Forgot your password?
typodupeerror
Books Security Book Reviews

Book Review: Hacking Point of Sale 56

Posted by samzenpus
from the read-all-about-it dept.
benrothke (2577567) writes "The only negative thing to say about Hacking Point of Sale: Payment Application Secrets, Threats, and Solutions is its title. A cursory look at it may lead the reader that this is a book for a script kiddie, when it is in fact a necessary read for anyone involved with payment systems. The book provides a wealth of information that is completely pragmatic and actionable. The problem is, as the book notes in many places, that one is constantly patching a system that is inherently flawed and broken." Keep reading for the rest of Ben's review.
Hacking Point of Sale: Payment Application Secrets, Threats, and Solutions
author Slava Gomzin
pages 312
publisher Wiley
rating 10/10
reviewer Ben Rothke
ISBN 978-1118810118
summary Superb book on POS, PCI and payment security
Often after a major information security breach incidents, a public official (always in front of cameras and with many serious looking people standing in the wings) will go on TV and say something akin to "we have to make sure this never happens again".

Last year, Target was the major victim. This month, it's eBay. But after hundreds of millions of records breached, it's not that anyone is saying it won't happen again. Rather, it's inevitable it will happen many more times.

There are a number of good books on PCI, but this is the first one that looks at the entire spectrum of credit card processing. Author Slava Gomzin is a security and payments technologist at HP and as evident in the book, he lives and breathes payment technology and his expert knowledge is manifest in every chapter. His technical expertise is certain to make the reader much better informed and understand the myriad issues involved.

The book provides an excellent overview to the workings of payment systems and Gomzin is not shy about showing how insecure many payment systems are. Its 9 chapters provide a good combination of deep technical and general detail.

The reader comes out with a very good overview of how payment systems work and what the various parts of it are. For many people, this may be the first time they are made aware of entities such as processors, acquirers and gateways.

An interesting point the book raises is that it has been observed there are less breaches in Europe since they use EMV (also known as chip and pin) instead of insecure magnetic-stripe cards which are used in the US. This leads to a perception that EMV is by default much stronger. But the book notes that EMV was never designed to secure the cardholder data after the point of sale. The recent breaches at Target and Neiman Marcus were such that cardholder data was pilfered after it was in the system.

Another major weakness with EMV is it doesn't provide added security to web and online transactions. When a customer goes to a site and makes a transaction with an EMV card, it is fundamentally the same as if they would have used a magnetic stripe card. What many people don't realize also is that EMV is not some new technology. It's been around for a while. What it did was reduce the amount of fraud for physical use amongst European merchants. But the unintended consequence was that it simply moved the fraud online, where EMV is powerless.

As noted, the book provides the details and vulnerabilities of every aspect of the life of a payment card, including physical security. In chapter 4, he notes that there are numerous features that are supposed to distinguish between a genuine payment card from a counterfeited one. These include logo, embossed primary account number (PAN), card verification values and ultraviolet (UV) marks. Each one of them has their own set of limits. For the supposed security of UV marks, these are relatively easily replicated by a regular inkjet printer with UV ink.

In fact, Gomzin writes that all payment cards as they are in use today are insecure by design due to the fact that there are multiple physical security features that don't provide adequate protection from theft, and that the sensitive cardholder data information is encoded on a magnetic strip in clear text.

Gomzin has numerous PCI certifications and with all that, doesn't see PCI as the boon to payment card security as many do. He astutely observes that PCI places a somewhat myopic approach that data at rest is all that matters. Given that PCI doesn't require payment software vendors or users to encrypt application configuration data, which is usually stored in plaintext and opened to uncontrolled modification; this can allow payment application to be compromised through misconfiguration.

Even with PCI, Gomzin shows that credit card numbers are rather predictable in that their number space is in truth rather small, even though they may be 15-19 digits in length. This is due to the fact that PCI allows the first 6 and last 4 digits to be exposed in plaintext, so it's only 6 digits that need to be guessed. This enables a relatively easy brute force attack, and even easier if rainbow tables are used.

The Target breach was attributed to memory scraping and the book notes that as devastating an attack memory scraping is, there are no existing reliable security mechanisms that would prevent memory scraping.

The appendix includes a POS vulnerability rank calculator which can provide a quick and dirty risk assessment of the POS and associated payments application and hardware. The 20 questions in the calculator can't replace a formal assessment. But the initial results would likely mimic what that formal assessment would enumerate.

So what will it take to fix the mess that POS and payment systems are in now? The book notes that the system has to be completely overhauled for POS security to truly work. He notes that point-to-point encryption is one of the best ways to do that. What is stopping that is the huge costs involved in redoing the payment infrastructure. But until then, breaches will be daily news.

Hacking Point of Sale is an invaluable resource that it highly relevant to a wide audience. Be it those in compliance, information security, development, research or in your payment security group. If you are involved with payment systems, this is a necessary book.

When an expert like Slava Gomzin writes, his words should be listened to. He knows that payment breaches are inevitable. But he also shows you how to potentially avoid that tidal wave of inevitability.

Reviewed by Ben Rothke."

You can purchase Hacking Point of Sale: Payment Application Secrets, Threats, and Solutions from amazon.com. Slashdot welcomes readers' book reviews (sci-fi included) -- to see your own review here, read the book review guidelines, then visit the submission page.
This discussion has been archived. No new comments can be posted.

Book Review: Hacking Point of Sale

Comments Filter:
  • by Anonymous Coward

    It used to be quite a 'closed' field, but there are now more and more open source tools to 'hack' and 'explore' payment systems.

    Get a card reader and check out cardpeek [pannetrat.com]: a tool that will read every detail of a PIN and Chip card. It also works with NFC cards, work on Linux like a charm (and Win7 and OsX).

  • ...making something functional with less than optimum resources (cf MacGyver, bodge-up, gerryrig, uzw). which preceded the notion of "one who gains unauthorized access to computers" by oh... perhaps a whole !@#n seven years.

    here's another current worthy tome which supports that earlier notion, and thus causes undue confusion: Hacker's Delight [hackersdelight.org], which gets down to the hardware bits with some amazing cycle optimizations

  • If the NSA hadn't broken encryption while still in the box, there would be less low hanging fruit. If the POS industry didn't hold such high expectation of a $10-$15/HR techs, the deployments would be much more secure. I don't believe there has been enough attention placed upon the banks and the processors, and for the most part the one's that can actually afford to upgrade their systems a couple times a year, instead they push the cost to the end user and laugh all the way back to their office while the

  • I'm all in favor of security, but before we rip stores for bad security, I think we need to understand that many stores don't spend a fortune on security for the same reason we don't hire armed guards for our home. The cost simply isn't worth the decreased risk. And quite frankly, if we received a $100 bill for every credit card we owned to pay for that security, people would have a fit.

    We'll get high security once the public is willing to pay for it, and not a moment sooner. Until that point, stores wil

  • All of this can be simplified by architecting purpose designed networks, and for a minimum of cost. You have a firewall (and possibly switch). There are 2 VLANS. On one (let's say VLAN 100) is the free Wifi, Pandora feed to the house audio, and internet connection at the workstations the managers blow time at. On the other (let's call it VLAN 222) are the network connections for the POS equipment. On VLAN 222, the firewall allows no inbound connections with the slim exception of VPN secured traffic. O
    • I agree with you.

      The issue thought is that these ‘purpose designed networks’ can at limited times, be created with a small set of requirements (purposes).

      But in large e-commerce settings, with multiple suppliers, inputs, etc., the purpose expands significantly, with complexity that quickly becomes unmanageable; and quickly insecure.

      • True, but inventory management and reporting don't have any need to coexist on the same network. It's easy enough to have the POS side running on one VLAN and a one-way replication of aggregate sales numbers pushed to the inventory management and reporting side. Heck, just replicate a copy of the database with all of the customer's personal information and CC#'s stripped out.

        An odd angle to why Target got hit with such a huge data loss breach was the fact that they were getting too nosy about their custom
        • Excellent points.

          When it comes to targeted advertising and big data analytics, seems like security will always get the short shrift.

  • For every good soul who buys this to strengthen their systems, how many scammers will use this as a guidebook for looting?
    • Interesting point.

      But that is the same admonition was used when the first ‘Hacking Exposed’ book came out. Which is similar to the argument that terrorists will use strong encryption.

      Ultimately, it simply makes it that the white hats should read these books more of an imperative.

      Full list of the series here:

      http://www.amazon.com/s/?_enco... [amazon.com]

    • >> how many scammers will use this as a guidebook for looting

      Probably zero.

      >> Gomzin shows that credit card numbers are rather predictable in that their number space is in truth rather small, even though they may be 15-19 digits in length. This is due to the fact that PCI allows the first 6 and last 4 digits to be exposed in plaintext, so it's only 6 digits that need to be guessed. This enables a relatively easy brute force attack, and even easier if rainbow tables are used.

      Yeah...try brute for

If a camel is a horse designed by a committee, then a consensus forecast is a camel's behind. -- Edgar R. Fiedler

Working...