Comments on: Thinking About Security ROI From The Thief’s Perspective http://storefrontbacktalk.com/securityfraud/thinking-about-security-roi-from-the-thiefs-perspective/ Techniques, Tools and Tirades about Retail Technology and E-Commerce Wed, 08 Feb 2012 16:02:40 +0000 hourly 1 http://wordpress.org/?v=3.2.1 By: A Reader http://storefrontbacktalk.com/securityfraud/thinking-about-security-roi-from-the-thiefs-perspective/comment-page-1/#comment-76114 A Reader Thu, 01 Jul 2010 13:58:09 +0000 http://www.storefrontbacktalk.com/?p=5603#comment-76114 Read the POS PED requirements, specifically A6 and A7. "To determine any PIN-security-related cryptographic key resident in the PED or ICC reader, by penetration of the PED or ICC reader and/or by monitoring emanations from the PED or ICC reader (including power fluctuations), requires an attack potential of at least 35 for identification and initial exploitation as defined in Appendix B of the PCI POS PED DTRs." It's a pretty clear requirement that a compliant pad should not leak energy traces. But to your point, it's probably treated like anything else PCI related. Certify everything, and if there's a leak, claim it was out of compliance. Read the POS PED requirements, specifically A6 and A7. “To determine any PIN-security-related cryptographic key resident in the PED or ICC reader, by penetration of the PED or ICC reader and/or by monitoring emanations from the PED or ICC reader (including power fluctuations), requires an attack potential of at least 35 for identification and initial exploitation as defined in Appendix B of the PCI POS PED DTRs.”

It’s a pretty clear requirement that a compliant pad should not leak energy traces. But to your point, it’s probably treated like anything else PCI related. Certify everything, and if there’s a leak, claim it was out of compliance.

]]> By: Retail CSO http://storefrontbacktalk.com/securityfraud/thinking-about-security-roi-from-the-thiefs-perspective/comment-page-1/#comment-75718 Retail CSO Sun, 27 Jun 2010 20:54:09 +0000 http://www.storefrontbacktalk.com/?p=5603#comment-75718 The quote from the "retail security cryptographer" sounds just like what people were saying about skimming a few years ago (i.e., it's one card at a time and requires sophisticated knowledge about magnetic fields). I was at a hacker conference, where I saw a demo of power analysis with really cheap hardware done by hobbyists -- and the key recovery was basically instantaneous too. I'm sure it takes some knowledge to figure out the first attack on a given device, but the attack I watched was just about instantaneous. Some of the testing labs charge a lot for DPA testing, so they have a vested interest in making DPA look difficult... but if the chain-smoking hacker kids can do it, I'm sure the guys who are doing skimming today could too if they tried. I'm also interested in the reader comment that "all PCI-PED certified terminals are strongly protected against attacks, including DPA". I don't know how well they are protected against DPA, but the I've seen some pretty scary vulnerabilities in PCI-certified terminals. The smart card guys do seem to have their act together pretty well on the security front nowadays, but terminal makers have a history of cutting corners and I don't ever recall seeing PED vendors advertising DPA protection. The quote from the “retail security cryptographer” sounds just like what people were saying about skimming a few years ago (i.e., it’s one card at a time and requires sophisticated knowledge about magnetic fields).

I was at a hacker conference, where I saw a demo of power analysis with really cheap hardware done by hobbyists — and the key recovery was basically instantaneous too. I’m sure it takes some knowledge to figure out the first attack on a given device, but the attack I watched was just about instantaneous.

Some of the testing labs charge a lot for DPA testing, so they have a vested interest in making DPA look difficult… but if the chain-smoking hacker kids can do it, I’m sure the guys who are doing skimming today could too if they tried.

I’m also interested in the reader comment that “all PCI-PED certified terminals are strongly protected against attacks, including DPA”. I don’t know how well they are protected against DPA, but the I’ve seen some pretty scary vulnerabilities in PCI-certified terminals. The smart card guys do seem to have their act together pretty well on the security front nowadays, but terminal makers have a history of cutting corners and I don’t ever recall seeing PED vendors advertising DPA protection.

]]> By: A Reader http://storefrontbacktalk.com/securityfraud/thinking-about-security-roi-from-the-thiefs-perspective/comment-page-1/#comment-75401 A Reader Thu, 24 Jun 2010 13:05:41 +0000 http://www.storefrontbacktalk.com/?p=5603#comment-75401 Actually, all PCI-PED certified payment terminals are strongly protected against attacks, including DPA. Actually, all PCI-PED certified payment terminals are strongly protected against attacks, including DPA.

]]>