management  211
    EMV  214
    Mobile and Contactless Payments  215
    Summary  215

Chapter 9  Securing Application Code  219
    Code Signing  219
        Authenticode  220
        Code Signing Certificates  220
        Creating the Root CA Using OpenSSL  221
        Certificate Formats  222
        Creating a Production-grade Code Signing Certificate  223
        Timestamp  226
        Implementing Code Signing  227
    Signing Configuration and Data Files  229
        Attached or Detached?  229
        Data Signing Certificate  230
        Certificate Store  231
        Implementing Detached Signature  232
        Attached Signatures  235
        Signing XML Files  235
        Implementing Attached Signature  235
    Code Obfuscation  237
        Reverse Engineering  237
        Obfuscating the Code  240
    Secure Coding Guidelines  242
        OWASP Top 10  242
        CWE/SANS Top 25  243
        Language-specific Guidelines  245
    Summary  246

Conclusion  249

Appendix A  POS Vulnerability Rank Calculator  251
    Security Questionnaire and Vulnerability Rank  251
    The Scoring System  252
    Instructions  252
    POS Security Questionnaire  252
    Decoding the Results  255

Appendix B  Glossary of Terms and Abbreviations  257

Index  265
Introduction
False facts are highly injurious to the progress of science, for they often long endure; but false
views, if supported by some evidence, do little harm, as everyone takes a salutary pleasure in
proving their falseness; and when this is done, one path towards error is closed and the road
to truth is often at the same time opened.
—Charles Darwin
Nearly five million point-of-sale (POS) terminals process about 1,500 credit
and debit card transactions every second in the United States alone.1, 2, 3 Most
of these systems, regardless of their formal compliance with industry security
standards, potentially expose millions of credit card records—including those
being processed in memory, transmitted between internal servers, sent for
authorization or settlement, and accumulated on hard drives. This sensitive data
is often weakly protected or not protected at all. It is just a matter of time before
someone comes along and takes it away. Valuable cardholder information can
be stolen from many places in a merchant’s POS system, such as unprotected
memory, unencrypted network transmission, poorly encrypted disk storage,
card reader interface, or compromised pinpad device.
There are more than one billion active credit and debit card accounts in the
United States.4 It is not surprising that such cards have become an attractive
target for hackers. In 2011, payment card information was involved in 48% of
security breaches—more than any other data type.5 In 2012, POS terminals and
payment data were record breakers in three different categories: the variety of
compromised assets, the variety of compromised data, and the breach count
by data variety.6
Information about breaches and new types of malware aimed specifically at
payment systems is popping up in the mass media almost every day, and yet
we’re seeing only the tip of the iceberg since many incidents aren’t reported to
the public. In such a critical situation, it’s very important to assess the balance of
power between offensive and defensive sides in order to decide what to do next.
PCI standards provide a great security baseline, but they still don’t protect
electronic payments adequately. Once merchants and software vendors achieve