ShowMeCon2016 - Show Me Your Credit Card Tokens
TRANSCRIPT
![Page 1: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/1.jpg)
ShowMeCon 2016
@malcomvetter
![Page 2: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/2.jpg)
About Me: Tim MalcomVetter (@malcomvetter)
• Local: Born & Raised in STL
![Page 3: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/3.jpg)
About Me: Tim MalcomVetter (@malcomvetter)
• 15 Years in IT: Defender, Builder, Breaker
![Page 4: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/4.jpg)
About Me: Tim MalcomVetter (@malcomvetter)
• Director, Red Team @ Fortune 1 (a.k.a. APT in 25th largest economy in the world)
![Page 5: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/5.jpg)
About Me: Tim MalcomVetter (@malcomvetter)
• Presenter: BlackHat Arsenal, BSides, ArchC0N, Secure World Expo, Developer Conferences, etc.
![Page 6: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/6.jpg)
About Me: Tim MalcomVetter (@malcomvetter)
• Spent too much time in school
• (including a couple Univ of MO campuses)
![Page 7: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/7.jpg)
About Me: Tim MalcomVetter (@malcomvetter)
• CVEs and ABC Soup
![Page 8: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/8.jpg)
Disclaimer #1
• All content derives from my own opinions and does not represent my employer’s views or opinions.
@malcomvetter
![Page 9: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/9.jpg)
Disclaimer #2
• All example requests/responses are sanitized examples observed from consulting clients from my prior life as a security consultant.
@malcomvetter
![Page 10: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/10.jpg)
Agenda
• Refresher: Truncation vs. Tokenization
• Tokenization Attacks:
  • Malicious Insiders vs. Tokenization Flaws
  • Side Channel Attacks
  • Careless Tokenization Software Bugs
  • DevOps, Tokenization, & You
  • RAM Scraping Servers
@malcomvetter
![Page 11: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/11.jpg)
Quick Poll
How many Defenders?
@malcomvetter
![Page 12: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/12.jpg)
Quick Poll
How many Builders?
@malcomvetter
![Page 13: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/13.jpg)
Quick Poll
How many Breakers?
@malcomvetter
![Page 14: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/14.jpg)
Quick Poll
How many Implemented Credit Card Tokenization?
@malcomvetter
![Page 15: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/15.jpg)
Quick Poll
How many unsure if your transactions are tokenized?
@malcomvetter
![Page 16: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/16.jpg)
Truncation vs Tokenization
@malcomvetter
![Page 17: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/17.jpg)
Credit Card Truncation
@malcomvetter
![Page 18: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/18.jpg)
Credit Card Truncation
6 digits in the middle
@malcomvetter
![Page 19: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/19.jpg)
Credit Card Truncation
PAN: 4111-1111-1111-1111
Truncated: 4111-11XX-XXXX-1111
| Issuer | Bank ID | Account # | Check Digit |
|---|---|---|---|
| 4 | 11111 | 111111111 | 1 |
@malcomvetter
![Page 20: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/20.jpg)
Computational Complexity for Truncation
So how hard is it to guess the missing digits?
@malcomvetter
![Page 21: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/21.jpg)
Computational Complexity for Truncation
10^6 = 1 Million Guesses (worst case)
@malcomvetter
![Page 22: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/22.jpg)
Computational Complexity for Truncation
500K guesses (average case)
@malcomvetter
![Page 23: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/23.jpg)
Computational Complexity for Truncation
Luhn Algorithm (a.k.a. “Mod 10” rule)
@malcomvetter
![Page 24: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/24.jpg)
Computational Complexity for Truncation
Last Digit is Check Digit (Luhn/Mod 10)
PAN: 4111-1111-1111-1111
Truncated: 4111-11XX-XXXX-1111
| Issuer | Bank ID | Account # | Check Digit |
|---|---|---|---|
| 4 | 11111 | 111111111 | 1 |
@malcomvetter
![Page 25: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/25.jpg)
Computational Complexity for Truncation
So actually 10^5 = 100,000 Guesses (worst case)
@malcomvetter
![Page 26: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/26.jpg)
Computational Complexity for Truncation
50,000 Guesses (average case)
@malcomvetter
![Page 27: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/27.jpg)
Computational Complexity for Truncation
Easy to brute force offline!
@malcomvetter
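The guess counts on the preceding slides follow from the Luhn rule fixing one of the masked digits. As an added example (not from the talk), this Python implements the Luhn check and computes the worst- and average-case guess counts for the slide's truncation mask; the mask format with `X` for hidden digits is an assumption.

```python
# Added example, not code from the talk: Luhn (mod 10) check digit and the
# size of the search space a truncated PAN leaves behind.


def luhn_check_digit(payload: str) -> int:
    """Return the digit that makes payload + digit pass the Luhn test."""
    total = 0
    # Walk from the right; the digit nearest the check digit is doubled.
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10


def luhn_valid(pan: str) -> bool:
    """True when the last digit is the Luhn check digit of the rest."""
    digits = pan.replace("-", "").replace(" ", "")
    if not digits.isdigit() or len(digits) < 2:
        return False
    return luhn_check_digit(digits[:-1]) == int(digits[-1])


def truncation_keyspace(mask: str, use_luhn: bool = True) -> tuple[int, int]:
    """(worst, average) guesses to recover a truncated PAN such as
    '4111-11XX-XXXX-1111' (assumed format: X marks a hidden digit).
    Each hidden digit contributes a factor of 10; the Luhn rule ties one
    digit to all the others, so it removes one factor of 10."""
    digits = mask.replace("-", "").replace(" ", "")
    hidden = digits.count("X")
    if hidden == 0:
        return 1, 1
    worst = 10 ** (hidden - 1) if use_luhn else 10 ** hidden
    return worst, worst // 2
```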
![Page 28: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/28.jpg)
Computational Complexity for Truncation
PCI Allows Storage of Truncated PANs
PAN: 4111-1111-1111-1111
Truncated: 4111-11XX-XXXX-1111
| Issuer | Bank ID | Account # | Check Digit |
|---|---|---|---|
| 4 | 11111 | 111111111 | 1 |
@malcomvetter
![Page 29: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/29.jpg)
Computational Complexity for Truncation
PCI DSS 3.4 Warning (homework for later)
PAN: 4111-1111-1111-1111
Truncated: 4111-11XX-XXXX-1111
| Issuer | Bank ID | Account # | Check Digit |
|---|---|---|---|
| 4 | 11111 | 111111111 | 1 |
@malcomvetter
![Page 30: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/30.jpg)
Credit Card Tokens
So what do tokens look like?
@malcomvetter
![Page 31: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/31.jpg)
Credit Card Tokens
Tokens are typically derived values
@malcomvetter
![Page 32: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/32.jpg)
Credit Card Tokens
Hash: 68bfb396f35af3876fc509665b3dc23a0930aab1
@malcomvetter
![Page 33: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/33.jpg)
Credit Card Tokens
Substitution: 4716-6290-9207-1441
(legacy systems)
@malcomvetter
![Page 34: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/34.jpg)
Credit Card Tokens
Database ID or GUID: 4b3f7ce6-2228-4df8-adcd-8f807a4b37f6
@malcomvetter
![Page 35: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/35.jpg)
Credit Card Tokens
Encrypted: aL+zlvNa84dvxQlmWz3COgkwqrE= (base64)
@malcomvetter
![Page 36: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/36.jpg)
Credit Card Tokens
Encrypted? Where are the keys??
@malcomvetter
![Page 37: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/37.jpg)
Our Discussion Scope Today
Enterprise Targets
@malcomvetter
![Page 38: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/38.jpg)
Our Discussion Scope Today
DIY / Self-hosted Tokenization
@malcomvetter
![Page 39: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/39.jpg)
Our Discussion Scope Today
Large Scale Retail or eCommerce
@malcomvetter
![Page 40: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/40.jpg)
Our Discussion Scope Today
Not Payment Gateways or Clearinghouses
@malcomvetter
![Page 41: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/41.jpg)
Our Discussion Scope Today
(Although some principles carry over to service providers)
@malcomvetter
![Page 42: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/42.jpg)
Our Discussion Scope Today
Not Attacking the Crypto!
@malcomvetter
![Page 43: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/43.jpg)
Our Discussion Scope Today
Attacking the “seams” between payment & commerce
@malcomvetter
![Page 44: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/44.jpg)
Our Discussion Scope Today
Be careful rolling your own tokenization
@malcomvetter
![Page 45: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/45.jpg)
Malicious Insiders vs. Tokenization Flaws
@malcomvetter
![Page 46: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/46.jpg)
A Malicious Insider …
Probably IT Support Personnel
@malcomvetter
![Page 47: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/47.jpg)
A Malicious Insider …
(System/Network/DB Administrator or Developer)
@malcomvetter
![Page 48: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/48.jpg)
A Malicious Insider …
Has access to Commerce App’s DB
@malcomvetter
![Page 49: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/49.jpg)
A Malicious Insider …
Access to: Customer Billing Info
@malcomvetter
![Page 50: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/50.jpg)
A Malicious Insider …
Access to: Truncated Credit Cards
@malcomvetter
![Page 51: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/51.jpg)
A Malicious Insider …
Access to: Tokens
@malcomvetter
![Page 52: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/52.jpg)
A Malicious Insider …
Has knowledge of Tokenization Architecture
@malcomvetter
![Page 53: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/53.jpg)
A Malicious Insider …
Knowledge of: Web Service APIs
@malcomvetter
![Page 54: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/54.jpg)
A Malicious Insider …
Knowledge of: URLs
@malcomvetter
![Page 55: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/55.jpg)
A Malicious Insider …
Access to: Request Logs
@malcomvetter
![Page 56: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/56.jpg)
Best Case Scenario
A Malicious Insider must…
@malcomvetter
![Page 57: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/57.jpg)
Best Case Scenario
Enumerate Credit Cards == Truncation
@malcomvetter
![Page 58: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/58.jpg)
Best Case Scenario
50,000 guesses (average case) per Credit Card record
@malcomvetter
![Page 59: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/59.jpg)
Best Case Scenario
But Validation is Online, not Offline
@malcomvetter
![Page 60: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/60.jpg)
Best Case Scenario
Live Transactions against Credit Card Auth Server
@malcomvetter
![Page 61: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/61.jpg)
Best Case Scenario
Fraud Detection/Throttling Saves the Day
@malcomvetter
![Page 62: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/62.jpg)
Worst Case Scenario
Tokenization URL is Internet Facing
@malcomvetter
![Page 63: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/63.jpg)
Worst Case Scenario
Commerce App Performs Auth, but…
@malcomvetter
![Page 64: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/64.jpg)
Worst Case Scenario
Payment Service Does NOT Auth Requests!
@malcomvetter
![Page 65: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/65.jpg)
Worst Case Scenario
Payment Service Does NOT Auth Requests!
(Actually Quite Typical)
@malcomvetter
![Page 66: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/66.jpg)
Worst Case Scenario
Why?
@malcomvetter
![Page 67: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/67.jpg)
Worst Case Scenario
Payment Server Physically Separated in PCI DMZ
@malcomvetter
![Page 68: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/68.jpg)
Worst Case Scenario
@malcomvetter
![Page 69: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/69.jpg)
Worst Case Scenario
Payment Server Physically Separated in PCI DMZ
@malcomvetter
![Page 70: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/70.jpg)
Worst Case Scenario
Payment Server Physically Separated in PCI DMZ
(no sharing of session state)
@malcomvetter
![Page 71: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/71.jpg)
Worst Case Scenario
Different DNS Domain for Payment Server
@malcomvetter
![Page 72: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/72.jpg)
Worst Case Scenario
Different DNS Domain for Payment Server
(Session Cookies do not interchange)
@malcomvetter
![Page 73: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/73.jpg)
Worst Case Scenario
No Request Throttling on Payment Service!
@malcomvetter
![Page 74: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/74.jpg)
Worst Case Scenario
No Request Throttling on Payment Service!
(also quite typical)
@malcomvetter
![Page 75: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/75.jpg)
Worst Case Scenario
No Request Throttling on Payment Service!
(Identifying abusers is difficult)
@malcomvetter
![Page 76: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/76.jpg)
Worst Case Scenario
Sort of a Design Flaw 0Day…
@malcomvetter
![Page 77: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/77.jpg)
Worst Case Example (based on actual retailers)
@malcomvetter
![Page 78: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/78.jpg)
Worst Case Example
1. Customer checking out from store.example.com
@malcomvetter
![Page 79: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/79.jpg)
Worst Case Example
2. Browser places payment request
(based on actual retailers)
@malcomvetter
![Page 80: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/80.jpg)
Worst Case Example
```http
POST /api/generateCcToken HTTP/1.1
Host: payment.example.com
Connection: keep-alive
Accept: */*
Content-Type: application/json
Content-Length: 51
Cookie: [...Session Cookies Here...]

{"cc":"4111111111111111","expmm":"12","expyy":"17"}
```
@malcomvetter
![Page 81: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/81.jpg)
Worst Case Example
Send it again, this time no cookies!
@malcomvetter
![Page 82: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/82.jpg)
Worst Case Example
```http
POST /api/generateCcToken HTTP/1.1
Host: payment.example.com
Connection: keep-alive
Accept: */*
Content-Type: application/json
Content-Length: 51

{"cc":"4111111111111111","expmm":"12","expyy":"17"}
```
@malcomvetter
![Page 83: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/83.jpg)
Worst Case Example
Server Response (again, based on actual retailers)
@malcomvetter
![Page 84: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/84.jpg)
Worst Case Example
```http
HTTP/1.1 200 OK
Content-Type: application/json

{"token": "4a680016becd130b717e2f72562ceaadc9a1a5358578add7a68e4001df8416f6"}
```
@malcomvetter
![Page 85: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/85.jpg)
Worst Case Example
No “Access Denied” response
@malcomvetter
![Page 86: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/86.jpg)
Worst Case Example
No “Access Denied” response (even though no cookies)
@malcomvetter
![Page 87: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/87.jpg)
Worst Case Example
Server just takes a PAN, gives you a token.
@malcomvetter
![Page 88: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/88.jpg)
Worst Case Example
No cookies required.
@malcomvetter
![Page 89: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/89.jpg)
Worst Case Example
No cookies required. (Why?)
@malcomvetter
![Page 90: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/90.jpg)
Worst Case Example
Different Servers. Different Domain.
@malcomvetter
![Page 91: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/91.jpg)
Worst Case Example
No sharing of data.
@malcomvetter
![Page 92: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/92.jpg)
Worst Case Example
PCI Cooties.
@malcomvetter
![Page 93: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/93.jpg)
Worst Case Example
Malicious Insider can …
@malcomvetter
![Page 94: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/94.jpg)
A Malicious Insider Can …
1. Compute all PANs
@malcomvetter
![Page 95: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/95.jpg)
A Malicious Insider Can …
1. Compute all PANs (based on truncated PANs)
@malcomvetter
![Page 96: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/96.jpg)
A Malicious Insider Can …
1. Compute all PANs (50K guesses average case)
@malcomvetter
![Page 97: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/97.jpg)
A Malicious Insider Can …
1. Compute all PANs
2. Iterate through each
@malcomvetter
![Page 98: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/98.jpg)
A Malicious Insider Can …
1. Compute all PANs
2. Iterate through each
3. Submit Requests Anonymously
@malcomvetter
![Page 99: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/99.jpg)
A Malicious Insider Can …
1. Compute all PANs
2. Iterate through each
3. Submit Requests Anonymously (bonus points for botnet/mining/randomizing requests)
@malcomvetter
![Page 100: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/100.jpg)
A Malicious Insider Can …
1. Compute all PANs
2. Iterate through each
3. Submit Requests Anonymously
4. If (response == token): Win!
@malcomvetter
![Page 101: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/101.jpg)
A Malicious Insider Can …
You sunk my battleship!
@malcomvetter
![Page 102: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/102.jpg)
Worst Case Example
Throttling on the Payment Server is Difficult.
@malcomvetter
![Page 103: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/103.jpg)
Worst Case Example
no unique cookies
@malcomvetter
![Page 104: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/104.jpg)
Worst Case Example
no unique cookies (attacker could throw them away anyway)
@malcomvetter
![Page 105: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/105.jpg)
Worst Case Example
Blocking by IP Address?
@malcomvetter
![Page 106: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/106.jpg)
Worst Case Example
What about NAT’ed customers?
@malcomvetter
![Page 107: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/107.jpg)
Worst Case Example
What about cloud/botnet attackers?
@malcomvetter
![Page 108: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/108.jpg)
Worst Case Example
Split the load like bitcoin mining.
@malcomvetter
![Page 109: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/109.jpg)
Worst Case Example
“Slow cook” the Payment Server
@malcomvetter
![Page 110: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/110.jpg)
Potential Solution
How to solve this?
@malcomvetter
![Page 111: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/111.jpg)
Potential Solution
Authentication Hand-off across domain boundaries
@malcomvetter
![Page 112: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/112.jpg)
Potential Solution
Authentication Hand-off across domain boundaries
(a.k.a. federated authentication)
@malcomvetter
![Page 113: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/113.jpg)
Potential Solution
```http
POST /api/generateCcToken HTTP/1.1
Host: payment.example.com
Connection: keep-alive
Accept: */*
Content-Type: application/json
Content-Length: 161

{"authToken":"VGhpcyBpcyBqdXN0IGFuIGV4YW1wbGUuIEEgcmVhbCBvbmUgd291bGQgYmUgYmV0dGVyLg==", "cc":"4111111111111111","expmm":"12","expyyyy":"2017"}
```
@malcomvetter
![Page 114: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/114.jpg)
Potential Solution
AuthToken must be generated by Commerce App Server
@malcomvetter
![Page 115: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/115.jpg)
Potential Solution
(similar to Commercial Payment Processors which “sign” data elements)
@malcomvetter
![Page 116: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/116.jpg)
Potential Solution
Don’t implement in JavaScript!
@malcomvetter
![Page 117: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/117.jpg)
Potential Solution
Don’t implement in JavaScript! (attackers can unravel/replicate that logic)
@malcomvetter
![Page 118: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/118.jpg)
Side Channel Attacks
@malcomvetter
![Page 119: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/119.jpg)
Side Channel Attacks
My Favorite Variety of Attacks
@malcomvetter
![Page 120: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/120.jpg)
Side Channel is:
Unintended Channels of Information Flow
@malcomvetter
![Page 121: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/121.jpg)
Side Channel is:
Find a 1 or 0 in the Noise
@malcomvetter
![Page 122: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/122.jpg)
Side Channel Attacks
Extra Credit Homework: Refer to Shannon’s Law
@malcomvetter
![Page 123: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/123.jpg)
Side Channel Attacks
Side Channel #1: Timing Attacks
@malcomvetter
![Page 124: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/124.jpg)
1. Timing Attacks
Very Difficult to Prevent
@malcomvetter
![Page 125: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/125.jpg)
1. Timing Attacks
Seldom Considered by Developers
![Page 126: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/126.jpg)
1. Timing Attacks
Inspiration comes from:
![Page 127: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/127.jpg)
1. Timing Attacks
Inspiration comes from: 1) Malicious Insiders with Truncated PANs
![Page 128: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/128.jpg)
1. Timing Attacks
Inspiration comes from: 2) Attackers who access a customer’s account and view saved Credit Cards
![Page 129: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/129.jpg)
The Trick:
Step 1: Submit previously unused PANs, record response times
![Page 130: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/130.jpg)
The Trick:
Step 2: Submit a repeat batch, compare response times.
![Page 131: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/131.jpg)
The Trick:
Step 3: Observe predictable deltas in response times.
![Page 132: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/132.jpg)
Timing Attack Example
![Page 133: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/133.jpg)
1. Timing Attacks
Previously Tokenized PANs take half as long to process
![Page 134: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/134.jpg)
Timing Attack Example - Pseudocode
```
hash := sha256(CreditCard)
dbResults := sql(select * from CC where hash = :hash)
if (dbResults.count > 0):
    return dbResults[0]
else:
    sql(insert into CC (CreditCard))
    return hash
```
![Page 135: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/135.jpg)
1. Timing Attacks
Did you catch the flaw?
![Page 136: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/136.jpg)
1. Timing Attacks
New Tokens hit the DB twice, slows down response times
![Page 137: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/137.jpg)
Timing Attack Example - Pseudocode
```
hash := sha256(CreditCard)
dbResults := sql(select * from CC where hash = :hash)   -- DB round trip 1 (every request)
if (dbResults.count > 0):
    return dbResults[0]                                  -- known PAN: answered after one round trip
else:
    sql(insert into CC (CreditCard))                     -- DB round trip 2 (new PANs only)
    return hash
```
![Page 138: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/138.jpg)
1. Timing Attacks
Response ~100ms == Actual Credit Card
![Page 139: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/139.jpg)
Side Channel Attacks
Side Channel #2: MyProfile Attacks
![Page 140: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/140.jpg)
2. MyProfile Attacks
Attacker steals customer’s session cookies or credentials
![Page 141: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/141.jpg)
2. MyProfile Attacks
Attacker observes Truncated PANs in “Saved Credit Cards”
![Page 142: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/142.jpg)
2. MyProfile Attacks
Developers: “But, our Commerce App does not even have Credit Card data in it, just tokens!”
![Page 143: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/143.jpg)
2. MyProfile Attacks
Okay.
![Page 144: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/144.jpg)
2. MyProfile Attacks
(This affects literally hundreds of eCommerce applications right now.)
![Page 145: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/145.jpg)
The Trick
Step 1: Submit a possible PAN to match a Truncated PAN
![Page 146: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/146.jpg)
The Trick
Step 1: Submit a possible PAN to match a Truncated PAN
(using same billing information shown in profile)
![Page 147: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/147.jpg)
The Trick
Step 2: Observe how many saved payment methods in “MyProfile”
![Page 148: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/148.jpg)
The Trick
If count increased by 1, the Attacker guessed wrong.
![Page 149: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/149.jpg)
The Trick
Bonus Points:
Delete the wrong credit card from the profile
(Automation)
![Page 150: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/150.jpg)
The Trick
If count is the same, the Attacker wins!
![Page 151: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/151.jpg)
The Trick
You sunk my battleship!
![Page 152: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/152.jpg)
The Trick
Force the server to provide a boolean logic response.
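The saved-card probe described in these steps leaves a trace a defender can look for. As an added example (not from the talk), the script below runs detection logic over a few constructed log lines: an automated guesser that adds a candidate card, checks the saved-card count and deletes the wrong guess shows up as a burst of add/delete events on one account within minutes. The log format, field names, thresholds and function names are assumptions made for this demo.

```javascript
// Added example, not from the talk: detection for the MyProfile probe.
// Log lines and their fields are constructed for this demo.
const SAMPLE_LOG = [
  '2016-06-01T09:00:00Z account=3003 action=payment_method_add',
  '2016-06-09T18:30:00Z account=3003 action=payment_method_add',
  '2016-06-10T12:00:01Z account=1001 action=payment_method_add',
  '2016-06-10T12:00:02Z account=1001 action=payment_method_delete',
  '2016-06-10T12:00:03Z account=1001 action=payment_method_add',
  '2016-06-10T12:00:04Z account=1001 action=payment_method_delete',
  '2016-06-10T12:00:05Z account=1001 action=payment_method_add',
  '2016-06-10T12:00:06Z account=1001 action=payment_method_delete',
  '2016-06-10T12:00:07Z account=1001 action=payment_method_add',
  '2016-06-10T12:05:00Z account=2002 action=payment_method_add',
  '2016-06-10T12:05:01Z account=2002 action=login',
  'this line is malformed and is skipped',
];

// One log line -> { ts, account, action }, or null when it does not parse.
function parseLine(line) {
  const m = /^(\S+) account=(\d+) action=(\S+)$/.exec(line);
  return m ? { ts: Date.parse(m[1]), account: m[2], action: m[3] } : null;
}

// Flags an account when, inside any windowMs starting at one of its adds, it
// performed at least `minAdds` adds and at least `minAdds - 1` deletes.
// Real customers rarely add and remove several cards within a few minutes.
function findProfileChurn(lines, { windowMs = 10 * 60 * 1000, minAdds = 3 } = {}) {
  const byAccount = new Map();
  for (const line of lines) {
    const ev = parseLine(line);
    if (!ev || !ev.action.startsWith('payment_method_')) continue;
    if (!byAccount.has(ev.account)) byAccount.set(ev.account, []);
    byAccount.get(ev.account).push(ev);
  }
  const flagged = [];
  for (const [account, events] of byAccount) {
    events.sort((a, b) => a.ts - b.ts);
    for (let i = 0; i < events.length; i++) {
      if (events[i].action !== 'payment_method_add') continue;
      const end = events[i].ts + windowMs;
      let adds = 0, deletes = 0;
      for (let j = i; j < events.length && events[j].ts <= end; j++) {
        if (events[j].action === 'payment_method_add') adds++;
        else if (events[j].action === 'payment_method_delete') deletes++;
      }
      if (adds >= minAdds && deletes >= minAdds - 1) {
        flagged.push({ account, windowStart: new Date(events[i].ts).toISOString(), adds, deletes });
        break; // one alert per account is enough
      }
    }
  }
  return flagged;
}

console.log(findProfileChurn(SAMPLE_LOG));
```

The same signal is stronger when the delete follows the add by seconds and the add requests share billing details with an existing card, which is exactly what the guesser has to do; both facts are usually in the same application log.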
![Page 153: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/153.jpg)
MyProfile Attack – Solutions
How to solve this?
![Page 154: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/154.jpg)
MyProfile Attack – Solutions
Always add a new saved payment method
![Page 155: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/155.jpg)
MyProfile Attack – Solutions
Always add a new saved payment method
(even if the billing info and PAN match previous)
![Page 156: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/156.jpg)
MyProfile Attack – Solutions
This often has to be implemented on the Tokenization Server
![Page 157: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/157.jpg)
MyProfile Attack – Solutions
(send the Commerce App a new token – don’t worry about token record efficiency!)
![Page 158: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/158.jpg)
Side Channel Attacks
Side Channel #3: Helpful Headers
![Page 159: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/159.jpg)
3. Helpful Headers
Got RESTful G33ks?
![Page 160: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/160.jpg)
3. Helpful Headers
RESTful G33ks ❤ Status Codes
![Page 161: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/161.jpg)
3. Helpful Headers
• 200 OK
• 201 Created
• 202 Accepted
• 301 Moved Permanently
• 302 Found
• 304 Not Modified
• 400 Bad Request
• 401 Unauthorized
• 404 Not Found
• etc.
![Page 162: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/162.jpg)
3. Helpful Headers
What if a token request results in:
```
HTTP/1.1 201 Created
Content-Type: application/json
[…snip…]
```
![Page 163: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/163.jpg)
3. Helpful Headers
Instead of:
```
HTTP/1.1 200 OK
Content-Type: application/json
[…snip…]
```
![Page 164: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/164.jpg)
3. Helpful Headers
Status codes indicate a token match, just like with MyProfile Attacks.
![Page 165: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/165.jpg)
3. Helpful Headers
201 Created == NEW PAN/Token
200 OK == PAN Hit!
![Page 166: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/166.jpg)
Careless Tokenization Software Bugs
![Page 167: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/167.jpg)
Oops!
Customer’s browsers accidentally sent PANs to the Commerce Server!
![Page 168: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/168.jpg)
Oops!
How can this happen?
![Page 169: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/169.jpg)
Tokenization Software Bugs
1) JavaScript bugs
![Page 170: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/170.jpg)
Tokenization Software Bugs
2) Misunderstood Widgets in the Code Pile
![Page 171: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/171.jpg)
Tokenization Software Bugs
3) Logic Edge Cases Not Tested in QA
![Page 172: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/172.jpg)
Tokenization Software Bugs
Common in ASP.NET Web Forms (*.aspx)
![Page 173: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/173.jpg)
Tokenization Software Bugs
Notorious for AJAX-ish “controls” and Partial Page Updates
![Page 174: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/174.jpg)
Tokenization Software Bugs
Sends EVERYTHING in the form!
![Page 175: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/175.jpg)
Tokenization Software Bugs
Example based on an actual retailer:
![Page 176: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/176.jpg)
Tokenization Software Bugs
```
POST /CreditCardPayment.aspx?c29tZXBhcnRpYWx1cGRhdGVzdHJpbmdnb2VzaGVyZS1rdWRvc3RveW91Zm9yZGVjb2Rpbmd0aGlzIQ== HTTP/1.1
Host: store.example.com:443
X-Requested-With: XMLHttpRequest
X-MicrosoftAjax: Delta=true
[…snip…]
ScriptManager1=upCcNumber&txtboxfname=Tim&cardNumber=4111111111111111&securityCodeNumber=123&txtboxlname=MalcomVetter&ddlExpMM=01&ddlExpYYYY=2017
[…snip…]
```
![Page 177: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/177.jpg)
Tokenization Software Bugs
Oops.
![Page 178: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/178.jpg)
Solution is Simple
Don’t mix AJAX controls on Payment Pages
![Page 179: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/179.jpg)
JavaScript Tokenization Bugs
Example listening to onkeypress()
![Page 180: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/180.jpg)
JavaScript Tokenization Bugs
Intent: determine card type (e.g. Visa, MasterCard, etc.)
as the first 4-6 digits are typed
![Page 181: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/181.jpg)
JavaScript Tokenization Bugs
```
POST /api/ccType HTTP/1.1
Host: store.example.com
Connection: keep-alive
Accept: */*
Content-Type: application/json
Content-Length: 55

{"ccPrefix":"41111111"}
```
![Page 182: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/182.jpg)
JavaScript Tokenization Bugs
The JS accidentally sent a request after EACH KEY PRESS!
![Page 183: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/183.jpg)
JavaScript Tokenization Bugs
4…
![Page 184: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/184.jpg)
JavaScript Tokenization Bugs
41…
![Page 185: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/185.jpg)
JavaScript Tokenization Bugs
411…
![Page 186: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/186.jpg)
JavaScript Tokenization Bugs
4111…
![Page 187: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/187.jpg)
JavaScript Tokenization Bugs
41111…
![Page 188: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/188.jpg)
JavaScript Tokenization Bugs
411111…
![Page 189: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/189.jpg)
JavaScript Tokenization Bugs
eventually...
![Page 190: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/190.jpg)
JavaScript Tokenization Bugs
4111111111111111
boom.
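The intent on these slides (show the card brand as the first digits are typed) can be met without transmitting anything. As an added example, not the retailer's code, the block below classifies the brand in the browser from at most the 6-digit BIN and, for the case where a server lookup really is needed, sends that BIN once rather than the growing number after every keystroke. The prefix ranges are the common public ones and are not exhaustive; binOf, cardBrand, serverLookupIfNeeded and simulateTyping are this example's own names.

```javascript
// Added example, not the retailer's code. Brand logic runs in the page and
// never sees more than the 6-digit BIN.

// Digits only, capped at the BIN.
function binOf(value) {
  return String(value).replace(/\D/g, '').slice(0, 6);
}

// True when the BIN starts with a number in [lo, hi] (lo and hi same width).
function startsInRange(bin, lo, hi) {
  const width = String(lo).length;
  if (bin.length < width) return false;
  const head = parseInt(bin.slice(0, width), 10);
  return head >= lo && head <= hi;
}

// Common public prefix ranges; not exhaustive (assumption for this demo).
const BRAND_RULES = [
  ['Visa', bin => startsInRange(bin, 4, 4)],
  ['MasterCard', bin => startsInRange(bin, 51, 55) || startsInRange(bin, 2221, 2720)],
  ['American Express', bin => startsInRange(bin, 34, 34) || startsInRange(bin, 37, 37)],
  ['Discover', bin => startsInRange(bin, 6011, 6011) || startsInRange(bin, 65, 65)],
];

// The brand, null while too few digits have been typed to decide, or
// 'Unknown' once a complete BIN matched nothing.
function cardBrand(value) {
  const bin = binOf(value);
  if (bin.length === 0) return null;
  for (const [brand, matches] of BRAND_RULES) if (matches(bin)) return brand;
  return bin.length >= 6 ? 'Unknown' : null;
}

// If the server must be asked (say, a BIN table too large to ship to the
// browser): send the BIN once it is complete, never again while unchanged,
// and never anything beyond those six digits.
function serverLookupIfNeeded(previousValue, value) {
  const bin = binOf(value);
  if (bin.length < 6 || bin === binOf(previousValue)) return null;
  return { ccPrefix: bin };
}

// Replays the keystroke sequence from the slides and collects what would
// leave the browser: a single request carrying '411111', never the full PAN.
function simulateTyping(pan) {
  const sent = [];
  let previous = '';
  for (let i = 1; i <= pan.length; i++) {
    const value = pan.slice(0, i);
    const req = serverLookupIfNeeded(previous, value);
    if (req) sent.push(req);
    previous = value;
  }
  return sent;
}

console.log(cardBrand('4'), simulateTyping('4111111111111111'));
```

In the page itself, cardBrand is wired to the card field's input event and only updates a label; the full number leaves the browser once, in the form post to the payment server.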
![Page 191: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/191.jpg)
JavaScript Bugs
Another Example:
![Page 192: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/192.jpg)
JavaScript Bugs
Commerce App set generic <form> tag on Payment Page
![Page 193: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/193.jpg)
JavaScript Bugs
JS sets target to Payment Server
![Page 194: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/194.jpg)
JavaScript Bugs
JS fails to load/execute
![Page 195: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/195.jpg)
JavaScript Bugs
PANs sent to Commerce Server instead of Payment Server
![Page 196: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/196.jpg)
JavaScript Bugs
Oops.
![Page 197: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/197.jpg)
DevOps, Tokenization, & You…
![Page 198: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/198.jpg)
Malicious DevOps Admins
Tokenization often relies on JS in the Browser to Direct PANs to the Payment Server
![Page 199: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/199.jpg)
Malicious DevOps Admins
JS doesn’t require a build/deploy
![Page 200: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/200.jpg)
Malicious DevOps Admins
What if your DevOps admin edits the JS files on the web server?
![Page 201: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/201.jpg)
Malicious DevOps Admins
Got integrity checking on JS files in webroot?
![Page 202: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/202.jpg)
Malicious DevOps Admins
Got integrity checking on JS files in webroot?
(I’ve yet to see anyone do that.)
![Page 203: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/203.jpg)
Malicious DevOps Admins
For example, modify JS to send a copy of PANs to evil.com
![Page 204: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/204.jpg)
Malicious DevOps Admins
Then redirect to payment.example.com
![Page 205: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/205.jpg)
Malicious DevOps Admins
With JS, no Continuous Integration Builds Required!
![Page 206: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/206.jpg)
Malicious DevOps Admins
What about intentional JS defects that leak PANs to the Commerce Server the DevOps Admins can access?
![Page 207: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/207.jpg)
Malicious DevOps Admins
What logging is in place on your web servers?
![Page 208: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/208.jpg)
RAM Scraping Web Servers
![Page 209: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/209.jpg)
A Note on RAM Scraping
Not just for Point of Sale Systems
![Page 210: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/210.jpg)
A Note on RAM Scraping
If your Web Server accepts PANs, or
If your Web Server decrypts PANs,
Then PANs are in Web Server’s RAM
![Page 211: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/211.jpg)
A Note on RAM Scraping
(probably for several minutes or hours)
![Page 212: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/212.jpg)
RAM Scraping
DevOps Admin: “I need to profile this service.”
![Page 213: ShowMeCon2016 - Show Me Your Credit Card Tokens](https://reader035.vdocument.in/reader035/viewer/2022062902/58eed09c1a28ab78398b4639/html5/thumbnails/213.jpg)
Q&A
Twitter: @malcomvetter
linkedin.com/in/malcomvetter