Hacker Factor Solutions
Dr. Neal Krawetz Hacker Factor Solutions White Paper
Copyright 2006-2007 Hacker Factor. All rights reserved. FOIA Exempt.
Document history:
Version 1.0: Initial draft.
Version 1.1: Incorporated feedback from reviewers.
Version 1.2: Incorporated additional feedback.
Version 1.3: Limited release.
Version 2.0: Public release.
Hacker Factor P.O. Box 270033 Fort Collins, CO 80527-0033 http://www.hackerfactor.com/
There are many issues related to the disclosure of the vulnerabilities described in this document. Ideally this document should be quietly distributed to the impacted companies. Unfortunately, there are too many vendors and retailers impacted by these risks; a small company such as Hacker Factor Solutions does not have the resources necessary to contact each of these companies. Instead, reporting attempts were limited to a small sample of representative companies, of which few responded.

The standard practice in the security community is to publicly release information when the vendor(s) is nonresponsive. However, the vulnerabilities disclosed in this document denote a set of fundamental flaws in the point-of-sale process. Even if a solution were available today, it would take years to be fully deployed. Given that a full disclosure of these vulnerabilities would be unlikely to lead to a rapid deployment and adoption of more secure systems, this public disclosure was delayed. It was hoped that the credit card industry would respond and address some of the more significant issues. Although a few of the issues appear to have been addressed (see Section 10: Addendum), there has not been any direct response or acknowledgement from the major credit card providers and processors.

It is important to recognize that nothing in this paper is new or novel. In most cases, these risks have been known to the credit card industry for more than a decade; however, little has been done to address these risks. In this paper, all exploits are discussed in high-level terms, with only specific examples offering implementation details. Generally speaking, all vendors and providers are equally vulnerable, but specific attack details may vary by vendor.

As a compromise between the need for full disclosure and the desire for responsible reporting, this document was initially provided under a limited release. Only entities with a need to know were provided copies of this paper. The recipients included law enforcement agencies, financial institutions, card providers, credit card clearinghouses, point-of-sale manufacturers, large retailers, and related businesses. Each of the recipients had the option to discuss these issues and request that this document remain as a limited distribution. However, only one recipient had any comments on this paper (and that feedback was incorporated) and one other recipient requested a delay in the release of this paper. The delay was set for one year. Since there has been no additional discussion and no additional requests for a delay, this paper has now been released publicly.

The differences between this public release and the limited release are as follows:
1. This section, “Public Release”, has been modified. The limited release had distribution restrictions.
2. The Reporting History has been updated to reflect dates after April 2006.
3. An Addendum has been added that lists events that followed the limited release.
Because this paper is over a year old, some of the hyperlinks to references may no longer be available online. However, no attempt has been made to update the body of this document; Sections 1 through 8 have not been modified. Readers of this public release will see the same text as the limited release recipients. This document is distributed under the following terms: 1. Only Hacker...