
Our next presenter is, um, living in an interconnected world, as they tell me, because he is, among other things, an e-resident of Estonia. Fantastic, you know, you can enjoy our lovely country from abroad, minus the weather, that's a good thing, I guess. But he is also an active initiator in the community and the founder of the OWASP chapter in Estonia, sounds very fancy. He's going to tell us all about it. Please welcome Mr. Stefan Amorelli.

Thank you very much, everybody. I'm very excited to be here with you. As a matter of fact, it's my first time here at BSides Tallinn, and I want to do something very fun with you before we start our talk. I want to celebrate with you, so the first thing I want to do is to ask everybody to take out your credit card from your pocket. I will do the same. I'm not messing, guys, please go ahead. So this is my credit card, and the next thing I would like to ask is to also take out your phone as well. What we're going to do is we're going to scan this QR code, and some lucky members of the audience will see this fantastic page: you actually won this prize, and you can put in your credit card information and redeem your prize. Clearly I'm messing with you, but millions of people still fell for this scam today. But that's not the only way hackers pay with our money, and that's what our talk is about today. As a matter of fact, I would like to start with this question, and this will remain an open question until the end. I want everybody to stay tuned and try to guess the best answer, and the question is: how do hackers pay with your money? There are many ways, but the correct answer is: what is the most efficient way they do that?

But before we get started, a quick introduction about myself. I help startups and companies in highly regulated industries, such as the payment industry, as both software engineering and cyber security lead. I'm also an e-resident and e-residency community leader, and I run the first OWASP chapter here in Estonia. By the way, we will also have a very cool workshop later on the OWASP Top 10 for Large Language Models, so feel free to join us, it's going to be very fun.

But without further ado, let's move forward with our presentation. It's a presentation divided into three parts. In the first part we're going to analyze a little bit the technology behind payment cards, how they work, generally speaking. The second part is about cashing in: how hackers actually commit card fraud. And the third part is a case study: I want to share some lessons with you from my latest project, implementing a payment card solution on board of airlines, the biggest airlines in the world.

So without further ado, let's start with technology. First of all, we need to understand how card authorizations work. Now there are multiple processes whenever we pay with a card, but for the sake of this presentation we are going to focus on the first one, the card authorization. How does it work, on a very general level? We present our card to a POS device and this card then gets read by the device, or we can also have a web portal. This information gets transmitted to a credit card processor. What is a credit card processor? Usually these are companies that facilitate the transmission of data to the card networks, such as Visa and Mastercard, and this information then gets transmitted to the issuing bank. What is the issuing bank? It's the bank that issued the card. At this stage there is some verification process, and if the transaction is actually validated and authenticated, then we get the result back in the pipeline and we get transaction succeeded or transaction failed.

Well, let's move forward. As you probably know, with this card we have many different ways of paying. So here I have a POS device, and the first way would be to swipe it, right? This is not very common in Europe, I don't remember the last time I did it, but this is very common in other parts of the world, as we will see. The second type of transaction, how we can pay with this card, is EMV transactions. EMV stands for Europay, Mastercard and Visa, and there are two main ways to pay: one is dip it, so chip and PIN, and one is tap it. Okay, the last type of transaction: well, imagine I don't have the card, I'm at home, I can still pay. These transactions are called card not present, or CNP.

Let's begin with the technology behind magstripe. This is the oldest technology, it was introduced in the 1960s, in 1969 by Mastercard to be precise, and this is a very old technology. Basically, how does it work? In the back of your card you can see this magnetic stripe that contains in plain text the binary data of your card. Now obviously, as you can see here, this poses a huge threat, because this information can be easily copied and easily cloned onto another card, and usually what attackers do is they use some devices called skimmers, we will see them in a little bit, they copy this information and they sell it or clone it onto another physical card. Very old technology, very vulnerable.

But then what is EMV? As we said, this is a new technology developed by Europay, Mastercard and Visa, and it's based on the chip that you see on your card. Now this little shiny thing is pretty magical, because it's a microcomputer in itself: it contains a processor, memory, storage, and it runs algorithms. So the way EMV transactions work is pretty different from the way magstripe transactions work, so let's see what's the difference. In magstripe transactions the POS device just creates a payment request, reads the data, encrypts it and sends it to the issuing bank. Okay, nothing crazy there, pretty simple, pretty vulnerable. In EMV transactions the thing is different, because whenever we create a payment request we send it to the EMV card, the microcomputer, and the microcomputer contains a secret. This secret never leaves the card, but what it does is it encrypts the payment request with this secret that only the issuing bank knows. So this information gets transmitted back to the POS, the POS doesn't know anything about it, but it gets validated only at the issuing bank's end. Obviously this is a much more secure approach, and it's considered the safest and most modern way to pay with physical cards. Why? Well, it's physically tamper resistant, we cannot easily clone chip cards, there hasn't been any case where there was a cloned chip, as a matter of fact, and it's based on a command and response protocol rather than just reading static data. Obviously there are still threats to these transactions. The main threat is that the POS devices can be tricked into thinking that the chip is damaged, for example, and then fall back to unsafe methods such as swiping, and then again the link between the POS device and the card becomes the weakest segment.

But what about card not present transactions, how can we protect them? Well, recently, a few years ago, we have a new system, especially in Europe with the PSD2 directive, that requires merchants to implement strong customer authentication. What does it mean? Whenever you pay online, usually you get multi-factor authentication, that could be, that's usually an SMS code, and the same concept is implemented independently by Visa and Mastercard in the US, where there is no PSD2 like in Europe, but it works exactly the same way. Still some threats there: so we have seen a lot of SIM swapping recently, but they're also vulnerable to social engineering techniques, man in the middle not so much, but the biggest threat is that not all merchants have switched to, have implemented, this technology, especially in the US.

But let's talk about regulation. So let's imagine we are building a system that handles credit card information, either as software engineers or cyber security professionals: how can we protect the data? The answer is PCI DSS. So who knows PCI DSS, raise your hand. We already have some, cool. It is considered of course the golden standard for the payment card industry, and it stands for Payment Card Industry Data Security Standard. This is something that is required for any organization that handles, transmits or stores cardholder data. But what is it exactly? It is a set of security standards and guidelines and rules, and there are 12 requirements and more than 300 sub-requirements in the current version. It's a lot, and it's considered one of the most challenging certifications to get as a company. And by the way, I also want to say that this is not a legal requirement, so it's not required by law to be PCI compliant, but it's usually a contractual requirement by your bank. The question is always: if fraud happens, who is going to pay? So if you are PCI compliant, you have your back covered a little bit. It's a very huge process, getting PCI certified, but I wanted to still share with you three main areas that PCI covers. The first one is protect cardholder data, that's I think the main differentiator with other standards such as ISO, for example. The second one: build and maintain a secure network, and maintain a vulnerability management program.

But let's go to the fun part, so cashing in: how hackers actually commit payment card fraud. I would like to start with these statistics from the European Central Bank. As you can see, in yellow, the majority of fraud is committed for card not present transactions, 84% on average. That makes sense, because of course we don't have the same kind of protection we have for physical card transactions. But I have now a question for you. We saw what happens in Europe, but let's see what happens all over the world. So I would love you to scan this QR code and you can vote for the country where most fraud happens. So please go ahead and let's see what the audience says; the answers will be in real time, so I'm very curious to see what you guys think. The first option is the United States, then we have Italy, where I'm coming from, and then we also have France, Nigeria, Switzerland and China. We already have some votes, oh okay, 35 people, let's see if we can get to 40 at least. Okay, we got 40, 43, cool. Okay, so the vast majority says US, but we also have somebody thinking of China, Nigeria is the first spot. I think it's enough, and the right answer is US. Obviously, why is the reason? There are many reasons, and one of those is that swiping is still pretty popular in the United States. As we saw, magstripe is a very old technology but is still pretty used, and Mastercard, the first that implemented magstripe, is actually dropping it: by 2029 there will be no Mastercard having magstripe, and it's dropping it first in Europe, because it's not very well used here, and then in the US from 2027, but already next year it is starting to drop magstripe in Europe. That's pretty interesting, in my opinion.

But let's see a step-by-step guide on how hackers commit payment card fraud. The first step is to steal card data, and there are different ways they can steal card data. Maybe somebody wants to raise their hand and try to guess what could be one method? Nobody? Yes, scream. Yes, that's correct. Can I see your... yes, that's another one. Yeah, I do think of it. Yeah, somebody else? Stealing, yeah, obviously, yeah, that could be another option. But we got some interesting answers, exactly, that's a very interesting one. But the first one in the slides is phishing, so the one that I showed on the first page is one example. Then we have malware, hackers can use malware to steal your credit card information; data breaches; and then we also have card skimming. Card skimming is done by using these devices, these little toys are invisible, they're usually installed in ATM machines or POS devices, you don't see them, but they copy the data. Now this is very old school, but it's still pretty used in the United States, as a matter of fact.

The second step is then, now that we have the data, how do we make profit out of it, how do hackers make profit? Sell it is the answer. And just for your information, last year the price of a card sold, card data plus fullz, what does it mean? Fullz is the full package of personal details, your name, your address, everything about you, is on average 25.36 on the dark web. It's pretty cheap, and considering also that the criminals pay one third of a cent for $1 of credit on the card, so it's a pretty huge, profitable business and a pretty big ROI.

The third step: as I said, usually hackers steal the data, they sell it, and they already made a profit, so they are out of the way. But then there are people who buy the data and they have to use it somehow, and usually these people are not the same, because the longer the pipeline, the more difficult it is for investigators to find the first criminals, and in general it is easier to get away with it. So the criminals who buy stolen card data can then clone it onto physical cards and swipe it, or buy stuff online, and usually the preferred goods are gift cards or crypto, which are highly untraceable. Just for your reference, approximately 60 million stolen cards' data was on sale on the dark web last year, and in this screenshot, maybe somebody knows it, this is a forum called the Russian Market, pretty famous on the dark web for carding. This is a huge number, it means that more than 60 million people had their credit card information stolen.

But let's go to the last part of our talk, it's a case study. I will share with you some lessons that I learned when implementing a payment card solution on board of airlines. Now this is an extremely difficult situation, because we had to handle offline authorization: we don't have internet on board of most flights. But I will not cover that aspect, maybe it can be a good topic for another talk; I will speak a little bit more on the general aspects of creating a PCI compliant solution from scratch. So this is me on the first flight where we tested the application, in Iceland, but the app is now used on the biggest airlines in the US.

Lesson number one: DDD, the PCI way. So I'm pretty sure everybody, or most of you, knows the concept of DDD, but this concept is extremely important, especially if we are handling sensitive data. It is based on the principle of modularization and a top-down design approach. What does it mean? Usually, when we create a PCI solution, not all of our system needs to be PCI compliant. We might have an e-commerce page, we might have an orders page, you know, a discounts page, whatever, but only a small part of it deals with cardholder data, and that's why it's important to understand that not everything needs to be PCI compliant. Why? Well, we would have a much faster compliance process this way, and we would have a system that is easier to protect, if we are talking about the PCI module. Okay, that sounds cool and everything, but how do we actually do that? The first thing is to isolate environments. So what we usually call a PCI environment, or CDE, cardholder data environment, needs to be separated completely from the rest of our system, and in a way we black-box not just the applications but the systems, the environments as a whole. That also means, of course, that we need to implement strong role-based access controls, and identity and access management plays a vital role there. In my professional experience, the PCI and non-PCI environments were completely different, they didn't know any implementation details of each other. Another important aspect is data minimization, and this is something that is specific to PCI. What it means is that we need to minimize the amount of data that we store, for as little time as possible. So whenever we process a transaction, there is no reason why we should keep the data stored in our database. That's the concept of data minimization, it is pretty recurring in the PCI compliance process. And the last thing, of course, encryption is extremely important, at rest and in transit, so whenever we communicate between different environments we have to keep into consideration that everything needs to be strongly encrypted.

Let's move forward to the second lesson, and this is a very cool concept, I love it. It is called: the best code written is the one you don't write, and this is based on a principle called YAGNI, you ain't gonna need it. So this concept applies in every software engineering, every system existing on Earth, but especially in PCI environments we need to write the least code and to use the least dependencies possible. Why? Because that way we would have a system easier to maintain, to protect, to scale and to comply. It's also based on another software engineering principle called KISS, keep it simple, stupid. And based on that, I have another question for all of you, so please scan the QR code and answer again this question, which asks: which backend would you prefer to protect? We have Go plus serverless, that's the first option, then we have COBOL monolith, who knows COBOL, by the way, raise your hand, okay, and then we have .NET plus Kubernetes. So I'm very curious, and by the way this answer is very subjective, there is no right or wrong, I have my personal preference, but I'm very curious about what you think. So let's see if we can get to maybe 50 people this time. The majority is saying Go plus serverless, which is very interesting, but the second spot is COBOL monolith, which is even more interesting to me. Okay, 10 more people, we still have a lot of time, actually. Maybe somebody else wants to try. Okay, so let's see. As I said, there is no right or wrong answer to this. My personal preference would be to use a serverless approach, so my answer to that would be using Go plus serverless. And maybe somebody who answered COBOL monolith can raise their hand and explain in one line why, please. That's a good one. As a matter of fact, COBOL, by the way, is something that was used by banks in the 1980s, it's a very old language, but many systems still rely on that programming language, and as a matter of fact most people who built these systems are either retired or dead, so the people who actually can code COBOL are very highly paid right now, and nobody knows what it is.

So going back to our speech: how do we write the least code possible? I've seen a serverless approach to be extremely efficient in that way. I've seen PCI compliant solutions running on just a few serverless functions, either on AWS or Firebase Cloud Functions, and why this is important is that we are delegating a lot of vulnerability management, patch management, keeping everything updated and monitored, to providers that we know are safe, they are PCI compliant: Amazon is PCI compliant, Google is as well. So it's a lot of stuff we are delegating, and that provides a huge benefit in our case. Another thing: we talked about backend, but another thing would be using cross-platform technologies on the client side, because remember, PCI is not only about backend, it's also about the client, and in the app I made the client side was also extremely important, because we would store the data locally on the phone devices before actually syncing it when there was internet. In that sense, client side, we can use some cross-platform technologies: Flutter, React Native are very good options in that regard. Now a lot of people, I heard, were a little bit hesitant to use React Native, for example, or Flutter for such highly sensitive data and systems, but the reality is that nowadays these technologies are pretty advanced, and for example Flutter is used by Google Pay, by Mastercard as well for some products, so they are stable enough in this day and age. Last thing: reduce dependencies. Whenever we introduce a dependency, whether it's a package, whether it's another system, a third-party system, a plug-in, whatever, we need to make sure that it is PCI compliant. That adds a lot of troubles. Let's go to