WEBVTT

00:00:00.000 --> 00:00:03.109
I'm going to talk about what I think of as a US problem,

00:00:03.109 --> 00:00:04.678
which is point-of-sale attacks.

00:00:04.678 --> 00:00:08.685
I call it a US problem because having worked in PCI in Europe,

00:00:08.685 --> 00:00:12.278
we don't tend to have people stealing magnetic stripe data

00:00:12.279 --> 00:00:15.479
because you can't really do that much with it.

00:00:15.479 --> 00:00:19.723
And yet, we sit in Europe looking at the US with enormous,

00:00:19.723 --> 00:00:22.587
world-famous large-box retailers,

00:00:22.587 --> 00:00:27.521
DIY stores that had some of the biggest point-of-sale

00:00:27.521 --> 00:00:30.288
attacks with millions of cards taken in it.

00:00:30.288 --> 00:00:33.405
And obviously I don't want you to talk about any case

00:00:33.405 --> 00:00:36.280
you've been involved in yourself.

00:00:36.280 --> 00:00:37.879
In Europe, as soon as we moved to chip,

00:00:37.879 --> 00:00:40.336
that just went away because you can't clone a chip and

00:00:40.336 --> 00:00:41.754
make a clone card and go shopping.

00:00:41.754 --> 00:00:44.864
In the states, you can still clone a mag stripe card and go shopping,

00:00:44.864 --> 00:00:47.055
which is why criminals attack it.

00:00:47.055 --> 00:00:50.280
Criminals attack it because it's high-value data.

00:00:50.280 --> 00:00:52.935
So, you've seen quite a few of these, I know.

00:00:52.936 --> 00:00:55.560
We've talked previously.

00:00:55.560 --> 00:00:57.581
When point-of-sale attacks happen,

00:00:57.582 --> 00:01:03.036
is the criminal trying to breach into a payment switch somewhere

00:01:03.036 --> 00:01:07.648
in the middle to get the track data or are they going for each

00:01:07.648 --> 00:01:09.588
point of the sale system individually?

00:01:09.589 --> 00:01:10.983
It depends on the type of attack.

00:01:10.983 --> 00:01:12.220
We see both.

00:01:12.220 --> 00:01:15.023
A lot of times, they'll come in,

00:01:15.023 --> 00:01:19.319
and they'll want to either position their malware somewhere in that

00:01:19.320 --> 00:01:22.226
flow where they can get it from all of the individual systems that

00:01:22.226 --> 00:01:23.930
are going through that checkpoint.

00:01:23.930 --> 00:01:28.945
If they can't do that, they'll put it on every single terminal if they have to.

00:01:28.945 --> 00:01:34.028
That sounds to me like a lot of work, but it also sounds noisy.

00:01:34.029 --> 00:01:36.825
I mean, surely the retailer,

00:01:36.826 --> 00:01:40.734
I can understand the retailer not detecting an attack on a PC infrastructure,

00:01:40.734 --> 00:01:44.905
but every single point of sales, somebody must notice.

00:01:44.906 --> 00:01:45.968
You would think,

00:01:45.968 --> 00:01:50.026
but the truth is we've seen malware running on individual point

00:01:50.026 --> 00:01:54.302
of sales that has been there many months,

00:01:54.303 --> 00:01:56.821
and it goes by undetected.

00:01:56.821 --> 00:01:58.109
The attackers are good.

00:01:58.110 --> 00:01:59.352
They know what they're doing.

00:01:59.352 --> 00:02:03.321
They know where to put the malware so that it looks like another

00:02:03.321 --> 00:02:07.456
system process so that it doesn't raise red flags.

00:02:07.456 --> 00:02:09.289
And this is a logical attack.

00:02:09.289 --> 00:02:12.695
They're not going to every single store and plugging a USB in, are they?

00:02:12.696 --> 00:02:13.342
No, no.

00:02:13.342 --> 00:02:18.857
This is usually they're coming in through a remote access point any

00:02:18.857 --> 00:02:22.320
number of ways into the point-of-sale systems.

00:02:22.321 --> 00:02:25.286
We've seen them come in through guest wireless networks

00:02:25.286 --> 00:02:29.389
that didn't have adequate security.

00:02:29.389 --> 00:02:33.455
I think what you just said was somebody had a guest network --- Yes.

00:02:33.455 --> 00:02:34.056
We've actually seen that.

00:02:34.056 --> 00:02:36.376
--- that was connected to their point-of-sale system.

00:02:36.376 --> 00:02:36.780
Yeah.

00:02:36.780 --> 00:02:37.588
Not directly.

00:02:37.588 --> 00:02:40.677
It was a very sneaky attack.

00:02:40.677 --> 00:02:46.295
The merchant wanted to offer wireless guest services to their clientele.

00:02:46.296 --> 00:02:47.965
It's a good move.

00:02:47.965 --> 00:02:49.217
People appreciate that.

00:02:49.217 --> 00:02:52.654
However, with the way the router was configured,

00:02:52.654 --> 00:02:58.406
the attacker was able to get an IP address in the guest network,

00:02:58.406 --> 00:03:01.548
get on to the router, and because the router wasn't configured correctly,

00:03:01.548 --> 00:03:04.226
they were able to use the router's IP address,

00:03:04.226 --> 00:03:08.798
which was a privileged IP, to get back into the card data environment.

00:03:08.798 --> 00:03:10.930
And we've seen, wireless was one of the biggest,

00:03:10.930 --> 00:03:16.005
the first to have a big breach with cardholder data at their fashion retailer.

00:03:16.006 --> 00:03:17.395
Six years ago, yeah?

00:03:17.395 --> 00:03:17.958
Yes.

00:03:17.958 --> 00:03:19.155
I mean that's quite a common thing.

00:03:19.156 --> 00:03:23.673
But, when I was doing an assessing job and an advising job,

00:03:23.673 --> 00:03:25.614
it's like, this is like, you never do this.

00:03:25.614 --> 00:03:27.356
You have two, you don't even risk it.

00:03:27.356 --> 00:03:29.044
You have two wireless networks.

00:03:29.045 --> 00:03:31.055
Yeah, and that's one of our recommendations.

00:03:31.055 --> 00:03:34.150
If you're going to have guest wireless,

00:03:34.150 --> 00:03:37.711
get it away from any and all privileged data.

00:03:37.712 --> 00:03:38.064
In fact,

00:03:38.064 --> 00:03:42.841
do a separate network and outsource it to the people who do guest networks.

00:03:42.842 --> 00:03:46.686
So, this can be an attack against every single point of the sale.

00:03:46.686 --> 00:03:48.139
It can.

00:03:48.139 --> 00:03:50.559
That astounds me.

00:03:50.560 --> 00:03:51.628
What about infrastructure attacks?

00:03:51.629 --> 00:03:54.605
What about attacks against anywhere in the payment flow?

00:03:54.605 --> 00:03:56.486
Is that a thing as well?

00:03:56.486 --> 00:04:00.094
Any point that the attackers could attack,

00:04:00.094 --> 00:04:04.000
in theory, they're probably attacking in reality.

00:04:04.001 --> 00:04:08.094
If they can get --- a prime example is getting a piece of

00:04:08.094 --> 00:04:13.322
malware on a back of house server that is handling traffic for

00:04:13.322 --> 00:04:16.059
all the individual POS terminals.

00:04:16.060 --> 00:04:19.172
They love to do that because that's a whole lot less work,

00:04:19.172 --> 00:04:22.213
and the chance of being detected is so much lower.

00:04:22.213 --> 00:04:24.384
If you're running malware on a POS terminal,

00:04:24.384 --> 00:04:27.341
it might bog down that machine and cause somebody to say,

00:04:27.342 --> 00:04:28.586
hey, what's wrong with this machine.

00:04:28.587 --> 00:04:33.558
And so if they can get it on a back of house server that has more resources,

00:04:33.558 --> 00:04:36.734
it can go that much longer without being detected.

00:04:36.734 --> 00:04:39.537
So both are common, viable attacks.

00:04:39.538 --> 00:04:42.492
Now you talked about the way in because I'm sitting here

00:04:42.492 --> 00:04:44.835
looking incredulous that this happens,

00:04:44.835 --> 00:04:48.936
but knowing full well from talking to my friends in

00:04:48.936 --> 00:04:56.246
forensics and at the other card brands, that this is run-of-the-mill.
