Book Review: Hacking Point of Sale
benrothke (2577567) writes "The only negative thing to say about Hacking Point of Sale: Payment Application Secrets, Threats, and Solutions is its title. A cursory look at it may lead the reader to think that this is a book for a script kiddie, when it is in fact a necessary read for anyone involved with payment systems. The book provides a wealth of information that is completely pragmatic and actionable. The problem is, as the book notes in many places, that one is constantly patching a system that is inherently flawed and broken." Keep reading for the rest of Ben's review.
Hacking Point of Sale: Payment Application Secrets, Threats, and Solutions
author: Slava Gomzin
pages: 312
publisher: Wiley
rating: 10/10
reviewer: Ben Rothke
ISBN: 978-1118810118
summary: Superb book on POS, PCI and payment security
Often after a major information security breach, a public official (always in front of cameras and with many serious-looking people standing in the wings) will go on TV and say something akin to "we have to make sure this never happens again".
Last year, Target was the major victim. This month, it's eBay. But after hundreds of millions of records breached, it's not that anyone is saying it won't happen again. Rather, it's inevitable it will happen many more times.
There are a number of good books on PCI, but this is the first one that looks at the entire spectrum of credit card processing. Author Slava Gomzin is a security and payments technologist at HP and, as is evident in the book, he lives and breathes payment technology; his expert knowledge is manifest in every chapter. His technical expertise is certain to make the reader much better informed and able to understand the myriad issues involved.
The book provides an excellent overview of the workings of payment systems, and Gomzin is not shy about showing how insecure many payment systems are. Its 9 chapters provide a good combination of deep technical and general detail.
The reader comes out with a very good overview of how payment systems work and what the various parts of it are. For many people, this may be the first time they are made aware of entities such as processors, acquirers and gateways.
An interesting point the book raises is that it has been observed there are fewer breaches in Europe since they use EMV (also known as chip and PIN) instead of the insecure magnetic-stripe cards which are used in the US. This leads to a perception that EMV is by default much stronger. But the book notes that EMV was never designed to secure the cardholder data after the point of sale. The recent breaches at Target and Neiman Marcus were such that cardholder data was pilfered after it was in the system.
Another major weakness with EMV is that it doesn't provide added security to web and online transactions. When a customer goes to a site and makes a transaction with an EMV card, it is fundamentally the same as if they had used a magnetic stripe card. What many people also don't realize is that EMV is not some new technology. It's been around for a while. What it did was reduce the amount of fraud for physical use amongst European merchants. But the unintended consequence was that it simply moved the fraud online, where EMV is powerless.
As noted, the book provides the details and vulnerabilities of every aspect of the life of a payment card, including physical security. In chapter 4, he notes that there are numerous features that are supposed to distinguish a genuine payment card from a counterfeit one. These include the logo, embossed primary account number (PAN), card verification values and ultraviolet (UV) marks. Each of them has its own set of limits. As for the supposed security of UV marks, they are relatively easily replicated by a regular inkjet printer with UV ink.
In fact, Gomzin writes that all payment cards as they are in use today are insecure by design, due to the fact that the multiple physical security features don't provide adequate protection from theft, and that the sensitive cardholder data is encoded on a magnetic stripe in clear text.
Gomzin has numerous PCI certifications and, with all that, doesn't see PCI as the boon to payment card security that many do. He astutely observes that PCI takes a somewhat myopic approach in which data at rest is all that matters. Given that PCI doesn't require payment software vendors or users to encrypt application configuration data, which is usually stored in plaintext and open to uncontrolled modification, this can allow a payment application to be compromised through misconfiguration.
Even with PCI, Gomzin shows that credit card numbers are rather predictable in that their number space is in truth rather small, even though they may be 15-19 digits in length. This is due to the fact that PCI allows the first 6 and last 4 digits to be exposed in plaintext, so it's only 6 digits that need to be guessed. This enables a relatively easy brute force attack, and even easier if rainbow tables are used.
The Target breach was attributed to memory scraping, and the book notes that, as devastating an attack as memory scraping is, there are no existing reliable security mechanisms that would prevent it.
The appendix includes a POS vulnerability rank calculator which can provide a quick and dirty risk assessment of the POS and associated payments application and hardware. The 20 questions in the calculator can't replace a formal assessment. But the initial results would likely mimic what that formal assessment would enumerate.
So what will it take to fix the mess that POS and payment systems are in now? The book notes that the system has to be completely overhauled for POS security to truly work. He notes that point-to-point encryption is one of the best ways to do that. What is stopping that is the huge costs involved in redoing the payment infrastructure. But until then, breaches will be daily news.
Hacking Point of Sale is an invaluable resource that is highly relevant to a wide audience, be it those in compliance, information security, development, research or your payment security group. If you are involved with payment systems, this is a necessary book.
When an expert like Slava Gomzin writes, his words should be listened to. He knows that payment breaches are inevitable. But he also shows you how to potentially avoid that tidal wave of inevitability.
Reviewed by Ben Rothke."
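The keyspace point made in the review (and argued over in the comments below) worked through in Python, as an added example that is not code from the book or the reviewer. It assumes, as the review states, that the first six and last four digits are exposed, that the stored "token" is a hash of the PAN; the PAN 4111111111111111, the Amex-format PAN in the test, and the keys are constructed test values. It enumerates the 100,000 Luhn-valid candidates, matches an unkeyed SHA-256 against that list offline, and shows that an HMAC under a secret key cannot be matched without the key.

```python
import hashlib
import hmac
import itertools

_DOUBLE = (0, 2, 4, 6, 8, 1, 3, 5, 7, 9)           # Luhn doubling with the digit-sum fold
_UNDOUBLE = {v: d for d, v in enumerate(_DOUBLE)}   # inverse map: doubling is a bijection on 0..9

def luhn_sum(digits: str) -> int:
    """Luhn weighted digit sum: every second digit from the right is doubled."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ord(ch) - 48
        total += _DOUBLE[d] if i % 2 else d
    return total

def luhn_valid(pan: str) -> bool:
    return luhn_sum(pan) % 10 == 0

def candidate_pans(first6: str, last4: str, middle_len: int = 6):
    """Yield every Luhn-valid PAN sharing the exposed first six and last four digits.

    The last hidden digit is solved from the check equation rather than guessed,
    so 10**(middle_len - 1) candidates cover the whole space (100,000 for 16 digits).
    """
    doubled = len(last4) % 2 == 1   # is the solved digit at a doubled position (from the right)?
    for digits in itertools.product("0123456789", repeat=middle_len - 1):
        stem = first6 + "".join(digits)
        need = (-luhn_sum(stem + "0" + last4)) % 10   # a '0' placeholder contributes nothing
        yield stem + str(_UNDOUBLE[need] if doubled else need) + last4

def unkeyed_token(pan: str) -> str:
    """Plain SHA-256 of the PAN: recoverable from the candidate list alone."""
    return hashlib.sha256(pan.encode()).hexdigest()

def keyed_token(pan: str, key: bytes) -> str:
    """HMAC-SHA-256 under a secret key: the candidate list is useless without the key."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()

def recover_pan(token: str, first6: str, last4: str, tokenize):
    """Offline search of the candidate space with a given tokenizer; returns the PAN or None."""
    for pan in candidate_pans(first6, last4):
        if hmac.compare_digest(tokenize(pan), token):
            return pan
    return None

if __name__ == "__main__":
    PAN, KEY = "4111111111111111", b"constructed-demo-key"   # constructed test values
    print("candidates:", sum(1 for _ in candidate_pans(PAN[:6], PAN[-4:])))
    print("unkeyed token recovered:", recover_pan(unkeyed_token(PAN), PAN[:6], PAN[-4:], unkeyed_token))
    print("keyed token, wrong key:", recover_pan(keyed_token(PAN, KEY), PAN[:6], PAN[-4:],
                                                 lambda p: keyed_token(p, b"wrong-guess")))
```

The same enumeration covers the 15- to 19-digit lengths the review mentions by adjusting middle_len, as the Amex-format test value shows.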
You can purchase Hacking Point of Sale: Payment Application Secrets, Threats, and Solutions from amazon.com. Slashdot welcomes readers' book reviews (sci-fi included) -- to see your own review here, read the book review guidelines, then visit the submission page.
Is that the system that Microsoft is now patching until 2019?
It used to be quite a 'closed' field, but there are now more and more open source tools to 'hack' and 'explore' payment systems.
Get a card reader and check out cardpeek: a tool that will read every detail of a PIN and Chip card. It also works with NFC cards, and works on Linux like a charm (and Win7 and OSX).
...making something functional with less than optimum resources (cf MacGyver, bodge-up, gerryrig, uzw). which preceded the notion of "one who gains unauthorized access to computers" by oh... perhaps a whole !@#n seven years.
Here's another current worthy tome which supports that earlier notion, and thus causes undue confusion: Hacker's Delight, which gets down to the hardware bits with some amazing cycle optimizations.
If the NSA hadn't broken encryption while still in the box, there would be less low-hanging fruit. If the POS industry didn't hold such high expectations of $10-$15/hr techs, the deployments would be much more secure. I don't believe there has been enough attention placed upon the banks and the processors, which are for the most part the ones that can actually afford to upgrade their systems a couple of times a year; instead they push the cost to the end user and laugh all the way back to their office while the business attrition rate rockets.
What do you mean by 'NSA broke encryption'?
Broke what encryption?
AES for example is secure.
I saw an interview with him and he is very smart. The interview is here http://www.creditcards.com/credit-card-news/slava_gomzin-safest-way-pay-1282.php
I know this has to be a good book if he wrote it.
He doesn't say as much, but he infers that PCI is a huge pile of garbage.
The only value it provides is that it gives companies like Trustwave and Pricewaterhouse tons of consulting business.
I am a midsize merchant.
I spend way too much on PCI and all I get for it is scan report and a hearty bill.
I have a good sysadmin, I do not need PCI.
Where are the POS problems - with the makers of the hardware and software!!
Not with us merchants!!!!
Take a close look at the RSA not-so-random number generator while understanding these are very thorough people acting under orders, and not just FBI-type orders, as there is a distinct difference between DOD and DOJ. Drink in what happened to Philip Zimmermann with the FBI and PGP, and realize we ants are not allowed to have encryption unless it is broken. It hasn't worked out so well for bank cards, but it would seem it has done wonders for the black budget. There really isn't any way around it with the fear-mongered and hyped terrorism market, kind of like when they were selling gas masks to the public back in WWII or iodine pills during the cold war era. Understand that lying, cheating and stealing is part of standard business today; think about how that might be reflected in the business of war.
I'm all in favor of security, but before we rip stores for bad security, I think we need to understand that many stores don't spend a fortune on security for the same reason we don't hire armed guards for our home. The cost simply isn't worth the decreased risk. And quite frankly, if we received a $100 bill for every credit card we owned to pay for that security, people would have a fit.
We'll get high security once the public is willing to pay for it, and not a moment sooner. Until that point, stores will only pay enough to avoid being especially vulnerable. After all, in crime, all that usually matters is not being the *weakest* link.
All of this can be simplified by architecting purpose-designed networks, and for a minimum of cost. You have a firewall (and possibly a switch). There are 2 VLANs. On one (let's say VLAN 100) is the free Wifi, the Pandora feed to the house audio, and the internet connection at the workstations the managers blow time at. On the other (let's call it VLAN 222) are the network connections for the POS equipment. On VLAN 222, the firewall allows no inbound connections, with the slim exception of VPN-secured traffic. Outbound connections on VLAN 222 are restricted to OS/AV/POS update hosts on SSL or similar and CC auth processors. Generic internet access is banned on VLAN 222. The back office POS software runs in a VM that only has access to VLAN 222. The manager workstation runs the VM if necessary, as well as having its own access to the internet (if necessary). The POS terminals, even if they are those hip, all-the-rage iPads, do not have internet access.
This is more or less (minus VMs, DSL, and iPads, and replace VPN with dedicated password-protected dial-in) the way we designed POS security in the late '90s when I was doing POS. As far as I can tell, it is mostly PCI compliant.
The issues we're seeing are people getting all manner of malware (from pr0n/etc.) on the manager back office workstation, similar from the POS terminals, and using LogMeIn / TeamViewer with weak passwords on the back office server. We knew better 15 years ago, so anyone who is getting hit by such garbage is a lame hack.
For every good soul who buys this to strengthen their systems, how many scammers will use this as a guidebook for looting?
Interesting point.
But that is the same admonition that was used when the first 'Hacking Exposed' book came out, which is similar to the argument that terrorists will use strong encryption.
Ultimately, it simply makes it more of an imperative that the white hats read these books.
Full list of the series here:
http://www.amazon.com/s/?_enco...
>> how many scammers will use this as a guidebook for looting
Probably zero.
>> Gomzin shows that credit card numbers are rather predictable in that their number space is in truth rather small, even though they may be 15-19 digits in length. This is due to the fact that PCI allows the first 6 and last 4 digits to be exposed in plaintext, so it's only 6 digits that need to be guessed. This enables a relatively easy brute force attack, and even easier if rainbow tables are used.
Yeah... try brute forcing credit card numbers through a provider from a single terminal (or even a small number of them) and see what happens to you.
If you're interested in grabbing credit cards, walking through an outdoor cafe with a video camera, hacking ATM OSes (maybe through a "hidden" USB), and looking at trace log files on obscure web servers (especially those that log everything coming through as they're talking to remote providers) are still probably more effective methods than what's covered in the book.