BlackHat资料us-14-Zaichkowsky-Point-Of-Sale System-Architecture-And-Security.pdfVIP

Point of Sale System Architecture and Security Lucas Zaichkowsky lucas@ Twitter: @LucasErratus whoami • IT and InfoSec geek since mid-90s • Evangelist and researcher • Subject matter expert: • Electronic payment processing and PCI • Cyber espionage • Cybercrime • Enterprise IR Durango, CO Population: 17,557 Serious Texas Bar-B-Q POS breach, 2010 More than 270 of the stolen credit cards used for fraud nationally Mama’s Boy POS breach, 2011 Open since the 80s Closed 4 months later Iron Horse web site breach, 2013 2,500 web site registrations Unsure how many cards stolen Since the breach, they moved to a hosted checkout solution How many small business breaches? Probably thousands • In 2010, I personally saw several dozen POS breaches • 190+ POS breaches in 2013 Verizon DBIR • Verizon is 1 of 23 PCI Forensics Investigators • Breached small businesses sometimes notify customers o Post a notice on the store window • Small merchant breaches rarely make the news in larger cities o The media has “better” content (e.g. violent crime, celebrities) Small breaches are usually opportunistic Opportunistic POS Attack Methodology: 1. Scan internet for pcAnywhere, VNC, RDP ports 2. Exploit vulnerable versions, brute force password guessing 3. Instant admin access to entire POS environment 4. Drop keystroke recorders, network sniffers, RAM scrapers 5. Automatically transmits stolen card data Why so easy?! • Small business owners use remote desktop to work remotely o “The PO