Post on 27-Jan-2015
Recent Payment Card Industry Hacks: Techniques used & possible Defense
Muhammad Faisal Naqvi, CISSP, CISA, ISO27K LA & MI, ISO20K I, AMBCI, ACMA inter, MS E-Commerce (Gold)
Agenda
• MOM Analysis (Motives, Opportunities & Means)
• International Incidents
• Regional Incidents
• Statistics about Payment Card Industry Hacks
• Who are the Culprits?
• What are the Motives?
• What are the Means?
• Which Assets are under Attack?
• What could be Possible Defense?
International Incidents
Banking data stolen from Millions
• News Date: 04 April 2012
• Country: UK
• Means: Trojans e.g. Zeus & SpyEye to collect personal details
• Opportunity: Social Engineering
• Motive: Fun, curiosity, or pride ($3,800 in 20 Months)
• Source: www.theregister.co.uk
Attack on one-time-passwords on mobile
• News Date: 15 March 2012
• Country: USA
• Means:
  1. Used Gozi Trojan to steal IMEI # of Account Holder
  2. Report about lost/stolen device & new SIM request
  3. All one-time-passwords will come on new SIM
• Opportunity: partner's weak processes
• Source: www.computerworld.com
Millions of customers of famous Bank at risk from NFC attack
• News Date: 23 March 2012
• Country: UK
• Means: Contactless readers in mobile phones to extract card data even through wallets or bags
• Opportunity:
  • Excessive card details
  • Weak merchant process
• Motive: Online Shopping
• Source: www.channel4.com
Gang of 50 steals at least $7 million
• News Date: 11 May 2012
• Country: Canada
• Means: Installing Skimmers on stolen POS Machines in < 1 Hr.
• Opportunity:
  • Physical Security
  • Lack of Monitoring
• Motive: $7 million
• Source: www.wired.com
111 Arrested In Identity Theft Probe
• News Date: 10 October 2011
• Country: USA
• Means: bank tellers, retail workers, waiters
• Opportunity: Weak processes
• Motive: $13m in 16 Months
• Source: www.bbc.co.uk
Thermal Image showing sequence of keys pressed
Hackers Skim Customers' Credit Cards via Self-Checkout
• News Date: 7 December 2011
• Country: USA
• Means: Skimmers
• Opportunity: Physical Security
• Motive: Financial gain
• Source: news.cnet.com
Gang Used 3D Printers for Skimmers
• News Date: 20 September 2011
• Country: USA
• Means: 3D Printed Skimmers
• Opportunity: Physical Security
• Motive: $400,000
• Source: krebsonsecurity.com
Adult web site breached, 40,000 Cards' data exposed
• News Date: 12 March 2012
• Country: USA
• Means: Server Hack
• Opportunity: ?
• Motive: 40,000 CC numbers, expiry dates and security codes along with user IDs, email addresses and passwords
• Source: www.scmagazine.com
More than 10 million cards may have been compromised
• News Date: 30 March 2012
• Country: USA
• Means: Servers Hacked
• Opportunity: ?
• Motive: Track 2 data (card's primary account number, expiration date, service code, PIN and CVV number)
• Source: www.bbc.com
Gang stole $13 million in a day
• News Date: 26 August 2011
• Country: USA, Greece, Russia, Spain, Sweden, Ukraine, UK
• Means: Remote Access to prepaid cards database, e.g.
  update cards set bal = 10000 where ccno=12345678910
• Opportunity: Stolen credentials
• Motive: $13 million
• Source: www.msnbc.msn.com
Simple URL manipulation affected over 360,000 cards & $2.7M
• News Date: 27 June 2011
• Country: USA
• Means: script
• Opportunity: Insecure Direct Object References, e.g.
  https://www.onlinebank.com/user?acct=6065
• Motive: $2.7M
• Source: www.informationweek.com
Regional Incidents
Saudi (claimed) Hackers Expose 15,000 Israelis' Credit Cards
• News Date: 01 January 2012
• Country: Israel
• Means: Sports Web Site
• Opportunity: ?
• Motive: Hacktivism
• Source: www.israelnationalnews.com
• Hacker died just 2 days after getting a Govt. job (Source: www.emirates247.com)
Two hospital employees arrested on credit card fraud charges
• News Date: April 10, 2012
• Country: UAE
• Means: Online Shopping
• Opportunity: Visible Credit Card Information
• Motive: Dh9,300
• Source: gulfnews.com
Police arrest suspect for credit card forgery
• News Date: 26 April 2011
• Country: UAE
• Means: Expired cards, card copier, card data from web
• Opportunity:
• Motive: Financial
• Source: gulfnews.com
Statistics about Payment Card Industry Hacks
Source (all charts in this section): 2012 Data Breach Investigation Report
Culprits
External Culprits
Internal Culprits
Motives
Means
Assets
Hacks
• Social engineering
• Fake Online Transactions
• POS Skimming
• ATM Skimming
• Servers/Applications/DBs
Possible Defense
• Automated social pen testing
• Balance between Business & Security
• Disconnection logs
• Bar-coded tamper evident seals
• Anti skimming solutions
• Information Security, Pen testing & Audits
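Defensive example added here (not part of the original deck): one way to act on the "Disconnection logs" bullet, flagging any POS terminal that has been offline long enough for a skimmer to be fitted (the Canadian gang above needed under an hour) so the device can be held back for a tamper-seal check before it is reused. The log format, terminal ids and the 30-minute threshold are assumptions.

```python
from datetime import datetime

# Constructed sample of POS terminal connection events (not real data).
# Assumed line format: "<ISO-8601 timestamp> <terminal id> <CONNECT|DISCONNECT>"
SAMPLE_LOG = """\
2012-05-10T09:00:00 POS-17 CONNECT
2012-05-10T12:31:05 POS-17 DISCONNECT
2012-05-10T12:33:40 POS-17 CONNECT
2012-05-10T21:58:12 POS-42 DISCONNECT
2012-05-10T22:51:30 POS-42 CONNECT
2012-05-10T23:10:00 POS-09 DISCONNECT
"""

def parse_events(text):
    """Parse log lines into (timestamp, terminal, state) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, terminal, state = line.split()
            events.append((datetime.fromisoformat(ts), terminal, state))
    return sorted(events)

def offline_windows(events, now):
    """Pair each DISCONNECT with the terminal's next CONNECT; a terminal still
    offline at `now` gets a window that ends at `now`."""
    open_since, windows = {}, {}
    for ts, terminal, state in events:
        if state == "DISCONNECT":
            open_since.setdefault(terminal, ts)  # keep the earliest disconnect
        elif state == "CONNECT" and terminal in open_since:
            windows.setdefault(terminal, []).append((open_since.pop(terminal), ts))
    for terminal, start in open_since.items():
        windows.setdefault(terminal, []).append((start, now))
    return windows

def suspicious_gaps(text, now_iso, threshold_minutes=30):
    """Terminals offline for at least threshold_minutes (assumed limit; the
    Canadian gang fitted skimmers in under an hour). Returns a sorted list of
    (terminal, offline-since ISO timestamp, whole minutes offline); each such
    device should be held for a tamper-seal check before it is used again."""
    now = datetime.fromisoformat(now_iso)
    alerts = []
    for terminal, windows in offline_windows(parse_events(text), now).items():
        for start, end in windows:
            minutes = int((end - start).total_seconds() // 60)
            if minutes >= threshold_minutes:
                alerts.append((terminal, start.isoformat(), minutes))
    return sorted(alerts)
```

Running `suspicious_gaps(SAMPLE_LOG, "2012-05-11T00:00:00")` on the constructed log flags POS-42 (offline 53 minutes) and POS-09 (still offline after 50 minutes), while POS-17's brief 2-minute drop is ignored.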
Questions
faisal.naqvi@msn.com
http://ae.linkedin.com/in/mfaisalnaqvi
Thank You