Hackers of India

Anatomy of a credit card stealing POS malware

By Amol Sarwate on 06 Feb 2015 @ Nullcon


Presentation Material

Abstract

Credit card payment processing and point-of-sale (POS) systems are a black box for most people without knowledge of their internal workings. But recent data breaches involving thousands of credit cards have shown that determined attackers have not only mastered ways to steal old-fashioned magnetic stripe card data, but have also targeted EMV card data (chip-and-PIN, chip-and-signature, chip-and-choice). Attackers have also found ways to compromise the newest smartphone-based mobile point-of-sale systems. Magnetic stripe cards are mostly used in the USA, which is transitioning to smart cards. But Europe, India, Canada and other countries that have already transitioned to EMV smart cards are also under attack.

This session will explain the architecture of the different types of POS systems and how their components operate and integrate with each other. With this understanding I will explain how each type of system can be attacked and describe the various attack vectors. This knowledge will help the audience understand, defend against and implement security measures against future attacks. A live demo and a quick source-code walkthrough of a PoC RAM-scraping malware and its internal workings will be shown. Techniques for attack mitigation will be provided to save merchants, banks and consumers from disastrous financial losses. And finally, if time permits, we will also discuss the financial issue of liability shift.

AI Generated Summary (may contain errors)

Here is a summarized version of the content:

The speaker explains how smart cards, also known as chip-and-PIN cards, provide security. With a chip-only card (no magnetic stripe), when used with a PIN, the credit card number is never transmitted. Instead, a one-time token is generated, which authorizes or rejects the transaction. The encryption happens on the chip in the card reader, making it safer.
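A constructed Python model of the one-time token idea described above (an added example, not the speaker's code and not the EMV specification): the card MACs the amount, a terminal nonce and a transaction counter under a key shared only with the issuer, so a token captured from POS memory fails when replayed or altered, unlike static magnetic stripe track data. `ChipCard`, `Issuer` and `run_demo` are invented names for this illustration.

```python
import hmac
import hashlib
import os

# Constructed teaching model; field layout, key handling and MAC are simplified.


class ChipCard:
    """Holds an issuer-shared key and an application transaction counter (ATC)."""

    def __init__(self, card_id: str, key: bytes):
        self.card_id = card_id  # non-secret reference the issuer uses to find the key
        self._key = key         # never leaves the card
        self.atc = 0

    def cryptogram(self, amount_cents: int, terminal_nonce: bytes) -> dict:
        """Return a one-time token bound to amount, terminal nonce and counter."""
        self.atc += 1
        msg = f"{self.card_id}|{amount_cents}|{terminal_nonce.hex()}|{self.atc}".encode()
        tag = hmac.new(self._key, msg, hashlib.sha256).hexdigest()
        return {"card_id": self.card_id, "amount": amount_cents,
                "nonce": terminal_nonce.hex(), "atc": self.atc, "tag": tag}


class Issuer:
    """Verifies cryptograms and rejects anything replayed or altered."""

    def __init__(self):
        self._keys = {}
        self._last_atc = {}

    def enroll(self, card_id: str, key: bytes) -> None:
        self._keys[card_id] = key

    def authorize(self, c: dict) -> bool:
        key = self._keys.get(c["card_id"])
        if key is None:
            return False
        if c["atc"] <= self._last_atc.get(c["card_id"], 0):
            return False  # counter already seen: a scraped token being replayed
        msg = f"{c['card_id']}|{c['amount']}|{c['nonce']}|{c['atc']}".encode()
        expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, c["tag"]):
            return False  # amount or nonce altered, or wrong key
        self._last_atc[c["card_id"]] = c["atc"]
        return True


def run_demo() -> dict:
    """Genuine purchase is approved; a replayed or altered token is rejected."""
    key = os.urandom(16)                      # constructed per-card key
    card, issuer = ChipCard("card-0001", key), Issuer()
    issuer.enroll("card-0001", key)
    token = card.cryptogram(1999, os.urandom(4))
    first = issuer.authorize(token)           # real transaction
    replay = issuer.authorize(token)          # same token captured from RAM and resent
    fresh = card.cryptogram(500, os.urandom(4))
    inflated = issuer.authorize({**fresh, "amount": 99999})  # captured and altered
    return {"first": first, "replay": replay, "inflated": inflated}
```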

The speaker notes that chip and pin technology is widely used in Europe and India, where it’s mandatory. This makes transactions more secure since only a one-time token is transmitted, not the actual credit card details. However, in countries like the US, chip and pin is not yet widely adopted, which has led to data breaches.

The speaker also mentions that even chip and pin technology can be compromised, as demonstrated by research at the University of Cambridge. Nevertheless, it’s still much harder to break into than traditional magnetic stripe-based cards.

Finally, the speaker addresses a question about PCI certification for card readers. They explain that most card readers are certified by the PCI Council, which requires encryption of card data as soon as it enters the system. In cases where the application or terminal handles unencrypted data, it needs to be PCI certified.