Recent PCI Hacks

Post on 27-Jan-2015


Recent Payment Card Industry Hacks


Recent Payment Card Industry Hacks: Techniques Used & Possible Defense

Muhammad Faisal Naqvi

CISSP, CISA, ISO27K LA & MI, ISO20K I, AMBCI

ACMA inter, MS E-Commerce (Gold)

Agenda

• MOM Analysis (Motives, Opportunities & Means)
• International Incidents
• Regional Incidents
• Statistics about Payment Card Industry Hacks
• Who are the Culprits?
• What are the Motives?
• What are the Means?
• Which Assets are under Attack?
• What could be the Possible Defense?

International Incidents

Banking data stolen from Millions

• News Date: 04 April 2012
• Country: UK
• Means: Trojans, e.g. Zeus & SpyEye, to collect personal details
• Opportunity: Social Engineering
• Motive: Fun, curiosity, or pride ($3,800 in 20 months)
• Source: www.theregister.co.uk

Attack on one-time-passwords on mobile

• News Date: 15 March 2012
• Country: USA
• Means:
  1. Used Gozi Trojan to steal the IMEI # of the account holder
  2. Reported the device as lost/stolen & requested a new SIM
  3. All one-time passwords then arrive on the new SIM
• Opportunity: Partner's weak processes
• Source: www.computerworld.com

Millions of customers of a famous Bank at risk of NFC attack

• News Date: 23 March 2012
• Country: UK
• Means: Contactless readers in mobile phones to extract card data, even through wallets or bags
• Opportunity:
  • Excessive card details
  • Weak merchant process
• Motive: Online Shopping
• Source: www.channel4.com

Gang of 50 steals at least $7 million

• News Date: 11 May 2012
• Country: Canada
• Means: Installing skimmers on stolen POS machines in < 1 hr
• Opportunity:
  • Physical Security
  • Lack of Monitoring
• Motive: $7 million
• Source: www.wired.com

111 Arrested In Identity Theft Probe

• News Date: 10 October 2011
• Country: USA
• Means: Bank tellers, retail workers, waiters
• Opportunity: Weak processes
• Motive: $13m in 16 months
• Source: www.bbc.co.uk

Thermal Image showing sequence of keys pressed

Hackers Skim Customers’ Credit Cards via Self-Checkout

• News Date: 7 December 2011
• Country: USA
• Means: Skimmers
• Opportunity: Physical Security
• Motive: Financial gain
• Source: news.cnet.com

Gang Used 3D Printers for Skimmers

• News Date: 20 September 2011
• Country: USA
• Means: 3D-printed skimmers
• Opportunity: Physical Security
• Motive: $400,000
• Source: krebsonsecurity.com

Adult web site breached: 40,000 cards' data exposed

• News Date: 12 March 2012
• Country: USA
• Means: Server hack
• Opportunity: ?
• Motive: 40,000 CC numbers, expiry dates and security codes, along with user IDs, email addresses and passwords
• Source: www.scmagazine.com

More than 10 million cards may have been compromised

• News Date: 30 March 2012
• Country: USA
• Means: Servers hacked
• Opportunity: ?
• Motive: Track 2 data (card's primary account number, expiration date, service code, PIN and CVV number)
• Source: www.bbc.com

Gang stole $13 million in a day

• News Date: 26 August 2011
• Country: USA, Greece, Russia, Spain, Sweden, Ukraine, UK
• Means: Remote access to the prepaid cards database

  update cards set bal = 10000 where ccno=12345678910

• Opportunity: Stolen credentials
• Motive: $13 million
• Source: www.msnbc.msn.com
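The balance-rewrite statement on this slide is exactly the kind of write a database audit trail can catch if anyone looks at it. The following detector is an added example, not material from the presentation: it scans constructed audit-log lines and flags balance writes on the cards table that did not come from the application's own service account, came from an unexpected client host, or set an absolute balance above a limit. The log line layout, the account name app_svc, the host list and the 500 limit are all assumptions made for the example.

```python
# Added example, not from the presentation: a detector run over constructed
# database audit-log lines to surface balance changes on the prepaid-card table
# that bypass the application. The log format, the service account name, the
# allowed client hosts and the credit limit are all assumptions for the example.

import re

# constructed audit lines: "<timestamp> user=<db account> host=<client ip> stmt=<sql>"
AUDIT_LINES = [
    "2011-08-26T02:10:01 user=app_svc host=10.0.5.20 stmt=update cards set bal = bal - 40 where ccno=12345678910",
    "2011-08-26T02:11:45 user=dba_ops host=10.0.9.14 stmt=select count(*) from cards",
    "2011-08-26T03:02:17 user=dba_ops host=203.0.113.7 stmt=update cards set bal = 10000 where ccno=12345678910",
    "2011-08-26T03:02:18 user=app_svc host=198.51.100.9 stmt=update cards set bal = 10000 where ccno=12345678911",
]

APP_ACCOUNT = "app_svc"                  # the only account that should write balances
APP_HOSTS = {"10.0.5.20", "10.0.5.21"}   # application servers (assumed)
MAX_SINGLE_CREDIT = 500.0                # assumed top-up ceiling for one statement

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) host=(?P<host>\S+) stmt=(?P<stmt>.*)$")
BAL_RE = re.compile(r"update\s+cards\s+set\s+bal\s*=\s*(?P<expr>.+?)\s+where\b", re.I)


def parse_line(line: str):
    """Split one audit line into its fields, or return None if it is malformed."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def absolute_value(expr: str):
    """Return the number if the statement sets bal to a literal (an absolute
    overwrite), or None when it is a relative adjustment such as 'bal - 40'."""
    try:
        return float(expr)
    except ValueError:
        return None


def detect(lines):
    """Return one finding per balance-writing statement that breaks policy,
    each carrying every reason it was flagged."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        m = BAL_RE.search(rec["stmt"])
        if m is None:
            continue  # not a balance write; reads and other tables are out of scope here
        reasons = []
        if rec["user"] != APP_ACCOUNT:
            reasons.append("balance written by non-application account")
        if rec["host"] not in APP_HOSTS:
            reasons.append("client host is not an application server")
        value = absolute_value(m.group("expr"))
        if value is not None and value > MAX_SINGLE_CREDIT:
            reasons.append("absolute balance set above limit")
        if reasons:
            findings.append({"ts": rec["ts"], "user": rec["user"],
                             "host": rec["host"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in detect(AUDIT_LINES):
        print(f["ts"], f["user"], f["host"], "; ".join(f["reasons"]))
```

The three checks are deliberately independent: the stolen-credential case on the slide would trip the account and host checks even when the value looked plausible, and an attacker who did obtain the application's own credentials would still trip the host check and the absolute-set check.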

Simple URL manipulation affected over 360,000 cards & $2.7M

• News Date: 27 June 2011
• Country: USA
• Means: Script
• Opportunity: Insecure Direct Object References

  https://www.onlinebank.com/user?acct=6065

• Motive: $2.7M
• Source: www.informationweek.com
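The URL on this slide is the classic insecure direct object reference: the acct parameter is trusted as-is. The code below is an added example, not code from the presentation or from the bank involved. It shows the vulnerable handler beside a hardened one that resolves the user from the server-side session and requires ownership of the record, plus two defender's checks: one that measures how many records a single session can walk, and one that flags sessions in the web log that touch more distinct account numbers than any one customer owns. The account table, session tokens and the threshold of 3 are constructed for the example.

```python
# Added example, not from the presentation: the IDOR pattern behind a URL like
# /user?acct=6065, shown as a vulnerable handler next to a hardened one.
# The account table, session tokens and threshold below are constructed sample data.

ACCOUNTS = {
    6065: {"owner": "alice", "balance": 1200.00},
    6066: {"owner": "bob", "balance": 80.50},
    6067: {"owner": "carol", "balance": 15.25},
}

SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}


class Forbidden(Exception):
    """Raised when the caller may not see the requested record."""


def view_account_vulnerable(session_token: str, acct: int) -> dict:
    """Trusts the acct parameter from the URL and never consults the session:
    whoever changes the number reads somebody else's account."""
    return ACCOUNTS[acct]


def view_account_hardened(session_token: str, acct: int) -> dict:
    """Object-level authorization: resolve the user from the session on the
    server side, then require that the record belongs to that user."""
    user = SESSIONS.get(session_token)
    if user is None:
        raise Forbidden("not authenticated")
    record = ACCOUNTS.get(acct)
    # Same response for "no such account" and "not your account", so the
    # parameter cannot be used to discover which account numbers exist.
    if record is None or record["owner"] != user:
        raise Forbidden("access denied")
    return record


def accessible_accounts(handler, session_token: str, acct_ids) -> list:
    """Defender's check: which records can one session pull by walking a
    range of acct values? Run against both handlers to compare exposure."""
    seen = []
    for acct in acct_ids:
        try:
            handler(session_token, acct)
            seen.append(acct)
        except (Forbidden, KeyError):
            continue
    return seen


def suspicious_sessions(access_log, threshold: int = 3) -> dict:
    """Detection on the web tier: sessions that request more distinct acct
    values than any one customer legitimately owns. access_log is an iterable
    of (session_token, acct) pairs, e.g. parsed from the web server log."""
    distinct = {}
    for token, acct in access_log:
        distinct.setdefault(token, set()).add(acct)
    return {tok: len(ids) for tok, ids in distinct.items() if len(ids) >= threshold}


if __name__ == "__main__":
    probe = range(6060, 6070)
    print("vulnerable:", accessible_accounts(view_account_vulnerable, "tok-bob", probe))
    print("hardened:  ", accessible_accounts(view_account_hardened, "tok-bob", probe))
```

The enumeration check is the same walk that turned one URL into 360,000 cards on the slide, used here only to measure one's own exposure before and after the fix; the log-side detector is the compensating control for the window before the fix ships.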

Regional Incidents

Saudi (claimed) Hackers Expose 15,000 Israelis' Credit Cards

• News Date: 01 January 2012
• Country: Israel
• Means: Sports web site
• Opportunity: ?
• Motive: Hacktivism
• Source: www.israelnationalnews.com
• Hacker died just 2 days after getting a Govt. job (www.emirates247.com)

Two hospital employees arrested on credit card fraud charges

• News Date: 10 April 2012
• Country: UAE
• Means: Online shopping
• Opportunity: Visible credit card information
• Motive: Dh9,300
• Source: gulfnews.com

Police arrest suspect for credit card forgery

• News Date: 26 April 2011
• Country: UAE
• Means: Expired cards, card copier, card data from the web
• Opportunity:
• Motive: Financial
• Source: gulfnews.com

Statistics about Payment Card Industry Hacks

Source: 2012 Data Breach Investigation Report

Culprits (chart)

External Culprits (chart)

Internal Culprits (chart)

Motives (chart)

Means (chart)

Assets (chart)

Hacks

• Social engineering

• Fake Online Transactions

• POS Skimming

• ATM Skimming

• Servers/Applications/DBs

Possible Defense

• Automated social pen testing

• Balance between Business & Security

• Disconnection logs

• Bar-coded tamper-evident seals

• Anti skimming solutions

• Information Security, Pen testing & Audits
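Two of the defenses listed above, disconnection logs and bar-coded tamper-evident seals, only work when they are tied together: a terminal that dropped off the network for long enough to fit a skimmer (the Canadian case on an earlier slide needed under an hour) has to have its seal scanned and matched before it is used again. The following is an added example, not from the presentation: it pairs constructed POS connectivity events into offline intervals, ignores sub-minute network blips, produces the seal-check worklist, and compares scanned seals against a register. Event layout, terminal ids, seal numbers and the 60-second blip threshold are assumptions for the example.

```python
# Added example, not from the presentation: turning POS terminal connectivity
# events into a worklist of terminals whose tamper-evident seals must be
# checked before they go back into service. Event layout, terminal ids, seal
# numbers and the blip threshold are assumptions for the example.

from datetime import datetime, timedelta

# constructed connectivity events: (ISO timestamp, terminal id, event)
EVENTS = [
    ("2012-05-10T12:00:10", "POS-01", "offline"),
    ("2012-05-10T12:00:40", "POS-01", "online"),
    ("2012-05-10T21:58:00", "POS-03", "offline"),
    ("2012-05-10T22:31:00", "POS-03", "online"),
    ("2012-05-10T23:05:00", "POS-07", "offline"),
    ("2012-05-11T08:00:00", "POS-07", "online"),
]

# constructed seal register: terminal id -> bar-coded seal number applied at install
SEAL_REGISTER = {"POS-01": "SEAL-000117", "POS-03": "SEAL-000118", "POS-07": "SEAL-000119"}

BLIP = timedelta(seconds=60)  # shorter gaps are treated as ordinary network blips


def offline_intervals(events):
    """Pair each terminal's offline event with its next online event.
    Terminals still offline at the end of the log get an end time of None."""
    open_since = {}
    intervals = []
    for ts, term, kind in sorted(events, key=lambda e: e[0]):
        when = datetime.fromisoformat(ts)
        if kind == "offline":
            open_since[term] = when
        elif kind == "online" and term in open_since:
            intervals.append((term, open_since.pop(term), when))
    for term, start in open_since.items():
        intervals.append((term, start, None))
    return intervals


def tamper_check_worklist(events, blip=BLIP):
    """Any disconnection longer than a blip is long enough to fit a skimmer,
    so the terminal's seal must be scanned and matched before reuse."""
    worklist = []
    for term, start, end in offline_intervals(events):
        if end is not None and end - start < blip:
            continue
        minutes = None if end is None else (end - start).total_seconds() / 60
        worklist.append({"terminal": term, "offline_from": start.isoformat(), "minutes": minutes})
    return sorted(worklist, key=lambda w: w["offline_from"])


def seal_mismatches(scanned, register=SEAL_REGISTER):
    """Compare seals scanned during the check against the register. A mismatch
    or a missing seal (None) keeps the terminal out of service.
    scanned: terminal id -> seal number read, or None if no seal was found."""
    return [t for t, seal in scanned.items() if register.get(t) != seal]


if __name__ == "__main__":
    for item in tamper_check_worklist(EVENTS):
        print(item)
```

The blip threshold is the business/security balance from the same list: too low and every flaky cable generates a seal check, too high and a quick swap slips through, so it should be set from the real distribution of outage lengths at the merchant.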

Questions

faisal.naqvi@msn.com

http://ae.linkedin.com/in/mfaisalnaqvi

Thank You