
Book Review: Hacking Point of Sale

samzenpus posted about a month ago | from the read-all-about-it dept.


benrothke (2577567) writes "The only negative thing to say about Hacking Point of Sale: Payment Application Secrets, Threats, and Solutions is its title. A cursory look at it may lead the reader to think that this is a book for a script kiddie, when it is in fact a necessary read for anyone involved with payment systems. The book provides a wealth of information that is completely pragmatic and actionable. The problem is, as the book notes in many places, that one is constantly patching a system that is inherently flawed and broken." Keep reading for the rest of Ben's review.

Often after a major information security breach incident, a public official (always in front of cameras and with many serious-looking people standing in the wings) will go on TV and say something akin to "we have to make sure this never happens again".

Last year, Target was the major victim. This month, it's eBay. But after hundreds of millions of records breached, it's not that anyone is saying it won't happen again. Rather, it's inevitable it will happen many more times.

There are a number of good books on PCI, but this is the first one that looks at the entire spectrum of credit card processing. Author Slava Gomzin is a security and payments technologist at HP and as evident in the book, he lives and breathes payment technology and his expert knowledge is manifest in every chapter. His technical expertise is certain to make the reader much better informed and understand the myriad issues involved.

The book provides an excellent overview to the workings of payment systems and Gomzin is not shy about showing how insecure many payment systems are. Its 9 chapters provide a good combination of deep technical and general detail.

The reader comes out with a very good overview of how payment systems work and what the various parts of it are. For many people, this may be the first time they are made aware of entities such as processors, acquirers and gateways.

An interesting point the book raises is that it has been observed there are fewer breaches in Europe since they use EMV (also known as chip and PIN) instead of the insecure magnetic-stripe cards which are used in the US. This leads to a perception that EMV is by default much stronger. But the book notes that EMV was never designed to secure the cardholder data after the point of sale. The recent breaches at Target and Neiman Marcus were such that cardholder data was pilfered after it was in the system.

Another major weakness with EMV is it doesn't provide added security to web and online transactions. When a customer goes to a site and makes a transaction with an EMV card, it is fundamentally the same as if they would have used a magnetic stripe card. What many people don't realize also is that EMV is not some new technology. It's been around for a while. What it did was reduce the amount of fraud for physical use amongst European merchants. But the unintended consequence was that it simply moved the fraud online, where EMV is powerless.

As noted, the book provides the details and vulnerabilities of every aspect of the life of a payment card, including physical security. In chapter 4, he notes that there are numerous features that are supposed to distinguish a genuine payment card from a counterfeit one. These include the logo, embossed primary account number (PAN), card verification values and ultraviolet (UV) marks. Each one of them has its own set of limits. As for the supposed security of UV marks, these are relatively easily replicated by a regular inkjet printer with UV ink.

In fact, Gomzin writes that all payment cards as they are in use today are insecure by design, due to the fact that the multiple physical security features don't provide adequate protection from theft, and that the sensitive cardholder data is encoded on the magnetic stripe in clear text.

Gomzin has numerous PCI certifications and, with all that, doesn't see PCI as the boon to payment card security that many do. He astutely observes that PCI takes a somewhat myopic approach in which data at rest is all that matters. Given that PCI doesn't require payment software vendors or users to encrypt application configuration data, which is usually stored in plaintext and open to uncontrolled modification, a payment application can be compromised through misconfiguration.

Even with PCI, Gomzin shows that credit card numbers are rather predictable in that their number space is in truth rather small, even though they may be 15-19 digits in length. This is due to the fact that PCI allows the first 6 and last 4 digits to be exposed in plaintext, so it's only 6 digits that need to be guessed. This enables a relatively easy brute force attack, and even easier if rainbow tables are used.

The Target breach was attributed to memory scraping, and the book notes that, as devastating an attack as memory scraping is, there are no existing reliable security mechanisms that would prevent it.

The appendix includes a POS vulnerability rank calculator which can provide a quick and dirty risk assessment of the POS and associated payments application and hardware. The 20 questions in the calculator can't replace a formal assessment. But the initial results would likely mimic what that formal assessment would enumerate.

So what will it take to fix the mess that POS and payment systems are in now? The book notes that the system has to be completely overhauled for POS security to truly work. He notes that point-to-point encryption is one of the best ways to do that. What is stopping that is the huge costs involved in redoing the payment infrastructure. But until then, breaches will be daily news.

Hacking Point of Sale is an invaluable resource that is highly relevant to a wide audience, be it those in compliance, information security, development, research or in your payment security group. If you are involved with payment systems, this is a necessary book.

When an expert like Slava Gomzin writes, his words should be listened to. He knows that payment breaches are inevitable. But he also shows you how to potentially avoid that tidal wave of inevitability.

Reviewed by Ben Rothke."

You can purchase Hacking Point of Sale: Payment Application Secrets, Threats, and Solutions from amazon.com. Slashdot welcomes readers' book reviews (sci-fi included) -- to see your own review here, read the book review guidelines, then visit the submission page.
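The review's point about the truncated PAN (first 6 and last 4 digits in the clear, only 6 digits unknown, and the Luhn check digit narrowing that further) worked through in Python, as an added example that is not code from the review or from Gomzin's book. It puts the weak pattern (an unkeyed hash of the full PAN stored beside the truncated PAN) next to the keyed-hash mitigation; the card number is the standard 4111... test value, the key is a constructed placeholder for an HSM/KMS-held secret, and the `X` mask character is this example's own convention.

```python
"""Added example, not code from the review or from Gomzin's book.

It works through the review's point that a PAN truncated to its first 6
and last 4 digits leaves only 6 unknown digits, and that the Luhn check
digit shrinks the space further, which is why an unkeyed hash of the full
PAN stored next to the truncated PAN is recoverable. The card number is the
standard 4111... test value, not a real account, and the key handling is a
stand-in for an HSM/KMS.
"""
import hashlib
import hmac
import itertools


def _luhn_weight(d: int, doubled: bool) -> int:
    """Value a digit contributes to the Luhn sum at its position."""
    if doubled:
        d *= 2
        if d > 9:
            d -= 9
    return d


def luhn_valid(pan: str) -> bool:
    """Mod-10 check: from the right, every second digit is doubled."""
    total = sum(_luhn_weight(int(c), i % 2 == 1)
                for i, c in enumerate(reversed(pan)))
    return total % 10 == 0


def masked_candidates(masked: str):
    """Yield every Luhn-valid PAN matching a mask such as '411111XXXXXX1111'.

    All unknown positions but the last are enumerated; the last is solved
    from the required check-sum residue, so every PAN yielded is valid by
    construction and only 10^(unknown-1) strings are produced.
    """
    n = len(masked)
    unknown = [i for i, c in enumerate(masked) if c == "X"]
    if not unknown:
        if luhn_valid(masked):
            yield masked
        return
    solve_pos, free = unknown[-1], unknown[:-1]
    doubled = lambda pos: (n - 1 - pos) % 2 == 1
    base = sum(_luhn_weight(int(c), doubled(i))
               for i, c in enumerate(masked) if c != "X")
    # Doubling permutes 0..9, so each residue maps to exactly one digit.
    inverse = {_luhn_weight(d, doubled(solve_pos)): d for d in range(10)}
    pan = list(masked)
    for digits in itertools.product(range(10), repeat=len(free)):
        total = base
        for pos, d in zip(free, digits):
            pan[pos] = str(d)
            total += _luhn_weight(d, doubled(pos))
        pan[solve_pos] = str(inverse[(-total) % 10])
        yield "".join(pan)


def candidate_count(masked: str) -> int:
    """Size of the space a truncated PAN leaves open (10^5 for six X's)."""
    return sum(1 for _ in masked_candidates(masked))


def plain_pan_hash(pan: str) -> str:
    """The weak storage pattern: unkeyed SHA-256 of the PAN."""
    return hashlib.sha256(pan.encode()).hexdigest()


def keyed_pan_hash(pan: str, key: bytes) -> str:
    """The stronger pattern: HMAC-SHA256 under a key kept out of the database."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def recover_from_plain_hash(masked: str, digest: str):
    """Hash the whole candidate space once and compare with a stored digest.
    Returns None when nothing matches, which is what happens when the stored
    digest was keyed and the key is not available to the searcher."""
    for pan in masked_candidates(masked):
        if plain_pan_hash(pan) == digest:
            return pan
    return None


def demo(pan: str = "4111111111111111", key: bytes = b"constructed-demo-key") -> dict:
    """Run both storage patterns against the same truncated PAN."""
    masked = pan[:6] + "X" * (len(pan) - 10) + pan[-4:]
    return {
        "masked": masked,
        "candidates": candidate_count(masked),
        "plain_hash_recovered": recover_from_plain_hash(masked, plain_pan_hash(pan)),
        "keyed_hash_recovered": recover_from_plain_hash(masked, keyed_pan_hash(pan, key)),
    }
```

`demo()` reports 100000 candidates for a 16-digit PAN, recovers the full PAN from the unkeyed digest, and finds nothing for the keyed one; this is the reason PCI DSS warns against keeping a truncated and a hashed copy of the same PAN together unless the hash is keyed or the PAN is tokenized.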


56 comments

POS (0)

Anonymous Coward | about a month ago | (#47094547)

Is that the system that Microsoft is now patching until 2019?

Re:POS (1, Offtopic)

ArcadeMan (2766669) | about a month ago | (#47094633)

No idea, but the summary mentions PCI a number of times, so at least you know you can still use your old PCI cards with it. No idea if it supports AGP though.

Re:POS (1)

Anonymous Coward | about a month ago | (#47094675)

No idea, but the summary mentions PCI a number of times, so at least you know you can still use your old PCI cards with it. No idea if it supports AGP though.

PCI means PCI-Compliance, in the most regard, it is VERY strict but 95% of dealers refuse to follow it's laws and conduct.

Re:POS (1)

ArcadeMan (2766669) | about a month ago | (#47094883)

I still don't know what "PCI" means in this context.

Re:POS (0)

Anonymous Coward | about a month ago | (#47095015)

Payment Card Industry

Re:POS (1)

Anonymous Coward | about a month ago | (#47095047)

Payment Card Industry [wikipedia.org]

Re:POS (0)

Anonymous Coward | about a month ago | (#47095405)

PLEASE CALL IGNATIUS.

Re:POS (0)

Anonymous Coward | about 2 months ago | (#47099193)

Pretty cool idea. It's how companies without any real security measure the success of untested security they've implemented. If the idea seems cool, it's good.

Re:POS (1)

Anonymous Coward | about a month ago | (#47094885)

The usage of the apostrophe is VERY complicated, and 95% of people refuse to understand that it's means it is.

Re:POS (1)

dargaud (518470) | about 2 months ago | (#47097793)

It's been good reading you.

Re:POS (3, Insightful)

mjwx (966435) | about 2 months ago | (#47096087)

No idea, but the summary mentions PCI a number of times, so at least you know you can still use your old PCI cards with it. No idea if it supports AGP though.

PCI means PCI-Compliance, in the most regard, it is VERY strict but 95% of dealers refuse to follow it's laws and conduct.

Whooosh.

That was the sound of you failing joke compliance.

The article never explains what PCI is, so to the average reader it could be Peripheral Component Interconnect, the Presbyterian Church in Ireland, the Pharmacy Council of India or maybe, just maybe Payment Card Industry.

Re:POS (1)

luis_a_espinal (1810296) | about 2 months ago | (#47099177)

No idea, but the summary mentions PCI a number of times, so at least you know you can still use your old PCI cards with it. No idea if it supports AGP though.

PCI means PCI-Compliance, in the most regard, it is VERY strict but 95% of dealers refuse to follow it's laws and conduct.

Whooosh. That was the sound of you failing joke compliance. The article never explains what PCI is, so to the average reader it could be Peripheral Component Interconnect, the Presbyterian Church in Ireland, the Pharmacy Council of India or maybe, just maybe Payment Card Industry.

The title "Hacking POS" should give a hint to the intended audience who would (or dare I say should) not confuse POS (Point-of-Sale) with you know what.

Hacking, in particular when discussed on a news-for-nerds site, should evoke the notion of a broad topic known as "computer security". That should lead the intended average reader (or one with google-fu skills) to know (or find) that POS stands for Point-of-Sale. 2+2=4, and the intended average reader (or one with sufficient technical acumen, like the ones that supposedly visit this site) should be able to find out what PCI means in this context.

PCI in this context should be spelled out when discussed with, I dunno, someone's grandma. It should not be so for people who are in tech. A quick google on hack POS PCI should provide enough clue...

Or maybe your post was a joke, and my internet sarcasm'o'meter is broken or something.

Re:POS (1)

ArcadeMan (2766669) | about 2 months ago | (#47099551)

Never, ever make your reader search for information. If you use acronyms, define what it is the first time you use it, such as "Point of sale (POS)".

What's better: having the author take two more seconds to do that, or letting your thousands of readers search for the information?

Re:POS (0)

Anonymous Coward | about a month ago | (#47095665)

If you don't know what PCI stands for...then it is not relevant for you.

Sorry for the tough love...but that's reality!

Re:POS (0)

Anonymous Coward | about a month ago | (#47094763)

The POS in both stories is the same. Microsoft doesn't make the only POS system though. This has nothing to do with the hack listed a few stories earlier.

Re:POS (1)

margeman2k3 (1933034) | about a month ago | (#47094861)

POS = Any point of sale (eg. cash register) system.
Windows POSReady = A version of Windows meant for a POS system (usually XP or 7).
PCI = Security guidelines that are supposed to protect debit/credit card information.

Re:POS (1)

Anonymous Coward | about a month ago | (#47095367)

POS = Any point of sale (eg. cash register) system.

And in terms of current implementations, there is the more well-known usage of these letters: POS=Piece of S***

Re:POS (1)

plopez (54068) | about a month ago | (#47095369)

You forgot the other definition of POS, the one that always pops into my mind before the others :)

Re:POS (1)

mjwx (966435) | about 2 months ago | (#47096129)

POS = Any point of sale (eg. cash register) system.
Windows POSReady = A version of Windows meant for a POS system (usually XP or 7).
PCI = Security guidelines that are supposed to protect debit/credit card information.

Having dealt with a lot of POS systems including Windows POSReady, the other definition, Piece Of Shit is also applicable.

In my experience, you don't need to bother trying to crack a 6 digit code on a credit card in order to get the number; most stores don't bother following any security guidelines, let alone strict ones like PCI (Payment Card Industry, not Peripheral Component Interconnect).

The worst I've seen is PCEFTPOS on an unpatched Windows XP machine (this was in 2012, they're probably still running them) that was also used by the staff to browse the internet and check their email. It wouldn't surprise me to find a lot of small chain stores to have similar setups completely swimming with malware.

Having worked with EFTPOS systems in small business, there are very good reasons why I prefer to make purchases in cash. The risk of me being robbed for the $100 I have on me is now less than the risk of me losing money due to card fraud.

Re:POS (1)

plopez (54068) | about a month ago | (#47095349)

I know one POS system used by a big box home hardware and home remodeling corporation was using TSO while I was shoulder surfing the clerk. Which I found interesting, as I assume it must be running a Z series on the back end. Since TSO and Z series information is very specialized, I assume few would actually know how to crack it. Security through obscurity. Others from the UI I have seen looked like MS UI or a Gnome variant.


Open-source tool to read PIN and Chip (1)

Anonymous Coward | about a month ago | (#47094607)

It used to be quite a 'closed' field, but there are now more and more open source tools to 'hack' and 'explore' payment systems.

Get a card reader and check out cardpeek [pannetrat.com]: a tool that will read every detail of a PIN and Chip card. It also works with NFC cards, and works on Linux like a charm (and Win7 and OSX).

Re:Open-source tool to read PIN and Chip (0)

Anonymous Coward | about a month ago | (#47095413)

NFC. This is what *really* feeds my unhappiness over the big push for EMV cards over here. At least with the magnetic strip, the attacker has to get the card out of my wallet. My bet is that the big sweetener to get merchants and banks to switch to EMV is NFC also in our cards. I'd call that a net loss.

Re:Open-source tool to read PIN and Chip (1)

rickb928 (945187) | about 2 months ago | (#47097075)

EMV doesn't require NFC. I'm unaware of any EMV implemented using NFC, in fact. EMV uses a chip that requires physical contacts.

And EMV terminals can be circumvented with a shim, fooling the acquirer into treating the transaction as genuine while faking the chip into offline mode. Overly simplified, but the result is the same.

And as is pointed out elsewhere on this thread, EMV solved nothing for internet transactions, or any card-not-present environment. And once the data is on the merchant or acquirer system, it's fair game.

EMV solves most frauds at the terminal. Most.

Re:Open-source tool to read PIN and Chip (0)

Anonymous Coward | about 2 months ago | (#47097861)

> EMV doesn't require NFC. I'm unaware of any EMV implemented using NFC, in fact.

Ouch. You have never heard of VISA paywave or MasterCard PayPass?
NFC EMV payment has existed all across Europe for a few years already. It has some fun privacy and security implications, as you can imagine...

i'm so *old* i recall when hacking meant... (1)

smoothnorman (1670542) | about a month ago | (#47094813)

...making something functional with less than optimum resources (cf. MacGyver, bodge-up, jury-rig, usw.), which preceded the notion of "one who gains unauthorized access to computers" by oh... perhaps a whole !@#n seven years.

here's another current worthy tome which supports that earlier notion, and thus causes undue confusion: Hacker's Delight [hackersdelight.org], which gets down to the hardware bits with some amazing cycle optimizations

Re:i'm so *old* i recall when hacking meant... (-1, Flamebait)

DogDude (805747) | about a month ago | (#47094827)

Oh, get off your high horse and come out of your mom's basement. Language changes.

Re:i'm so *old* i recall when hacking meant... (1)

smoothnorman (1670542) | about a month ago | (#47095025)

man, where did that come from? cuz my horse could hardly be lower. (my offhand remark even included the notion that "Language Changes". which couldn't be more true)

Re:i'm so *old* i recall when hacking meant... (0)

Anonymous Coward | about a month ago | (#47095753)

Go back to bed, grandpa.

PCI Standards... heh. (1)

MobSwatter (2884921) | about a month ago | (#47095087)

If the NSA hadn't broken encryption while still in the box, there would be less low hanging fruit. If the POS industry didn't hold such high expectations of $10-$15/hr techs, the deployments would be much more secure. I don't believe there has been enough attention placed upon the banks and the processors, and for the most part the ones that can actually afford to upgrade their systems a couple times a year; instead they push the cost to the end user and laugh all the way back to their office while the business attrition rate rockets.

Re:PCI Standards... heh. (0)

Anonymous Coward | about a month ago | (#47095455)

what do you mean by 'nsa broke encryption'?

Broke what encryption?

AES for example is secure.

Re:PCI Standards... heh. (1)

MobSwatter (2884921) | about 2 months ago | (#47095975)

Take a close look at the RSA not-so-random number generator while understanding these are very thorough people acting under orders, and not just FBI type orders, as there is a distinct difference between DOD and DOJ; drink in what happened to Philip Zimmermann with the FBI and PGP, and realize we ants are not allowed to have encryption unless it is broken. It hasn't worked out so well for bank cards, but it would seem it has done wonders for the black budget. There really isn't any way around it with the fear mongered and hyped terrorism market, kind of like when they were selling gas masks to the public back in WWII or iodine pills during the cold war era. Understand that lying, cheating and stealing is part of standard business today; think about how that might be reflected in the business of war.

Author Slava Gomzin (0)

Anonymous Coward | about a month ago | (#47095481)

I saw an interview with him and he is very smart. The interview is here http://www.creditcards.com/credit-card-news/slava_gomzin-safest-way-pay-1282.php

I know this has to be a good book if he wrote it.

He doesn't say as much, but he infers that PCI is a huge pile of garbage.

The only value it provides is that it gives companies like Trustwave and Pricewaterhouse tons of consulting business.

PCI won't help...but will cost (0)

Anonymous Coward | about a month ago | (#47095645)

I am a midsize merchant.

I spend way too much on PCI and all I get for it is scan report and a hearty bill.

I have a good sysadmin, I do not need PCI.

Where are the POS problems - with the makers of the hardware and software!!

Not with us merchants!!!!

Re:PCI won't help...but will cost (0)

Anonymous Coward | about a month ago | (#47095829)

Yes, I'm a large scale aggregator; we pay in excess of $1m a year in PCI/DSS audits. Having to deal with weak PCI scopes is a pain; even with companies like StrongAuth who flout 'military' grade encryption for their key and data stores, the transient data is still there. Sure, it's in PCI scope and reduces risk, but all the out of scope hardware has to deal with the PAN in transit. Even if you went with something like UniPay you still need the merchant application or even their customer portal to work with out-of-scope PANs. Where are these hosted? Public servers, co-located, VPS, shared hosting?! Sheesh.

How about eCommerce sites which talk to gateways through API's? I've seen scores of them. Sites that store PAN, expiry and CCV without any encryption? Yep, they're out there...

Re:PCI won't help...but will cost (1)

west (39918) | about 2 months ago | (#47096141)

PCI isn't the be-all and end-all, but I have to say that it's a set of metrics that at least prevent stores from assuming that everyone else is storing their PANs in plaintext, etc.

I consider it like restaurant health inspections. Doesn't mean the restaurant can't poison you, but a lot less food poisoning occurs because of it.

Re:PCI won't help...but will cost (0)

Anonymous Coward | about 2 months ago | (#47096393)

It's kind of like that, except you don't pay for the health inspectors to inspect your restaurant. I think if PCI was enforced and random inspections occurred things would change. The PCI item list would probably decrease in size for a start, otherwise a lot of eCommerce sites would just be taken down.

Re:PCI won't help...but will cost (0)

Anonymous Coward | about 2 months ago | (#47096679)

Great point!!

tell it to the QSA!

Re:PCI won't help...but will cost (0)

Anonymous Coward | about 2 months ago | (#47096737)

there ain't no such thing as 'military' grade encryption!!!!

let me say it again: there ain't no such thing as 'military' grade encryption!!!! there ain't no such thing as 'military' grade encryption!!!! there ain't no such thing as 'military' grade encryption!!!!

Re:PCI won't help...but will cost (0)

Anonymous Coward | about 2 months ago | (#47096753)

it is sooooooooooooo important...got to say it again:

there ain't no such thing as 'military' grade encryption!!!!

Re:PCI won't help...but will cost (0)

Anonymous Coward | about 2 months ago | (#47105463)

I guess the quotes around 'military' kind of give that away. But you've made your point...

Security isn't always worth it... (1)

west (39918) | about 2 months ago | (#47096133)

I'm all in favor of security, but before we rip stores for bad security, I think we need to understand that many stores don't spend a fortune on security for the same reason we don't hire armed guards for our home. The cost simply isn't worth the decreased risk. And quite frankly, if we received a $100 bill for every credit card we owned to pay for that security, people would have a fit.

We'll get high security once the public is willing to pay for it, and not a moment sooner. Until that point, stores will only pay enough to avoid being especially vulnerable. After all, in crime, all that usually matters is not being the *weakest* link.

Re:Security isn't always worth it... (0)

Anonymous Coward | about 2 months ago | (#47096713)

thanks...but i don't exactly get your point...can you expand on it?

I am a PCI QSA...and it is of value (-1)

Anonymous Coward | about 2 months ago | (#47096791)

Hi - I am a PCI QSA for a Big 4 consulting firm.

While everyone likes to bash PCI, we can quantitatively show via our analysis that PCI has reduced breaches by 81%, increased overall security by 71%, increased overall privacy by 91%, and in fact, driven processing costs DOWN by 8%.

PCI is not perfect, but it is working.

Reach out to me off-line and more than happy to share them via NDA.

Very Easy (1)

aaronb1138 (2035478) | about 2 months ago | (#47097347)

All of this can be simplified by architecting purpose designed networks, and for a minimum of cost. You have a firewall (and possibly a switch). There are 2 VLANs. On one (let's say VLAN 100) is the free Wifi, the Pandora feed to the house audio, and the internet connection at the workstations the managers blow time at. On the other (let's call it VLAN 222) are the network connections for the POS equipment. On VLAN 222, the firewall allows no inbound connections with the slim exception of VPN secured traffic. Outbound connections on VLAN 222 are restricted to OS/AV/POS update hosts on SSL or similar and CC auth processors. Generic internet access is banned on VLAN 222. The back office POS software runs in a VM that only has access to VLAN 222. The manager workstation runs the VM if necessary as well as has its own access to the internet (if necessary). The POS terminals, even if they are those hip, all the rage, iPads, do not have internet access.

This is more or less (minus VMs, DSL, and iPads, and replace VPN with dedicated password protected dial-in) the way we designed POS security in the late 90's when I was doing POS. As far as I can tell, it is mostly PCI compliant.

The issues we're seeing are people getting all manner of malware (from pr0n/etc.) on the manager back office workstation, similar from the POS terminals, and using Logmein / Teamviewer with weak passwords on the back office server. We knew better 15 years ago, so anyone who is getting hit by such garbage is a lame hack.

Re:Very Easy (1)

benrothke (2577567) | about 2 months ago | (#47098607)

I agree with you.

The issue though is that these ‘purpose designed networks’ can, at limited times, be created with a small set of requirements (purposes).

But in large e-commerce settings, with multiple suppliers, inputs, etc., the purpose expands significantly, with complexity that quickly becomes unmanageable; and quickly insecure.

Re:Very Easy (1)

aaronb1138 (2035478) | about 2 months ago | (#47105313)

True, but inventory management and reporting don't have any need to coexist on the same network. It's easy enough to have the POS side running on one VLAN and a one-way replication of aggregate sales numbers pushed to the inventory management and reporting side. Heck, just replicate a copy of the database with all of the customers' personal information and CC#s stripped out.

An odd angle to why Target got hit with such a huge data loss breach was the fact that they were getting too nosy about their customer habits. They used analytics to tell when individual customers were pregnant and send targeted advertising (pun not intended): http://www.forbes.com/sites/kashmirhill/2012/02/16/how-target-figured-out-a-teen-girl-was-pregnant-before-her-father-did/

These kinds of data leaks occur because they were playing the big data game and combing obsessively over personally identifiable data repeatedly to create better consumers. How much harder is it for the admin to secure the network when the folks in marketing want giant swaths of data they lack the responsibility to handle? The data breaches at Target were easy, because it had become too much of a hassle to try to secure data half the company was rooting through. I doubt eBay was any different, and if anything it had an even more haphazard attitude given their model is to not be responsible for the products they sell.

Re:Very Easy (1)

benrothke (2577567) | about 2 months ago | (#47120341)

Excellent points.

When it comes to targeted advertising and big data analytics, seems like security will always get the short shrift.

Torching the house rather than lighting a candle.. (1)

jaeztheangel (2644535) | about 2 months ago | (#47098467)

For every good soul who buys this to strengthen their systems, how many scammers will use this as a guidebook for looting?

Re:Torching the house rather than lighting a candl (1)

benrothke (2577567) | about 2 months ago | (#47098595)

Interesting point.

But that same admonition was used when the first ‘Hacking Exposed’ book came out. Which is similar to the argument that terrorists will use strong encryption.

Ultimately, it simply makes it more of an imperative that the white hats read these books.

Full list of the series here:

http://www.amazon.com/s/?_enco... [amazon.com]

Re:Torching the house rather than lighting a candl (1)

xxxJonBoyxxx (565205) | about 2 months ago | (#47099741)

>> how many scammers will use this as a guidebook for looting

Probably zero.

>> Gomzin shows that credit card numbers are rather predictable in that their number space is in truth rather small, even though they may be 15-19 digits in length. This is due to the fact that PCI allows the first 6 and last 4 digits to be exposed in plaintext, so it's only 6 digits that need to be guessed. This enables a relatively easy brute force attack, and even easier if rainbow tables are used.

Yeah...try brute forcing credit card numbers through a provider from a single (even small number) of terminals and see what happens to you.

If you're interested in grabbing credit cards, walking through an outdoor cafe with a video camera, hacking ATM OSes (maybe through a "hidden" USB), and looking at trace log files on obscure web servers (especially those that log everything coming through as they're talking to remote providers) are still probably more effective methods than what's covered in the book.
