Credit Card Compromise - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
Credit Card Compromise
  • Case Scenario by John Mallery

2
Scenario
  • Client calls and says they have an issue
  • They have been notified by the USSS that credit
    cards have been compromised, identified through a
    common point of purchase investigation
  • They provide you with a hard drive only
  • They want to identify if a hack has taken place
  • What do you do?

3
Process
  • Initial Issues and Questions
  • How do you know whether you have the correct
    drive?
  • What about date and time stamps? Are they valid?
  • Why or why not?

4
Process
  • Where do you begin?
  • Forensically image drive
  • Develop an approach
  • What do you look for?

5
Investigation
  • Forensically copy drive
  • Run Searches on the following
  • Credit card numbers: identify whether they are
    stored in plain text
  • IP addresses of the system
  • Logs
  • Software installed
  • Internet History

6
Investigation
  • Online storage sites
  • Removable drives
  • Test SAM database for missing passwords

7
Credit Card Numbers
  • Grep Expression
  • Identifies possible credit card numbers
  • How can they be validated?
  • Which one is a valid credit card number?
  • 4012 8888 8888 1881
  • 5432 1234 5411 1111
  • 5454 5454 5454 5454

8
Credit Card Numbers
  • Adhere to a strict format

9
Luhn Algorithm (Mod10)
  • Starting with the rightmost digit (which is the
    check digit) and moving left, double the value of
    every second digit.
  • If a product results in two digits, subtract 9
  • Add all numbers together.
  • The result should be divisible by 10

10
An example
  • 4012 8888 8888 1881
  • 4 0 1 2 8 8 8 8 8 8 8 8 1 8 8 1
  • Multiply by 2
  • 8 0 2 2 16 8 16 8 16 8 16 8 2 8 16 1
  • Double Digits (Subtract Nine)
  • 8 0 2 2 7 8 7 8 7 8 7 8 2 8 7 1
  • Sum equals 90
  • Valid Number
  • Who is the issuer?
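As an added example (not part of the presentation), the candidate search from slide 7 and the Mod 10 check from slides 9 and 10 in Python, run over a constructed POS log fragment. The regular expression and the simplified issuer prefix table are my own choices, not the grep expression or validator the slides used.

```python
import re

# Candidate pattern: 13 to 16 digits, optionally separated by single spaces or
# hyphens, bounded so a match never starts or ends inside a longer digit run.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,15}\d(?!\d)")

# Simplified issuer prefixes (well-known IIN ranges; Mastercard's 2221-2720 omitted).
ISSUERS = [
    ("American Express", ("34", "37"), (15,)),
    ("Visa", ("4",), (13, 16)),
    ("Mastercard", ("51", "52", "53", "54", "55"), (16,)),
    ("Discover", ("6011", "65"), (16,)),
]

# Constructed POS log fragment: the three test numbers from slide 7, plus a
# 17-digit batch id that the bounded regex must skip entirely.
SAMPLE_POS_LOG = """\
2007-03-14 09:12:03 TXN 0001 card=4012 8888 8888 1881 amt=42.17 approved
2007-03-14 09:13:41 TXN 0002 card=5432-1234-5411-1111 amt=18.00 declined
2007-03-14 09:15:22 TXN 0003 card=5454545454545454 amt=99.99 approved
2007-03-14 09:16:00 batch id=20070314091600123 settled
"""

def luhn_sum(digits: str) -> int:
    """Mod 10 sum as on slide 9: walking left from the check digit, double
    every second digit, subtract 9 from two-digit products, add everything."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit, counting from the check digit
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total

def luhn_valid(digits: str) -> bool:
    return digits.isdigit() and luhn_sum(digits) % 10 == 0

def issuer(digits: str) -> str:
    """Answer slide 10's 'who is the issuer?' from prefix and length."""
    for name, prefixes, lengths in ISSUERS:
        if len(digits) in lengths and digits.startswith(prefixes):
            return name
    return "unknown"

def scan(text: str) -> list:
    """(digits, luhn_ok, issuer) per candidate: which 'possible' numbers survive."""
    found = [re.sub(r"[ -]", "", m.group()) for m in CANDIDATE_RE.finditer(text)]
    return [(d, luhn_valid(d), issuer(d)) for d in found]
```

Of the three numbers on slide 7, the second fails the Mod 10 check (sum 41) while the first and third pass; the 17-digit batch id is never reported as a candidate.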

11
Online Credit Card Validator: would you use it?

12
Credit Card Validator
  • Credit Card Verifier Software
  • Test and verify its functionality before using on
    suspect credit card numbers.
  • Disconnect from Internet
  • Start Process Monitor
    (http://www.microsoft.com/technet/sysinternals/ProcessesAndThreads/processmonitor.mspx)
  • Test on dummy CCNs

13
Initial Results
  • Found numerous numeric strings in plain text that
    appeared to be credit card numbers
  • Publicly routable IP Address
  • Nothing of relevance in logs
  • No functioning antivirus applications
  • PCAnywhere

14
Initial Results
  • Internet history: lots of visits to non-business
    sites (YouTube, MySpace, eBay) and personal
    surfing.
  • Removable drives had been used.
  • Administrator account with no password.

15
Answer Found?
  • Have we identified whether the system had been
    hacked?
  • What is the next step?

16
Boot the Image
  • Boot the image
  • How?
  • LiveView - http://liveview.sourceforge.net/

17
LiveView
  • Live View is a Java-based graphical forensics
    tool that creates a VMware virtual machine out of
    a raw (dd-style) disk image or physical disk.
    This allows the forensic examiner to "boot up"
    the image or disk and gain an interactive,
    user-level perspective of the environment, all
    without modifying the underlying image or disk.

18
LiveView
  • What Do I Need To Run Live View?
  • VMware Server Full Install (Free Download) or
    VMware Workstation 5.5 (30 Day Trial)
  • Java Runtime Environment (http://www.java.com/getjava/)
  • VMware Disk Mount Utility
    (http://www.vmware.com/download/eula/diskmount_ws_v55.html)
  • A Microsoft Windows Machine (XP, 2000, or 2003)
  • Some Bit-for-Bit Disk Images

19
LiveView
  • Demo (Maybe)

20
VFC Virtual Forensic Computing
  • Commercial Product
  • VFC
  • Mount Image Pro
  • http://www.mountimage.com/
  • VMWare Player, Workstation or Server
  • Demo

21
Benefits of Booting Image
  • Identify open ports: netstat and fport
  • Identify running processes: Pslist
  • Identify services: Psservice
  • Programs scheduled to run at startup: Autoruns and
    msconfig

22
Additional Results
  • Port 80 open
  • Additional ports open: remote control programs
  • Opened PC Anywhere, identified configuration
    settings and cracked password; no security
    mechanisms implemented
  • In addition no firewall on system or on network
  • Router default username and password.

23
End Result
  • 18,880 credit card numbers compromised
  • POS application known to have stored CCNs in
    plain text. Patch existed, vendor never applied
    patch.
  • Costs: fines, investigation, legal fees
  • Client hopes to recover costs from the vendor's
    insurance company.