Book Review: "Hacking Point of Sale: Payment Application Secrets, Threats, and Solutions"

This is a solid book on the process of auditing key parts of the payment card industry. Written by Slava Gomzin, it provides fundamental and interesting information for auditing credit card processing systems. The book itself is a little pricey as a paperback from Wiley, although nearly half the price if you get the ebook (and a third of the price if you get it used) from Amazon. Overall, I give the book 7 / 10 stars and recommend it to penetration testers or auditors involved with payment systems, as well as QSAs and PA-QSAs looking to expand their tool repertoire. It's a fairly short read at just about 300 pages, and provides a broad look at all things related to payment systems, including the various phases of electronic payment, PCI-DSS, various attacks against payment systems, how carders make money off of stolen cards, how encryption is used throughout payment systems, and finally how to secure a payment system. The book is divided into 3 major sections: Anatomy of Payment Application Vulnerabilities, Attacks on Point of Sale Systems, and Defense. Each section has 3 chapters, and a full list of chapters with my own summary of each is included below.

Chapter 1 starts by describing the anatomy of modern electronic payments, including the players, their roles, types of payment systems, various transaction types, the stages of payment, and key areas where vulnerabilities could exist within this infrastructure. This is a useful chapter for those who are still trying to understand the electronic payment landscape, but it will contain very broad and already understood information (such as common definitions) for anyone familiar with the payment card space. This is a good introduction.

Chapter 2 begins by showing where payment applications fit into the picture, defining the processing options and transaction flow. It also covers common protocols and where the applications communicate in regard to the OSI model. Slava describes various architectural designs of common electronic payment system structures as implemented by merchants. This is a great high-level chapter for planning your architecture if you plan to implement such a system.

Chapter 3 takes a high-level approach to both PCI-DSS and PA-DSS, and is recommended reading if you're totally unfamiliar but need to get ready for a compliance audit. I really like the comparison of PCI-DSS and PA-DSS (Table 3-7), comparing how the two work together to secure the CC details throughout their lifecycle and emphasizing the security properties each requirement is supposed to provide. Chapter 3 also goes over the general validation process of the PA-DSS standard, including a rough overview of its 13 requirements. I really like this chapter because it explains the requirements in easy to understand language, but if you're really about to go for an audit, I suggest reading the real requirements from the PCI Council. Chapter 3 also briefly covers PTS, P2PE, and EMV guidance, but the book does a deeper dive on these topics later.

Chapter 4 starts by going over the physical structure of credit cards, including the data they hold. It examines the format of the PAN, Track 1 and Track 2 data, including protocol structures, what each field represents and common values (such as the BIN). This chapter also discusses the Luhn check, and even provides C code to verify that credit card details pass the Luhn check. One of my favorite parts of this chapter is when Slava provides a few regular expressions to catch various PAN and/or track 1/2 structures. Later in the chapter, Gomzin covers the playbook of a financial breach, all the way up to monetization of the card data through money mules or cashers.

Chapter 5 is great, arguably my favorite chapter in the book. Gomzin dives right into it, starting almost immediately with scraping RAM for track 1, track 2 and PAN data. Here he provides a good deal of C# code for a program he calls MemoryScraper. Later in the chapter, he repeats the process, only this time providing C# code for sniffing credit card details off of the wire; he calls this program NetScrapper. Finally the chapter ends by discussing many other vulnerabilities facing payment applications, such as tampering with the code of the application, tampering with the physical hardware, spoofing legitimate credentials, skimming POI devices, fake voice authorization, and even EMV attacks!

Chapter 6 is really interesting, as it begins by talking about the places where PCI protects the cardholder data, and then switches to attacking the places that are now inherently weaker due to a lack of focus being put on non-PCI items. This includes locating log files, temporary storage locations, hashed CC data, DEKs, KEKs and key rotation in general. At the end of this chapter he includes more C# code, only this time the code scrapes the hard disk looking for CC data in many different forms.

Chapter 7 will bring the reader up to speed on the various forms of encryption, and specifically how they are used in payment card systems. It goes through key generation, symmetric encryption, asymmetric encryption, hash functions, and which algorithms are generally considered strong. It also shows you how to implement a lot of this in C#, again with the code supposedly online. Of great relevance to the payment process, this chapter also shows how to sign data and applications to verify their integrity, as well as how to properly salt hashes and generate tokens.

Chapter 8 demonstrates how to protect the card data, both in transit and at rest. It shows how to use SSL validation, custom validation, and even IPSec to validate the authenticity of the communicating parties, which should help prevent the classic man-in-the-middle attacks. It also puts a strong emphasis on P2PE, DUKPT, and EMV technologies, showing how leveraging these can provide additional security throughout.

Finally, chapter 9 shows how to use code signing with applications to verify their integrity, so that people can't modify the clients to steal card data. It also shows how to obfuscate code, specifically within .NET applications, which have always been easier to reverse engineer due to their use of an intermediate language as opposed to raw assembly code. Finally, Gomzin wraps it up by recommending several secure coding guidelines and standards, such as the OWASP Top 10 and the SANS Top 25, to help application programmers avoid common mistakes.

Most of all, I really enjoyed the code provided throughout this book. Mr. Gomzin constantly uses C# code to hammer home his points, giving them concrete implementation examples. Three key programs that I found especially useful throughout the book are the ones that search for credit card data: one that scrapes credit cards off of storage media, one that scrapes credit cards off of the network, and one that scrapes credit cards out of memory. The scraper programs use regular expressions to match both ASCII and Unicode strings against the PAN and track formats. They are able to do this fairly easily because the PAN has a known length, contains only digits, and uses special prefixes. The code even tries to reduce the number of false positives by running the numbers through a Luhn test and excluding special test card patterns. Similarly, he includes regexes that match these same criteria throughout the book, so you could really implement similar searches in any language, for any purpose you want. You can also download the code from chapters 5 through 9 here, which are some of the best chapters in my opinion, and that should give you a good taste for the material. Slava also provides a scoring system for payment application security (in Appendix A of the book), which could help individuals or professionals assess their security posture in that regard. I hope this book proves useful for you in understanding PCI-DSS and PA-DSS, or at the very least can assist you in building out your own repertoire of tools to hunt for insecurely stored credit card data.
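To make the chapter 4 and chapter 5 discussion concrete (regexes for PAN and track 2 layouts, a Luhn check, and test-card exclusion to cut false positives), here is an added example of that search pipeline as a defender would use it to find cardholder data leaking into logs or temp files. It is my own Python, not the book's C# or C code, and it assumes a small subset of public brand prefix/length rules, a constructed list of well-known test PANs, and a constructed log sample; the PAN `4532015112830366` and Amex `378212345678903` are synthetic Luhn-valid numbers built for this example.

```python
import re
from typing import Optional

# Candidate PAN: 13-19 digits, optionally split by single spaces or dashes,
# and not embedded in a longer run of digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Track 2 layout: ;PAN=YYMMSSS<discretionary data>?  (start sentinel, field
# separator, expiry, service code, end sentinel).
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{2})(\d{2})(\d{3})[^?]*\?")

# Constructed subset of widely published test card numbers; excluded so QA
# traffic does not show up as a finding.
TEST_PANS = {
    "4111111111111111", "4242424242424242", "5555555555554444",
    "378282246310005", "6011111111111117",
}


def luhn_ok(pan: str) -> bool:
    """Luhn (mod 10) check: from the right, double every second digit."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def brand(pan: str) -> Optional[str]:
    """Map prefix + length to a brand; assumed subset of public BIN rules."""
    n = len(pan)
    if pan[0] == "4" and n in (13, 16, 19):
        return "visa"
    if n == 16 and (51 <= int(pan[:2]) <= 55 or 2221 <= int(pan[:4]) <= 2720):
        return "mastercard"
    if n == 15 and pan[:2] in ("34", "37"):
        return "amex"
    if n == 16 and (pan.startswith("6011") or pan.startswith("65")):
        return "discover"
    return None


def mask(pan: str) -> str:
    """Keep BIN and last four only, so findings can be reported without re-exposing the PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_pans(text: str) -> list:
    """Return deduplicated findings: regex candidates filtered by brand, Luhn and test-card list."""
    candidates = [(m.start(), re.sub(r"[ -]", "", m.group(0)), "pan")
                  for m in PAN_RE.finditer(text)]
    candidates += [(m.start(), m.group(1), "track2") for m in TRACK2_RE.finditer(text)]
    hits = {}
    for pos, digits, source in sorted(candidates):
        b = brand(digits)
        if b is None or not luhn_ok(digits) or digits in TEST_PANS:
            continue
        if digits not in hits:
            hits[digits] = {"masked": mask(digits), "brand": b, "source": source, "offset": pos}
        elif source == "track2":
            hits[digits]["source"] = "track2"  # full track data is the more serious finding
    return list(hits.values())


# Constructed sample: an order number that happens to pass Luhn, a real-looking
# PAN, a QA test card, a mistyped PAN, a raw track 2 buffer and an Amex PAN.
SAMPLE = (
    "2024-03-01 pos.log: order 1234567812345670 card 4532 0151 1283 0366 approved\n"
    "debug: test card 4111111111111111 used in QA\n"
    "typo: 4532015112830367\n"
    "swipe buffer: ;4532015112830366=27051011234567890?\n"
    "phone 555-0100 ref 378212345678903\n"
)

if __name__ == "__main__":
    for hit in find_pans(SAMPLE):
        print(hit)
```

Only two findings survive the filters: the order number fails the brand check despite passing Luhn, the mistyped PAN fails Luhn, and the test card is excluded by the list; the Visa PAN is reported once, upgraded to a track 2 finding because the raw swipe buffer contained it.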