WEBVTT

00:00:00.114 --> 00:00:03.166
Many merchants --- and you know I'm slightly,

00:00:03.166 --> 00:00:06.602
partly responsible for this because Visa Europe was one of the big

00:00:06.602 --> 00:00:08.980
proponents to the point-to-point encryption standard.

00:00:08.981 --> 00:00:12.117
So many merchants have moved to point-to-point encryption where the card

00:00:12.117 --> 00:00:14.999
data is encrypted in the secure point-of-sale device,

00:00:14.999 --> 00:00:17.145
so it's not running through the till,

00:00:17.145 --> 00:00:20.983
but it's running through a dedicated reader strongly encrypted all the

00:00:20.983 --> 00:00:24.052
way back to either the processor or the merchant.

00:00:24.052 --> 00:00:27.375
So that means the card data's not accessible.

00:00:27.375 --> 00:00:32.311
Has that had an effect on your work and on what merchants are doing?

00:00:32.311 --> 00:00:32.769
Yes.

00:00:32.769 --> 00:00:35.972
It's had a profound effect on it.

00:00:35.972 --> 00:00:44.260
We have yet to see a properly implemented P2PE solution that has been breached.

00:00:44.260 --> 00:00:48.260
Now we do see where the attackers have come in and taken

00:00:48.260 --> 00:00:50.930
advantage of improperly configured P2PE solutions.

00:00:50.931 --> 00:00:54.817
Tell me about that then because that should be quite given.

00:00:54.817 --> 00:00:56.794
I'm pretty familiar with the standard.

00:00:56.794 --> 00:00:59.191
That should be pretty hard for someone to do.

00:00:59.191 --> 00:01:00.689
What did they do wrong?

00:01:00.689 --> 00:01:05.365
Well, the merchant did everything right except for one thing.

00:01:05.364 --> 00:01:10.104
They set up their P2PE solution, tested it,

00:01:10.104 --> 00:01:15.185
did everything perfect, and then they left it in debug mode.

00:01:15.186 --> 00:01:16.343
And so the cards,

00:01:16.343 --> 00:01:20.337
even though the solution was there to prevent those cards from leaking,

00:01:20.337 --> 00:01:23.664
the attacker was able to come in and look at plain text

00:01:23.664 --> 00:01:27.112
credit card data going across the wire.

00:01:27.112 --> 00:01:28.725
That's awesome.

00:01:28.725 --> 00:01:31.951
That really is awesome.

00:01:31.951 --> 00:01:33.631
And it --- I'm going to stop,

00:01:33.631 --> 00:01:36.828
I want to stop you there because that's like the second big learning point.

00:01:36.828 --> 00:01:41.341
If you put in a P2PE, then make sure it's turned on and working, yeah?

00:01:41.341 --> 00:01:41.761
Yes.

00:01:41.761 --> 00:01:43.442
And not just working,

00:01:43.442 --> 00:01:46.959
but make sure it's absolutely encrypting those cards

00:01:46.959 --> 00:01:48.027
because it can look like it's working.

00:01:48.028 --> 00:01:50.423
Hey, did you swipe a card there?

00:01:50.423 --> 00:01:51.548
Did it come out on that end?

00:01:51.549 --> 00:01:51.810
Yes.

00:01:51.810 --> 00:01:53.381
Well what happened in the middle?

00:01:53.382 --> 00:01:55.300
So put a network analyzer on there.

00:01:55.300 --> 00:01:56.955
Catch some data from it.

00:01:56.955 --> 00:01:57.839
Look at the packets.

00:01:57.839 --> 00:02:00.033
Make sure there's no encrypted card data.

00:02:00.033 --> 00:02:00.955
Unencrypted card data.

00:02:00.956 --> 00:02:02.184
Unencrypted card data, yeah.

00:02:02.184 --> 00:02:02.740
Absolutely.

00:02:02.740 --> 00:02:07.025
When I go onsite, I always test the P2PE solution,

00:02:07.026 --> 00:02:08.577
and I'll download memory,

00:02:08.577 --> 00:02:12.116
and I'll scan that memory for any unencrypted card data going through there.

00:02:12.116 --> 00:02:16.241
And every so often, we still find it even when merchants say, yeah, we're good.

00:02:16.241 --> 00:02:18.056
We're running P2PE.

00:02:18.056 --> 00:02:26.626
But if it is put in and running correctly, it is a very, very big deterrent.

00:02:26.627 --> 00:02:32.492
Right, and I guess then the merchant doesn't have to do PCI DSS.

00:02:32.492 --> 00:02:34.832
So that must be a pretty big thing for them.

00:02:34.832 --> 00:02:37.671
I mean that was one of the drives of P2PE.

00:02:37.672 --> 00:02:43.120
It can bite you if you don't use it correctly.

00:02:43.120 --> 00:02:48.378
It is not the end of security, end of your security efforts.

00:02:48.378 --> 00:02:50.593
Your network is still your network,

00:02:50.593 --> 00:02:53.929
and it still presents a valuable target to the attackers.

00:02:53.930 --> 00:02:57.711
We had one recent case, a very large merchant,

00:02:57.711 --> 00:03:04.215
a multibillion-dollar merchant, that put in a fantastic P2PE solution.

00:03:04.216 --> 00:03:06.702
They had it verified.

00:03:06.702 --> 00:03:09.883
They were doing great with it.

00:03:09.884 --> 00:03:11.045
They still got hit by attackers.

00:03:11.045 --> 00:03:13.715
Now the attackers did not get any credit card data.

00:03:13.715 --> 00:03:15.236
The cards were safe.

00:03:15.236 --> 00:03:18.021
They did not leak any cards, but the attackers went in,

00:03:18.021 --> 00:03:22.793
and they put ransomware and just encrypted the POS terminals.

00:03:22.793 --> 00:03:23.927
On all the POS terminals?

00:03:23.927 --> 00:03:25.995
Yeah, on all the POS terminals.

00:03:25.995 --> 00:03:26.533
Okay, so that's good.

00:03:26.533 --> 00:03:30.505
So they're not leaking any card holder data, but they're not trading.

00:03:30.506 --> 00:03:31.357
So the card brands,

00:03:31.357 --> 00:03:33.235
even actually the card brands are not going to be happy

00:03:33.235 --> 00:03:34.492
because they're not making money either.

00:03:34.492 --> 00:03:35.924
No one's happy now.

00:03:35.924 --> 00:03:39.158
And you have your employees standing around at a machine that says,

00:03:39.158 --> 00:03:42.963
please send your bitcoins here to restore this machine.

00:03:42.964 --> 00:03:44.311
That's across your entire network.

00:03:44.312 --> 00:03:47.221
I mean, talk about an expensive bill.

00:03:47.222 --> 00:03:51.934
You've got to pay an attacker to get all of your POS machines back up.

00:03:51.935 --> 00:03:54.097
You might as well just wipe everything and start over.

00:03:54.097 --> 00:03:56.243
That's a tremendous bill.

00:03:56.243 --> 00:03:57.497
Yeah, what about cryptominers?

00:03:57.497 --> 00:04:00.482
You see any of those, those things that mine for bitcoins?

00:04:00.482 --> 00:04:03.299
Because that's a way of monetizing access as well.

00:04:03.299 --> 00:04:06.666
Yeah, the attackers, even if they can't get your cards,

00:04:06.666 --> 00:04:11.138
they're going to make that access, all the work they did to access that network,

00:04:11.138 --> 00:04:12.843
they're going to make it pay for itself somehow.

00:04:12.843 --> 00:04:16.309
Yeah, because I guess they came expecting to steal the card data,

00:04:16.309 --> 00:04:19.147
they're seeing just encrypted card data,

00:04:19.147 --> 00:04:21.707
they are quite cross,

00:04:21.708 --> 00:04:24.056
and so they want to monetize their access because they might have

00:04:24.056 --> 00:04:27.775
spent three or four weeks breaking into this merchant.

00:04:27.775 --> 00:04:31.835
Yeah, and so they're going to take advantage of those CPU resources.

00:04:31.835 --> 00:04:35.479
They can do cryptominers, they can put ransomware on there,

00:04:35.479 --> 00:04:40.225
they can steal other corporate secrets that you have,

00:04:40.225 --> 00:04:44.976
and they can make your network part of their bot network.

00:04:44.976 --> 00:04:48.015
Okay, so I think that's the big, the third learning point for merchants.

00:04:48.015 --> 00:04:49.621
If you put P2PE in,

00:04:49.621 --> 00:04:53.102
don't then forget to do security for the rest of your network

00:04:53.102 --> 00:04:55.905
because you have other valuable assets that aren't --- so they

00:04:55.905 --> 00:04:57.678
don't concern people like you and me.

00:04:57.678 --> 00:04:58.701
It's not a PFI.

00:04:58.701 --> 00:05:03.558
It's not a card data issue, but it's an issue of their trading as a merchant.

00:05:03.558 --> 00:05:03.867
Right.

00:05:03.867 --> 00:05:04.177
Yeah.

00:05:04.177 --> 00:05:06.212
You still have to protect your network.

00:05:06.212 --> 00:05:07.670
Your network is still your network.

00:05:07.671 --> 00:05:09.861
There's still value in that network,

00:05:09.861 --> 00:05:14.513
and you can't just do P2PE and wash your hands of all security concerns.

00:05:14.513 --> 00:05:17.958
I think every P2PE manual should come with a big health

00:05:17.958 --> 00:05:24.199
warning at the beginning that says, this fixes one problem,

00:05:24.199 --> 00:05:28.199
but not the others.
