ffirs.indd

02:15:28:PM 01/08/2014

Page ii


Hacking Point of Sale

ffirs.indd

02:15:28:PM 01/08/2014

Page i


ffirs.indd

02:15:28:PM 01/08/2014

Page ii


Hacking Point of Sale
Payment Application Secrets,
Threats, and Solutions

Slava Gomzin

ffirs.indd

02:15:28:PM 01/08/2014

Page iii


Hacking Point of Sale: Payment Application Secrets, Threats, and Solutions
Published by
John Wiley & Sons, Inc.
10475 Crosspoint Boulevard
Indianapolis, IN 46256
www.wiley.com
Copyright © 2014 by John Wiley & Sons, Inc., Indianapolis, Indiana
Published simultaneously in Canada
ISBN: 978-1-118-81011-8
ISBN: 978-1-118-81010-1 (ebk)
ISBN: 978-1-118-81007-1 (ebk)
Manufactured in the United States of America
10 9 8 7 6 5 4 3 2 1
No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any
means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections
107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or
authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood
Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600. Requests to the Publisher for permission should be
addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011,
fax (201) 748-6008, or online at />Limit of Liability/Disclaimer of Warranty: The publisher and the author make no representations or warranties
with respect to the accuracy or completeness of the contents of this work and specifically disclaim all warranties,
including without limitation warranties of fitness for a particular purpose. No warranty may be created or extended
by sales or promotional materials. The advice and strategies contained herein may not be suitable for every situation.
This work is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other

professional services. If professional assistance is required, the services of a competent professional person should be
sought. Neither the publisher nor the author shall be liable for damages arising herefrom. The fact that an organization
or Web site is referred to in this work as a citation and/or a potential source of further information does not mean
that the author or the publisher endorses the information the organization or website may provide or recommendations it may make. Further, readers should be aware that Internet websites listed in this work may have changed or
disappeared between when this work was written and when it is read.
For general information on our other products and services please contact our Customer Care Department within the
United States at (877) 762-2974, outside the United States at (317) 572-3993 or fax (317) 572-4002.
Wiley publishes in a variety of print and electronic formats and by print-on-demand. Some material included with
standard print versions of this book may not be included in e-books or in print-on-demand. If this book refers to media
such as a CD or DVD that is not included in the version you purchased, you may download this material at http:
//booksupport.wiley.com. For more information about Wiley products, visit www.wiley.com.
Library of Congress Control Number: 2013954096
Trademarks: Wiley and the Wiley logo are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or
its affi liates, in the United States and other countries, and may not be used without written permission. All other
trademarks are the property of their respective owners. John Wiley & Sons, Inc. is not associated with any product
or vendor mentioned in this book.

ffirs.indd

02:15:28:PM 01/08/2014

Page iv


To all of us who pay and get paid with plastic.

ffirs.indd

02:15:28:PM 01/08/2014


Page v


ffirs.indd

02:15:28:PM 01/08/2014

Page vi


About the Author

Slava Gomzin is a Security and Payments Technologist at
Hewlett-Packard, where he helps create products that are
integrated into modern payment processing ecosystems
using the latest security and payments technologies. Prior
to joining Hewlett-Packard, Slava was a security architect,
corporate product security officer, R & D and application
security manager, and development team leader at Retalix,
a Division of NCR Retail. As PCI ISA, he focused on security and PA-DSS, PCI DSS, and PCI P2PE compliance of POS systems, payment applications, and gateways. Before moving into security, Slava worked in
R & D on design and implementation of new products including next-generation
POS systems and various interfaces to payment gateways and processors. He
currently holds CISSP, PCIP, ECSP, and Security+ certifications. Slava blogs about
payment and technology security at www.gomzin.com.

vii

ffirs.indd

02:15:28:PM 01/08/2014


Page vii


ffirs.indd

02:15:28:PM 01/08/2014

Page viii


About the Technical Editor

Rob Shimonski (www.shimonski.com) is an experienced entrepreneur and an
active participant in the business community. Rob is a best-selling author and
editor with over 15 years of experience developing, producing, and distributing print media in the form of books, magazines, and periodicals. To date, Rob
has successfully created over 100 books that are currently in circulation. Rob
has worked for countless companies including CompTIA, Wiley, Microsoft,
McGraw-Hill Education, Elsevier, Cisco, the National Security Agency, and
Digidesign. Rob has over 20 years of experience working in IT, networking, systems, and security. He is a veteran of the U.S. military and has been entrenched
in security topics for his entire professional career. Rob has an extremely diverse
background in security and networking and has successfully helped over a
dozen major companies get on track with PCI.

ix

ffirs.indd

02:15:28:PM 01/08/2014


Page ix


ffirs.indd

02:15:28:PM 01/08/2014

Page x


Credits

Executive Editor
Carol Long

Business Manager
Amy Knies

Senior Project Editor
Adaobi Obi Tulton

Vice President and Executive
Group Publisher
Richard Swadley

Technical Editor
Rob Shimonski
Production Editor
Daniel Scribner
Copy Editor

Christina Haviland
Editorial Manager
Mary Beth Wakefield
Freelancer Editorial Manager
Rosemarie Graham
Associate Director of Marketing
David Mayhew
Marketing Manager
Ashley Zurcher

Associate Publisher
Jim Minatel
Project Coordinator, Cover
Katie Crocker
Proofreader
Sarah Kaikini, Word One
Indexer
Robert Swanson
Cover Designer
Ryan Sneed/Wiley
Cover Image
© defun/iStockphoto.com

xi

ffirs.indd

02:15:28:PM 01/08/2014

Page xi



ffirs.indd

02:15:28:PM 01/08/2014

Page xii


Acknowledgments

First, I would like to thank Wiley for providing me with this unique authorship
opportunity. Thanks to my editor, Adaobi Obi Tulton, for her patience, attention, and support throughout the entire publishing process. Special thanks to
Carol Long who believed in this book and made it possible. Thanks also to my
first editor, Jeannette de Beauvoir, who helped me to polish and promote my
book proposal.
Writing a book like this wouldn’t be possible without gaining experience and
learning from other professionals over the years. I would like to thank my former
coworkers. Special thanks to Shmuel Witman, Doug McClellan, Sagi Zagagi,
and Ofer Nimtsovich, who influenced me at different stages of my career by
sharing their knowledge and vision, and helped me to survive in this industry
and develop myself professionally.
Finally, special credit goes to my wife, Svetlana, and my daughters, Alona,
Aliza, and Arina, for understanding the reasons for my absence from their
lives on countless weekends and evenings while I was working on this book.

xiii

ffirs.indd


02:15:28:PM 01/08/2014

Page xiii


ffirs.indd

02:15:28:PM 01/08/2014

Page xiv


Contents at a Glance

Introduction

xxiii

Part I

Anatomy of Payment Application Vulnerabilities

1

Chapter 1

Processing Payment Transactions

3


Chapter 2

Payment Application Architecture

25

Chapter 3

PCI

55

Part II

Attacks on Point of Sale Systems

91

Chapter 4

Turning 40 Digits into Gold

93

Chapter 5

Penetrating Security Free Zones

125


Chapter 6

Breaking into PCI-protected Areas

147

Part III

Defense

165

Chapter 7

Cryptography in Payment Applications

167

Chapter 8

Protecting Cardholder Data

195

Chapter 9

Securing Application Code

219


Conclusion

249

Appendix A POS Vulnerability Rank Calculator

251

Appendix B Glossary

257

Index

265

xv

ffirs.indd

02:15:28:PM 01/08/2014

Page xv


ffirs.indd

02:15:28:PM 01/08/2014

Page xvi



Contents

Introduction

xxiii

Part I

Anatomy of Payment Application Vulnerabilities

1

Chapter 1

Processing Payment Transactions
Payment Cards
Card Entry Methods

3
3
5

MSR
Pinpad

5
6


Key Players

6

Consumer (Cardholder)
Merchant
Acquirer
Issuer
Card Brands

7
7
7
7
8

More Players

8

Payment Processor
Payment Gateway

8
9

Even More Players

11


Payment Software Vendors
Hardware Manufacturers

11
11

Payment Stages

12

Authorization
Settlement

12
13

Payment Transactions

16

Sale vs. PreAuth/Completion
Void and Return
Fallback Processing

16
16
17

xvii


ftoc.indd 02:20:50:PM 01/09/2014

Page xvii


xviii

Contents
Timeout Reversals
Special Transaction Types

Chapter 2

Key Areas of Payment Application Vulnerabilities
Summary

19
22

Payment Application Architecture
Essential Payment Application Blocks

25
25

Interfaces
Processing Modules
Data Storage
Typical Payment Transaction Flow


25
28
31
32

Communication Between Modules
Physical Connections
Communication Protocols
Local Communication
Message Protocols
Internal Protocols
Communication Summary

Deployment of Payment Applications
The Concept of EPS
Payment Switch
Comparing Deployment Models
Store EPS Deployment Model
POS EPS Deployment Model
Hybrid POS/Store Deployment Model
Gas Station Payment Systems
Mobile Payments

Chapter 3

18
18

34
34

35
36
36
38
38

39
39
40
41
43
44
46
46
48

Summary

50

PCI
What is PCI?
PCI Standards

55
56
57

PA-DSS vs. PCI DSS
PA-DSS

PCI DSS
Comparing PA-DSS and PCI DSS Requirements
PTS
P2PE

PCI Guidelines
Fallacy of Tokenization
EMV Guidance
Mobile Payments Guidelines for Developers

Summary

ftoc.indd 02:20:50:PM 01/09/2014

59
59
67
77
80
81

83
83
85
86

86

Page xviii



Contents
Part II

Attacks on Point-of-Sale Systems

91

Chapter 4

Turning 40 Digits into Gold
Magic Plastic
Physical Structure and Security Features

93
93
94

Why Security Features Fail

97

Inside the Magnetic Stripe

98

Track 1
Track 2
PAN
Expiration Date

ISO Prefix and BIN Ranges
PAN Check Digit
Service Code
Card Verification Values

98
100
101
102
103
105
106
107

Regular Expressions
Getting the Dumps: Hackers

110
111

Security Breach
Largest Point-of-sale Breach

112
113

Converting the Bits into Cash: Carders
Monetization Strategies: Cashers
Producing Counterfeit Cards
Encoders

Printers

Chapter 5

114
115
116
118
120

Summary

121

Penetrating Security Free Zones
Payment Application Memory

125
125

RAM Scraping
WinHex
MemoryScraper Utility
Windows Page File

126
126
127
134


Sniffing

134

Traffic on Local Networks
Network Sniffers
NetScraper Utility
More Communication Vulnerability Points

Exploiting Other Vulnerabilities

135
135
136
139

140

Tampering With the Application
Tampering With the Hardware
Targeting New Technologies
Attacks on Integrity and Availability

Summary

140
141
142
143


144

ftoc.indd 02:20:50:PM 01/09/2014

Page xix

xix


xx

Contents
Chapter 6

Breaking into PCI-protected Areas
PCI Areas of Interest
Data at Rest: The Mantra of PCI

147
147
148

Temporary Storage
Application Logs
Hashed PAN
Insecure Storage of Encryption Keys
DiskScraper Utility

149
150

152
153
157

Data in Transit: What is Covered by PCI?

160

SSL Vulnerabilities
Man-in-the-Middle

160
161

Summary

162

Part III

Defense

165

Chapter 7

Cryptography in Payment Applications
The Tip of the Iceberg
Symmetric, Asymmetric, or One-way?
Does Size Matter?


167
167
168
170

Key Entropy
Key Stretching

Symmetric Encryption
Strong Algorithms
EncryptionDemo
Implementing Symmetric Encryption
Generating the Key
Blocks, Padding, and Initialization Vectors
Encryption and Decryption

Asymmetric Encryption
Implementing Public-key Encryption
Generating the Keys
Self-signed Certificate
PFX Certificate File
Encryption
Decryption

One-way Encryption
Implementing One-way Encryption
Salting Tokens
Salting Passwords
Validating Passwords


Digital Signatures
Attached vs. Detached Signatures
Code and Configuration Signing
Data File and Message Signing

ftoc.indd 02:20:50:PM 01/09/2014

Page xx

170
171

172
173
173
174
174
175
175

176
177
178
178
179
180
180

181

181
182
184
184

186
186
187
187


Contents
Cryptographic Hardware
Cryptographic Standards

188
188

NIST and FIPS
ANSI
PKCS

Chapter 8

189
191
191

Summary


191

Protecting Cardholder Data
Data in Memory

195
195

Minimizing Data Exposure
Encrypting Data End to End

196
196

Data in Transit

197

Implementing SSL
Using Encrypted Tunnels

197
206

Data at Rest

207

Secure Key Management
Multiple Key Components

KEK and DEK
Key Rotation

207
207
208
209

Point-to-point Encryption

209

What Point-to-point Really Means
Levels of P2PE
Hardware P2PE
DUKPT Key Management

Chapter 9

209
209
210
211

EMV
Mobile and Contactless Payments
Summary

214
215

215

Securing Application Code
Code Signing

219
219

Authenticode
Code Signing Certificates
Creating the Root CA Using OpenSSL
Certificate Formats
Creating a Production-grade Code Signing Certificate
Timestamp
Implementing Code Signing

220
220
221
222
223
226
227

Signing Configuration and Data Files

229

Attached or Detached?
Data Signing Certificate

Certificate Store
Implementing Detached Signature
Attached Signatures
Signing XML Files
Implementing Attached Signature

229
230
231
232
235
235
235

ftoc.indd 02:20:50:PM 01/09/2014

Page xxi

xxi


xxii

Contents
Code Obfuscation

237

Reverse Engineering
Obfuscating the Code


237
240

Secure Coding Guidelines

242

OWASP Top 10
CWE/SANS Top 25
Language-specific Guidelines

Summary

242
243
245

246

Conclusion

249

Appendix A POS Vulnerability Rank Calculator
Security Questionnaire and Vulnerability Rank
The Scoring System
Instructions
POS Security Questionnaire
Decoding the Results


251
251
252
252
252
255

Appendix B Glossary of Terms and Abbreviations

257

Index

265

ftoc.indd 02:20:50:PM 01/09/2014

Page xxii


Introduction
False facts are highly injurious to the progress of science, for they often long endure; but false
views, if supported by some evidence, do little harm, as everyone takes a salutary pleasure in
providing their falseness; and when this is done, one path towards error is closed and the road
to truth is often at the same time opened.
—Charles Darwin

Nearly five million point-of-sale (POS) terminals process about 1,500 credit
and debit card transactions every second in the United States alone.1, 2, 3 Most

of these systems, regardless of their formal compliance with industry security
standards, potentially expose millions of credit card records—including those
being processed in memory, transmitted between internal servers, sent for
authorization or settlement, and accumulated on hard drives. This sensitive data
is often weakly protected or not protected at all. It is just a matter of time before
someone comes along and takes it away. Valuable cardholder information can
be stolen from many places in a merchant’s POS system, such as unprotected
memory, unencrypted network transmission, poorly encrypted disk storage,
card reader interface, or compromised pinpad device.
There are more than one billion active credit and debit card accounts in the
United States.4 It is not surprising that such cards have become an attractive
target for hackers. In 2011, payment card information was involved in 48% of
security breaches—more than any other data type.5 In 2012, POS terminals and
payment data were record breakers in three different categories: The variety of
compromised assets, the variety of compromised data, and the breach count
by data variety.6
Information about breaches and new types of malware aimed specifically at
payment systems is popping up in the mass media almost every day, and yet
we’re seeing only the tip of the iceberg since many incidents aren’t reported to
the public. In such a critical situation, it’s very important to assess the balance of
power between offensive and defensive sides in order to decide what to do next.
PCI standards provide a great security baseline, but they still don’t protect
electronic payments adequately. Once merchants and software vendors achieve

xxiii

flast.indd

02:22:54:PM 01/08/2014


Page xxiii