Credit card payment processing and point-of-sale (POS) systems are like a black box for most people without knowledge of its internal working. But recent data breaches of thousands of credit cards have shown that determined attackers have not only mastered ways to steal old fashioned magnetic stripe cards, but targeted EMV card data (chip-and-PIN, chip-and-signature, chip-and-choice). Attackers have also found a way to compromise the newest smart phone based mobile point-of-sale systems. Magnetic cards are mostly used in USA which is transitioning to smart cards. But Europe, India, Canada and other countries that already have transitioned to EMV smart cards are also under attack.
This session will explain the architecture of different type of POS systems and how components operate and integrate with each other. With this understanding I will explain how each type of system can be attacked and describe various attack vectors. This knowledge will help understand, defend and implement security measures against future attacks. A live demo! and quick source code explanation of a PoC ram scraping malware and its internal working will be shown. Techniques for attack mitigation will be provided to save merchants, banks and consumers from disastrous financial losses. And finally, if time permits we will also discuss the financial issue of liability shift.