
Hacking Point of Sale: Payment Application Secrets, Threats, and Solutions [Paperback]

  • Format: Paperback / softback, 312 pages, height x width x thickness: 234x188x15 mm, weight: 544 g
  • Publication date: 25-Mar-2014
  • Publisher: John Wiley & Sons Inc
  • ISBN-10: 1118810112
  • ISBN-13: 9781118810118

Must-have guide for professionals responsible for securing credit and debit card transactions

As recent breaches like Target and Neiman Marcus show, payment card information is involved in more security breaches than any other data type. In too many places, sensitive card data is simply not protected adequately. Hacking Point of Sale is a compelling book that tackles this enormous problem head-on. Exploring all aspects of the problem in detail, from how attacks are structured to the layout of the magnetic stripe to point-to-point encryption and more, it is packed with practical recommendations. This terrific resource goes beyond standard PCI compliance guides to offer real solutions for achieving better security at the point of sale.

  • A unique book on credit and debit card security, with an emphasis on point-to-point encryption of payment transactions (P2PE) from standards to design to application
  • Explores all groups of security standards applicable to payment applications, including PCI, FIPS, ANSI, EMV, and ISO
  • Explains how protected areas are hacked and how hackers spot vulnerabilities
  • Proposes defensive maneuvers, such as introducing cryptography to payment applications and better securing application code

Hacking Point of Sale: Payment Application Secrets, Threats, and Solutions is essential reading for security providers, software architects, consultants, and other professionals charged with addressing this serious problem.

Table of contents (each entry gives its start page in the book, with the number of pages it spans in parentheses):

Introduction  xxiii
Part I  Anatomy of Payment Application Vulnerabilities  1(90)
Chapter 1  Processing Payment Transactions  3(22)
  Payment Cards  3(2)
  Card Entry Methods  5(1)
  MSR  5(1)
  Pinpad  6(1)
  Key Players  6(2)
  Consumer (Cardholder)  7(1)
  Merchant  7(1)
  Acquirer  7(1)
  Issuer  7(1)
  Card Brands  8(1)
  More Players  8(3)
  Payment Processor  8(1)
  Payment Gateway  9(2)
  Even More Players  11(1)
  Payment Software Vendors  11(1)
  Hardware Manufacturers  11(1)
  Payment Stages  12(4)
  Authorization  12(1)
  Settlement  13(3)
  Payment Transactions  16(3)
  Sale vs. PreAuth/Completion  16(1)
  Void and Return  16(1)
  Fallback Processing  17(1)
  Timeout Reversals  18(1)
  Special Transaction Types  18(1)
  Key Areas of Payment Application Vulnerabilities  19(3)
  Summary  22(3)
Chapter 2  Payment Application Architecture  25(30)
  Essential Payment Application Blocks  25(9)
  Interfaces  25(3)
  Processing Modules  28(3)
  Data Storage  31(1)
  Typical Payment Transaction Flow  32(2)
  Communication Between Modules  34(5)
  Physical Connections  34(1)
  Communication Protocols  35(1)
  Local Communication  36(1)
  Message Protocols  36(2)
  Internal Protocols  38(1)
  Communication Summary  38(1)
  Deployment of Payment Applications  39(11)
  The Concept of EPS  39(1)
  Payment Switch  40(1)
  Comparing Deployment Models  41(2)
  Store EPS Deployment Model  43(1)
  POS EPS Deployment Model  44(2)
  Hybrid POS/Store Deployment Model  46(1)
  Gas Station Payment Systems  46(2)
  Mobile Payments  48(2)
  Summary  50(5)
Chapter 3  PCI  55(36)
  What is PCI?  56(1)
  PCI Standards  57(26)
  PA-DSS vs. PCI DSS  59(1)
  PA-DSS  59(8)
  PCI DSS  67(10)
  Comparing PA-DSS and PCI DSS Requirements  77(3)
  PTS  80(1)
  P2PE  81(2)
  PCI Guidelines  83(3)
  Fallacy of Tokenization  83(2)
  EMV Guidance  85(1)
  Mobile Payments Guidelines for Developers  86(1)
  Summary  86(5)
Part II  Attacks on Point-of-Sale Systems  91(74)
Chapter 4  Turning 40 Digits into Gold  93(32)
  Magic Plastic  93(1)
  Physical Structure and Security Features  94(4)
  Why Security Features Fail  97(1)
  Inside the Magnetic Stripe  98(12)
  Track 1  98(2)
  Track 2  100(1)
  PAN  101(1)
  Expiration Date  102(1)
  ISO Prefix and BIN Ranges  103(2)
  PAN Check Digit  105(1)
  Service Code  106(1)
  Card Verification Values  107(3)
  Regular Expressions  110(1)
  Getting the Dumps: Hackers  111(3)
  Security Breach  112(1)
  Largest Point-of-sale Breach  113(1)
  Converting the Bits into Cash: Carders  114(1)
  Monetization Strategies: Cashers  115(1)
  Producing Counterfeit Cards  116(5)
  Encoders  118(2)
  Printers  120(1)
  Summary  121(4)
Chapter 5  Penetrating Security Free Zones  125(22)
  Payment Application Memory  125(9)
  RAM Scraping
  WinHex  126(1)
  MemoryScraper Utility  127(7)
  Windows Page File  134(1)
  Sniffing  134(6)
  Traffic on Local Networks  135(1)
  Network Sniffers  135(1)
  NetScraper Utility  136(3)
  More Communication Vulnerability Points  139(1)
  Exploiting Other Vulnerabilities  140(4)
  Tampering With the Application  140(1)
  Tampering With the Hardware  141(1)
  Targeting New Technologies  142(1)
  Attacks on Integrity and Availability  143(1)
  Summary  144(3)
Chapter 6  Breaking into PCI-protected Areas  147(18)
  PCI Areas of Interest  147(1)
  Data at Rest: The Mantra of PCI  148(12)
  Temporary Storage  149(1)
  Application Logs  150(2)
  Hashed PAN  152(1)
  Insecure Storage of Encryption Keys  153(4)
  DiskScraper Utility  157(3)
  Data in Transit: What is Covered by PCI?  160(2)
  SSL Vulnerabilities  160(1)
  Man-in-the-Middle  161(1)
  Summary  162(3)
Part III  Defense  165(86)
Chapter 7  Cryptography in Payment Applications  167(28)
  The Tip of the Iceberg  167(1)
  Symmetric, Asymmetric, or One-way?  168(2)
  Does Size Matter?  170(2)
  Key Entropy  170(1)
  Key Stretching  171(1)
  Symmetric Encryption  172(4)
  Strong Algorithms  173(1)
  EncryptionDemo  173(1)
  Implementing Symmetric Encryption  174(1)
  Generating the Key  174(1)
  Blocks, Padding, and Initialization Vectors  175(1)
  Encryption and Decryption  175(1)
  Asymmetric Encryption  176(5)
  Implementing Public-key Encryption  177(1)
  Generating the Keys  178(1)
  Self-signed Certificate  178(1)
  PFX Certificate File  179(1)
  Encryption  180(1)
  Decryption  180(1)
  One-way Encryption  181(5)
  Implementing One-way Encryption  181(1)
  Salting Tokens  182(2)
  Salting Passwords  184(1)
  Validating Passwords  184(2)
  Digital Signatures  186(2)
  Attached vs. Detached Signatures  186(1)
  Code and Configuration Signing  187(1)
  Data File and Message Signing  187(1)
  Cryptographic Hardware  188(1)
  Cryptographic Standards  188(3)
  NIST and FIPS  189(2)
  ANSI  191(1)
  PKCS  191(1)
  Summary  191(4)
Chapter 8  Protecting Cardholder Data  195(24)
  Data in Memory  195(2)
  Minimizing Data Exposure  196(1)
  Encrypting Data End to End  196(1)
  Data in Transit  197(10)
  Implementing SSL  197(9)
  Using Encrypted Tunnels  206(1)
  Data at Rest  207(2)
  Secure Key Management  207(1)
  Multiple Key Components  207(1)
  KEK and DEK  208(1)
  Key Rotation  209(1)
  Point-to-point Encryption  209(5)
  What Point-to-point Really Means  209(1)
  Levels of P2PE  209(1)
  Hardware P2PE  210(1)
  DUKPT Key Management  211(3)
  EMV  214(1)
  Mobile and Contactless Payments  215(1)
  Summary  215(4)
Chapter 9  Securing Application Code  219(32)
  Code Signing  219(10)
  Authenticode  220(1)
  Code Signing Certificates  220(1)
  Creating the Root CA Using OpenSSL  221(1)
  Certificate Formats  222(1)
  Creating a Production-grade Code Signing Certificate  223(3)
  Timestamp  226(1)
  Implementing Code Signing  227(2)
  Signing Configuration and Data Files  229(8)
  Attached or Detached?  229(1)
  Data Signing Certificate  230(1)
  Certificate Store  231(1)
  Implementing Detached Signature  232(3)
  Attached Signatures  235(1)
  Signing XML Files  235(1)
  Implementing Attached Signature  235(2)
  Code Obfuscation  237(5)
  Reverse Engineering  237(3)
  Obfuscating the Code  240(2)
  Secure Coding Guidelines  242(4)
  OWASP Top 10  242(1)
  CWE/SANS Top 25  243(2)
  Language-specific Guidelines  245(1)
  Summary  246(3)
Conclusion  249(2)
Appendix A  POS Vulnerability Rank Calculator  251(6)
  Security Questionnaire and Vulnerability Rank  251(1)
  The Scoring System  252(1)
  Instructions  252(1)
  POS Security Questionnaire  252(3)
  Decoding the Results  255(2)
Appendix B  Glossary of Terms and Abbreviations  257(8)
Index  265
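The Chapter 4 entries listed above (Track 2, PAN, PAN Check Digit, Service Code, Regular Expressions) cover the handful of digits that every attack in Part II is ultimately after. The following Python is an illustration added to this page, not code from the book or its author: it parses an ISO/IEC 7813 Track 2 string (at most 40 numeric characters between the `;` and `?` sentinels, in the common PAN=YYMM+service-code+discretionary layout), validates the PAN's Luhn check digit, and then runs the kind of regular-expression sweep a RAM scraper, or a defender scanning memory dumps and logs, uses to pick PANs out of arbitrary bytes. The `Track2`, `parse_track2`, `find_pans` and `mask_pan` names are ours; the track string and memory fragment are constructed and use the public 4111 1111 1111 1111 and 5500 0000 0000 0004 test numbers.

```python
"""Track 2 parsing, Luhn check-digit validation and PAN discovery.

Example code added to this page; it is not taken from the book. Sample
data is constructed and uses public test card numbers.
"""
import re
from dataclasses import dataclass

# ISO/IEC 7813 Track 2 layout: ;PAN=YYMMSSS<discretionary>?<LRC>
#   ;      start sentinel        =    field separator
#   YYMM   expiry                SSS  service code
#   ?      end sentinel          LRC  optional longitudinal redundancy char
TRACK2_RE = re.compile(
    r"^;(?P<pan>\d{12,19})=(?P<yymm>\d{4})(?P<service>\d{3})(?P<disc>\d*)\?.?$"
)

# What a RAM/network scraper greps for: a run of 13-19 digits, optionally
# grouped by single spaces or dashes, not embedded in a longer digit run.
PAN_CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(pan: str) -> bool:
    """ISO/IEC 7812 check digit: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass(frozen=True)
class Track2:
    pan: str
    expiry_yymm: str
    service_code: str
    discretionary: str

    @property
    def iin(self) -> str:
        """Issuer identification number (the BIN): the leading six digits."""
        return self.pan[:6]

    @property
    def chip_capable(self) -> bool:
        """First service-code digit 2 or 6 means 'use the IC where feasible';
        a chip-capable card swiped on a magstripe reader is a fallback."""
        return self.service_code[0] in "26"


def parse_track2(raw: str) -> Track2:
    """Parse a Track 2 string, rejecting malformed data and bad check digits."""
    if len(raw) > 41:  # 40 data characters plus an optional LRC
        raise ValueError("Track 2 too long")
    m = TRACK2_RE.match(raw)
    if m is None:
        raise ValueError("not a well-formed Track 2 string")
    if not luhn_valid(m["pan"]):
        raise ValueError("PAN fails the Luhn check digit")
    return Track2(m["pan"], m["yymm"], m["service"], m["disc"])


def find_pans(blob: bytes) -> list[str]:
    """Return Luhn-valid PAN candidates found in arbitrary bytes (a memory
    dump, a packet payload, a log file), with separators removed."""
    text = blob.decode("latin-1")  # one byte -> one char, never fails
    hits = []
    for m in PAN_CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            hits.append(digits)
    return hits


def mask_pan(pan: str) -> str:
    """PCI DSS display masking: at most the first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


# Constructed samples: 4111 1111 1111 1111 and 5500 0000 0000 0004 are public
# test numbers; the other digit runs fail the check digit and are noise.
SAMPLE_TRACK2 = ";4111111111111111=2512201123456789?"
SAMPLE_MEMORY = (
    b"\x00\x00POS v3.2 txn=000417 " + SAMPLE_TRACK2.encode() + b"\x00"
    b"order 1234567890123 total 42.17 card 4111 1111 1111 1111 ok\x00"
    b"5500-0000-0000-0004 \x00 1234567812345678"
)

if __name__ == "__main__":
    t = parse_track2(SAMPLE_TRACK2)
    print(f"PAN {mask_pan(t.pan)} IIN {t.iin} exp {t.expiry_yymm} "
          f"service {t.service_code} chip_capable={t.chip_capable}")
    for pan in find_pans(SAMPLE_MEMORY):
        print("found", mask_pan(pan))
```

Two details matter in practice. The check digit is what separates real card numbers from order numbers and timestamps in a dump: of the five 13-to-16-digit runs in the constructed memory fragment, only the two test PANs survive `luhn_valid`, so a scraper (or a detection rule) that skips the Luhn step drowns in false positives. And the negative lookbehind/lookahead in `PAN_CANDIDATE_RE` keep a PAN from being carved out of a longer digit run, which is why the expiry and service code glued to the PAN by `=` are still found as a separate candidate and then rejected.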
Slava Gomzin, CISSP, PCIP, ECSP, Security+, is the Security and Payments Technologist at Hewlett-Packard. Prior to joining HP, Slava was a security architect and PCI ISA, corporate product security officer, and R&D and application security manager at Retalix, a Division of NCR Retail.