[SecurityRatty] tag: pos

Knock, Knock, Knockin' on Carder's Door

Thu, 02 Oct 2008 06:59:00 +0000

This video of Cha0's bust earlier this month in Turkey, is a perfect example of what happens when someone starts over-performing in the field of carding.

Try counting the desktops, and notice the "full package" a carder can dream of - the box full of ATM skimmers, the holograms, the plastic cards machine, the suitcase with the POS (point of sale) terminals, the house and swimming pool, and, of course, the hard cash.

PCI V1.2, a good start but still not enough

Wed, 03 Sep 2008 12:56:31 +0000

Blogger: Randall Gamby

Two weeks ago the PCI Security Standards Council released the preliminary details of the PCI Data Security Standard (DSS) V1.2 that’s due out in October. While many Analysts and Reporters have already written on the topic (I’ll be releasing an extensive update on Burton Group’s PCI coverage around the October release date), they really haven’t commented on what’s still not been addressed by the standard for enterprises still working on attaining compliance.

While I applaud the PCI Security Standards Council in further clarifying and adjusting the standard, a lot of work still needs to be done. I receive about one or two PCI questions a week from our clients and they seem to revolve around a couple of topics I’ve yet to see addressed:

Guidelines for selecting a Qualified Security Assessor (QSA) – while there are a large number of QSA organizations listed on the PCI Security Standards Council web site; they can’t really recommend a particular QSA for an individual organization. This leads a lot of organizations to struggle with determining what criteria they should use in selecting a QSA for their certification.
The role of the QSA – organizations are also still trying to understand the role of a QSA. Should they get a QSA involved in the gap and remediation process in advance of certification? If so, should it be the same QSA that will do their certification (knowing there’s a risk that the QSA will be pre-disposed to only care about certain vulnerabilities)?
Industry-specific best practices – while each organization may have different infrastructures, in general, most industries try to be consistent with the major functions they perform. So are credit card transactions handled differently between say, a major retailer with 10,000 POS systems and an insurance company that has hundreds of independent agents receiving remittances? Probably, so what are best practices around these industry-specific configurations?
Virtualized environments – while the PCI Security Standards Council recognizes that some organizations have moved to virtual services for consolidation and management, the DSS really doesn’t provide guidelines for QSAs to evaluate and certify these environments.
Monitoring and audit – while the PCI DSS recommends minimum timeframes for scanning, doing pen tests, etc. what are the real levels of monitoring and audit needed for ensuring security? With the Hannaford and Okemo breaches that occurred (both where PCI compliant), neither discovered the problem until months after the breaches had happened. So identifying what should be scanned and tested and if some of this should be on a continuous basis still requires refinement.
PCI as part of an overall security model – what are the best practices around merging PCI security requirements into an enterprise’s overall security model? Should it be maintained separately? Should some components be integrated with similar security mechanisms? Should PCI be at the top of the security model and other configurations be based upon its requirements? There are really no answers coming forth on this topic and the other question is where will they come from? Surely enterprises won’t expect the PCI Security Standards Council to tell them how to run their security services.

I will be providing Burton Group’s perspective on most of these questions in my upcoming report, but rather than relying on third parties to resolve these, I’d hope that the PCI Security Standards Council will be able to continue to provide answers to the questions they can in future updates, and releases, of the PCI DSS.

PCI V1.2, a good start but still not enough

Wed, 03 Sep 2008 12:56:31 +0000

Blogger: Randall Gamby

Two weeks ago the PCI Security Standards Council released the preliminary details of the PCI Data Security Standard (DSS) V1.2 that???s due out in October. While many Analysts and Reporters have already written on the topic (I???ll be releasing an extensive update on Burton Group???s PCI coverage around the October release date), they really haven???t commented on what???s still not been addressed by the standard for enterprises still working on attaining compliance.

Guidelines for selecting a Qualified Security Assessor (QSA) ??? while there are a large number of QSA organizations listed on the PCI Security Standards Council web site; they can???t really recommend a particular QSA for an individual organization. This leads a lot of organizations to struggle with determining what criteria they should use in selecting a QSA for their certification.
The role of the QSA ??? organizations are also still trying to understand the role of a QSA. Should they get a QSA involved in the gap and remediation process in advance of certification? If so, should it be the same QSA that will do their certification (knowing there???s a risk that the QSA will be pre-disposed to only care about certain vulnerabilities)?
Industry-specific best practices ??? while each organization may have different infrastructures, in general, most industries try to be consistent with the major functions they perform. So are credit card transactions handled differently between say, a major retailer with 10,000 POS systems and an insurance company that has hundreds of independent agents receiving remittances? Probably, so what are best practices around these industry-specific configurations?
Virtualized environments ??? while the PCI Security Standards Council recognizes that some organizations have moved to virtual services for consolidation and management, the DSS really doesn???t provide guidelines for QSAs to evaluate and certify these environments.
Monitoring and audit ??? while the PCI DSS recommends minimum timeframes for scanning, doing pen tests, etc. what are the real levels of monitoring and audit needed for ensuring security? With the Hannaford and Okemo breaches that occurred (both where PCI compliant), neither discovered the problem until months after the breaches had happened. So identifying what should be scanned and tested and if some of this should be on a continuous basis still requires refinement.
PCI as part of an overall security model ??? what are the best practices around merging PCI security requirements into an enterprise???s overall security model? Should it be maintained separately? Should some components be integrated with similar security mechanisms? Should PCI be at the top of the security model and other configurations be based upon its requirements? There are really no answers coming forth on this topic and the other question is where will they come from? Surely enterprises won???t expect the PCI Security Standards Council to tell them how to run their security services.

I will be providing Burton Group???s perspective on most of these questions in my upcoming report, but rather than relying on third parties to resolve these, I???d hope that the PCI Security Standards Council will be able to continue to provide answers to the questions they can in future updates, and releases, of the PCI DSS.

Technology Tales from Thailand: KBank Fraud Management

Wed, 20 Aug 2008 03:16:51 +0000

In The Magical ATM Card and SMS Message in Thailand we talked about booking flights and securely paying using a SMS PayCode and ATM transfer, avoiding the possibility of on-line credit card fraud; and in Keyloggers: Why Banks Need Two-Factor Authentication I described how KBank uses SMS-based one-time-passwords (OTP) to authenticate transactions.

In addition to the above services, KBank offers a service that permits users to receive an SMS message that details any change in account balance and/or point-of-sale (POS) transaction with your debit card. I really like this service and the feeling of security knowing when, where and by how much my balance changes or my debit card is used in a transaction. The KBank POS SMS notification is so fast that when I present my card to a merchant I normally receive an SMS message detailing the transaction before the merchant returns for my signature. (There is an unfortunate lag in the balance change notification that can run minutes to hours behind real-time, but the POS VISA debit card notification is real-time).

As the story goes, I should have been using my KBank card and account a few weeks ago and not my US-based VISA debit dard. Why?

My US-based VISA debit card was cloned sometime on or before August 8th. I am really careful with this card, so I was surprised the magnetic strip was cloned at a POS merchant. The fraudster made 7 fraudulent transactions beginning on August 8th for a total of around $2500 USD, mostly on August 11th, before I discovered the fraudulent transactions viewing my account on-line.

This would not have happened with KBank SMS-based transaction notification services.

The first transaction with my cloned VISA debit card was less than $50 USD (I assume the fraudster was “testing the water”). If I was using my KBank card, I would have received an immediate SMS message detailing a POS transaction in Bangkok when I was physically far away from Bangkok in Chiang Mai. I could have immediately called the bank (or logged in) and blocked the debit card, limiting potential losses to the bank or the merchant to one fraudulent transaction, not seven.

In addition, KBank offers what they call a Web-Shopping VISA card, where you can go into your on-line account (verified by SMS OTP as mentioned) and request a VISA debit card number (with expiration date, CCV etc). You set the limit from 0 to 500,000 THB (Thai Baht) per day; and you can login to your account and change this anytime (authenticating your transaction with another SMS-based OTP). You can also block or cancel this number anytime and apply for another one.

I am amazed that in Thailand I receive much better anti-fraud prevention and detection services than with banks in the US. I know of no bank or brokerage in the US that offers the same quality of service and security as KBank in Thailand.

PC Universe is shrinking thanks to McAfee Secure's cluelessness

Fri, 27 Jun 2008 06:11:00 +0000

My web app sec friends know exactly how to push my red buttons. "Heh-heh, send it to Russ, he'll go off." Yep. ;-) Thanks, Rafal. Now I'm all spun up. I was sent two moronic gems this morning; one on the merits of McAfee Secure / Hacker Safe and the 109% sales increase it resulted in for PC Universe, the other an interview with the Internet's single biggest dillweed, Cresta Pillsbury. These articles are both a bit dated, but they equally embrace the premise of "trust" logos as a predominant sales driver, rather than any actual motivation to secure a site and protect consumers.
An example:
"If you’re doing conversion marketing and statistical testing on your website and you haven’t explored trust logos yet, then you’re missing out."
I must be the most naive person in the world; this enrages me. When will the idiots who write this crap get a clue? They've bought right into the hype the snake oil salesmen hoped they would and are now complicit in their failures.
Case in point, as seen in the Internet Retailer piece. By the way, I realize that Internet Retailer and basic web application security practices are completely at odds, but this one deserves direct abuse.
"PC Universe first tested Hacker Safe on its own site in an A/B split test in which half the visitors saw the Hacker Safe seal and half did not. During that test, 7.3% more orders came from Hacker Safe shoppers than from the control group. PC Universe, which operates on the web at PCUniverse.com, is No. 360 in the Internet Retailer Top 500 Guide."
Really? Let's see what McAfee Secure / Hacker Safe has done to actually provide any measurable security benefit.
How about absolutely nothing.
Here's PC Universe's very current, verified McAfee Hacker Safe cert.
Now, here are a few ridiculous examples of reality from the this universe as opposed to the McAfee-twisted alternate universe. Please note, this is the "accountid" variable, and the fact that the marquee is rendered no less than eight times.
1) Marquee
2) XSS Deface
3) Cookie
If you rather just see a video of these vulns, it's here.
PC Universe, rather than lauding your sales increases thanks to some POS logo, try securing your site code. I guarantee you have other issues.
McAfee Secure, once more, you are simply fraudulent to the core.

del.icio.us | digg

Data security and the "chasm of protection"

Tue, 17 Jun 2008 09:25:00 +0000

I was thinking a bit more about the notion of data-centric or information-centric security and why this is absolutely the future of data protection...

Say you are a retailer. You have data in your POS devices, encrypted with the POS application as cards are read in. As this data is required by another application, it has to be first decrypted so this in-store application can read it. It may then encrypt it again as it stores on in-store servers. Now assume you have another application in the data centers that is used for card settlement. Another decrypt-encrypt cycle from the store to the data-center!

This scenario is not limited to a retail environment. Consider a similar cycle repeating itself in most companies as data is moved from location to location, analyzed and processed by multiple applications and on multiple devices and multiple internal and external networks - each time being decrypted, stored or transfered in the clear till it gets encrypted again. Each time this cycle repeats, there is a weakness that can be exploited - since there is a gap in the consistent protection of data.

Being data-centric however, brings in persistence and consistency in the protection of that data element, thereby removing this "chasm".

The Other Certificate Lifecycle Management Companies

Sat, 31 May 2008 12:53:11 +0000

In my recent column on certificate lifecycle management I named three companies in the business (RSA, Microsoft and Venafi) and prodded other vendors to come forward and identify themselves. Only one has done so, confirming my suspicion that this is a small market. That vendor is Trustwave with their Certificate Lifecycle Manager. a fairly new product. It has discovery, analysis and management functions. Trustwave says it "...automates the entire SSL process and monitors deployed SSL certificates. Since its inception, we have more than 2,500 POS devices monitored by CLM."

New attack trend pushes POS encryption to the fore

Wed, 21 May 2008 20:00:00 +0000

The relatively scant attention that retailers have paid to securing their point-of-sale systems over the past few years is making the POS setups increasingly attractive targets for cybercrooks who are looking to steal payment card data.

New attack trend pushes POS encryption to the fore

Tue, 20 May 2008 03:23:13 +0000

The recent rash of data thefts from retail point-of-sale systems is prompting security vendors and payment processing firms to offer tools for encrypting POS information.

Security of "Rogue" or "Shadow" IT?

Thu, 03 Apr 2008 08:27:00 +0000

Here is a fun question: who is in charge of security of the IT products and services sold direct to users (bypassing the IT)?

Now, your first reaction is likely "Nobody, just ban it!" or "Let its users strangle themselves," but I think the reality is more compliance. This post raises some of the alarms with "shadow IT:"

"Both tools [iPhone and Google Apps] were marketed directly to the appeal of the end-user and made every effort to create a tool (or set of tools) which could be brought into the business environment by an end-user with as little effort as possible."

"Corporate IT is left fighting the new battle - unknown/untested/unvalidated technologies being marketed at their user base and making its way into the corporate environment. What can IT do? Nothing, as far as I can tell."

"Let's be honest with outselves. Corporate IT has a big problem. This problem will likely get bigger, and more menacing as more things are marketed to "get around IT bottlenecks". It all goes back to the image IT has of stiffling business and imposing harsh guidelines which don't enable businesses properly."

Just smth to think about...