Credit card payment processing and point-of-sale (POS) systems are like a black box for most people without knowledge of its internal working. Recent data breaches of thousands of credit cards have shown that determined attackers have mastered ways to steal old fashioned magnetic stripe cards and are now targeting EMV card data (chip-and-PIN, chip-and-signature, chip-and-choice). Attackers have also found a way to compromise the newest smart phone based mobile point-of-sale systems. Magnetic cards are mostly used in the US, which is transitioning to smart cards, but Europe, Japan, Canada and other countries that already have transitioned to EMV smart cards are also under attack.
This session will explain the architecture of different type of POS systems and how components operate and integrate with each other. With this understanding I will explain how each type of system can be attacked and describe various attack vectors. This knowledge will help one to understand, defend and implement security measures against future attacks. A live demo and quick source code explanation of a PoC ram scraping malware and its internal working will be shown. Techniques for attack mitigation will be provided to save merchants, banks and consumers from disastrous financial losses. And finally, if time permits, we will also discuss the financial issue of liability shift.
October 21, 2014 | Tech 2 (801a) | 11:30 – 12:00