
Um, before we get started here, just a, uh, a note: please respect the speaker, please silence your cell phones and other, uh, devices that you may have. Um, I'll turn it over to, uh, the gentleman here in just a moment. I've been informed that he does have giveaways, uh, for the crowd, uh, to answer; if you answer the question correctly he'll give something to you, so if that's not motivation to pay attention I don't know what is. So sir, the floor is yours. Thank you. Uh, hello and good, good afternoon. My name is Amol and I hope you guys are enjoying this BSides as much as I am, so has been a wonderful event since, since this
morning. Uh, a little bit of introduction: I work for a company called Qualys. We, or at least my team, create signatures to identify vulnerabilities, possible threats, any sort of a misconfiguration or, uh, a way in which an attacker or a hacker could break into your network, and that's sort of the basis of this talk and how this talk came, came, came along. So in the next hour or so we'll take a look at, uh, point of sale systems, different, uh, or a particular type of malware which has been, which has in the recent past, uh, affected point of sale systems. We'll go over a demo of, uh, uh, one such example malware that I have
written and we'll see how it behaves. So let's get started. Oh yeah, and about the giveaway, so I have, uh, well, okay, we'll talk about that later. So the agenda is: win free stuff. Well, hopefully that should not be the only agenda for this presentation. What I have is pretty, uh, small, uh, speakers that you can use on your iPad or, uh, uh, whatever, iPhone. Uh, during the presentation, you, what you have to do is you have to first of all, when you see this I can find a question which is on the slide, it's very obvious, and if you know the answer just raise your hand, tell me the answer and take away these two things. So apart from that, uh, we'll
we'll look at POS systems and some credit card basics. Now this may be a little bit of a repetition for those of you who already are very familiar with POS systems, with credit card data and things like that, but for the, for the good of all of us, so that all of us are on the same page, I'll quickly go over, uh, some of the basics, sort of, uh, of POS systems and credit cards. We'll see how the attack works. There will be a demo, so what I have here is I have a fully functional POS system, a point of sales system, which I'm using as my presentation laptop, so, and then I'll, I'll describe what that
means a little bit when we go towards the demo, and we'll also go over some of the countermeasures, some of the things that, uh, various different, uh, people can do so that we don't get affected with this POS malware. So this is the brief agenda, let's get started. Uh, oh, so the first slide itself has, has a question. So, uh, F data breaches: this is a slide from the Verizon data breach report of 2013, and this is the last year's, uh, Verizon data breach, and it, even last year it had POS systems at the forefront of, uh, data breaches. If you see, there are about, about 75% of the accommodation industry, so basically hotels, they, uh,
their data be, data breach was due to POS systems. So this first column is the data breaches in POS systems. You have a retail industry which had 31% of their data breach or credit card theft due to POS systems, and a lot of, uh, vendors like Target, Neiman Marcus, and you, you know all the names, and I'm not here to deface any vendor, so, uh, they have been affected, hint hint guys, uh, they have been affected with the, with, with, with POS data breaches. Next slide. Any answers?
Yes? Uh, no, no, it's a good, good guess,
but don't share your answers. Okay guys, keep Googling and we, you can, but, but, but you can, we can just raise your hand when you have all the four, so now you know what that is, so raise your hand when you have all the four. As I said, it's a very silly trivia. So okay, uh, going, going to credit cards. Now this is a pretty basic slide. Uh, usually there are these three different types of credit cards. Uh, first is your usual magnetic stripe credit card, so on the back side of the credit card you have the magnetic stripe which stores all the information like your credit card number, your name, your, uh, the expiry date of the credit card. The
second type of credit card is, uh, chip and PIN credit card, which is, uh, not, uh, found in US as of yet but it's, it's coming pretty soon. Uh, the third one is your PayPass, so which you sort of bring the card near the device and it can, it can charge you. So our talk is mostly about the first two cards, or mostly about the first card. The reason I say it's about the second card is because even though you are, uh, from, uh, from Europe where chip and PIN are the default credit card, still if you travel to US or if you want your card to be used internationally, it has a magnetic stripe at the back and has all
the same, uh, details that this card had, so basically this card can be considered similar to this card because it also has the magnetic stripe on, on the back side. So there are two ways of using the second card. Uh, so on the first card, if you see, there is this, uh, CVV on the back side of the card and, uh, I want to make this clear right from the get-go, is there are two CVV numbers. So there is this one CVV number, which is the card verification number, which is on the magnetic stripe. All right: Target, Michaels, Neiman Marcus, P.F. Chang's in 2014. Uh, so, uh, there are two CVV numbers, one is on the card, uh, in the magnetic
stripe and one is on, written on the back of the card, and these two numbers are different, so for now let's just go with that. So yeah, three different types of cards, pretty simple. Here, this is your typical POS system, point of sale systems. At the bottom are just some of the leading manufacturers, nothing against any of them, these are all great companies. What a typical POS system consists of is a cash register, which usually, you know, comes out to dispense cash, or if you swipe a credit card they store usually the credit card receipts in it. There is a, usually a touchscreen display where you, where, where the cashier enters the amount or enters the things that you
have bought. There is a printer, but most importantly is a credit card reader and some sort of a central processing unit which, uh, has your, uh, POS software. Also one thing missing is a barcode, is a scanner here, so when you bring an item they scan the item. So I didn't get a pretty picture with a scanner, but there is also a scanner to scan your items, and so this is what the system looks like, usually a typical system looks like. Also what it has inside is the POS software, or point of sales software. There are at least two, three dozen companies that make this point of sale software. Uh, some of the examples I've given above, these are all very good
companies, I have really high respect for them, uh, but what it all boils down to is these logos at the bottom, as in all of this or most of this software runs on some flavor of Windows. So I hope no one runs on 95 anymore, but, uh, XP systems are very common in, in, in the POS world. So okay, that was the POS software, POS hardware. Now let's take a look at the magnetic stripe. This image is from ard.com, I didn't draw it, thank you qcard. So a typical magnetic stripe, and, uh, has three tracks, and you may already know about, but let's just go over this pretty quickly. So the track one data is
basically, it has 210 bits per inch, so this is what is, you know, on the back side of your card on the magnetic stripe. Track one: 210 bits per inch, and it, so, stores seven bits per character, so that allows you, or basically the banks, to store 79 alphanumeric characters on track one. That contains, and then we will go into details about track one later. There is track two, which contains 75 bits per inch data, and because it has only 75 bits per inch and five bits per character it can store less amount of data, so it can store only 40 numeric characters. So pretty simple till now: track one can store 79 alphanumeric
characters, track two can store 40 numeric characters. Track three, which is, uh, which is not really found much in credit cards, has five bits per character and 107 numeric characters, it can store 107 numeric characters, but most credit cards don't use track three. So for our, um, malware what is useful is track one and track two data. So this is the most busy slide of my presentation. It's a little difficult to read, but, um, bear with me here. So the top part is basically track one data, this is how, uh, literally the different characters are stored on track one, and at the bottom is the explanation or a diagram, again from qard, uh, of, uh, what,
what, what it means. So basically it starts with, uh, start sentinel, so which is basically just a fancy name to, like, a start field. It basically tells that this is the start of the track one data, which is a percent sign. Then it has a format code, which is B for credit cards usually, that's what I've seen. After that what follows is a 19-digit PAN, or a primary account number. This usually is a credit card number which is printed on the front of your card, and this card number is, uh, is a fake one, so, uh, don't worry about that. Followed by a field separator, which is a caret symbol, followed by 26 alphanumeric characters, remember track
one is, uh, can store alphanumeric characters, so this usually, this has basically your name, your last name slash first name, followed by again a field separator, which is a caret, uh, symbol, followed by additional data. So the four, first four bytes of additional data have the expiry date of the card in YYMM format, and the next three bytes are the service code. The service code is basically how can the card be used: is it a debit card, credit card, what restrictions does it have and whatnot, so that is, uh, stored in the service code. Followed by a discretionary data, so this data has, uh, basically your PIN verification value, your card verification value or the card
verification code, the CVC that I mentioned earlier, and this CVC, as you remember, this is different than the CVC which is on, which is written or printed on the back of your card. And then it has again your, uh, end sentinel, which is basically to tell that that's the end of track one data. So this is all the information that is needed to process your card. If someone has all of this information they can charge whatever amount that they want on your card, and if they submit this charge it would be authorized unless you have canceled the card, because they have the CVV, they have the card number, um, and they have the PAN. Track
two data, uh, is on the next slide. Again, I won't go into too much details, but it's very similar, except that since it cannot store alphanumeric characters it doesn't have the name, it just has the primary account number and your additional data, which has your expiry date, service code and CVV. So technically speaking, as far as I know, either track one or track two data can authorize a transaction, so your name is not really needed for authorizing the transaction. What happens is when you swipe your card, uh, sometimes track one could be damaged, so track two could be readable, so your transaction would still go through if just track two data is available, and
vice versa, so, uh, you can call it a little bit of redundancy there. So that's basically track one data, that's your track two data, and pretty much concludes, uh, you know, everything what need, we need to know as for this presentation about point of sale systems and credit cards. Oh well, not completely, there are like a few transaction types. So the first type of transaction is very simple, we have, we all do that almost every day, is a card swipe. In this type of transaction the card is swiped, so the CVV on the magnetic stripe as well as all the track one data that we saw is used, while the type, second type of transaction is the card not present, or
CNP, transaction, where you do not swipe your credit card. This is when you buy things from Amazon, from eBay and whatnot, so in that case they ask you to enter the CVV which is on the back of your card. So when the card is not present, when it's not swiped, you don't know what is your CVV1, which is on the magnetic stripe, so in that case they ask you for the CVV2, which is present physically on the back side of the card, just to make sure that you really possess the card, you really have physical access to the card. So these are, these are the two types of, uh, transactions. Now we have heard, and don't
read a lot into this slide, we have heard a lot about encrypting data in motion and encrypting data in, at, at rest, and I think most, uh, companies, most software, most hardware does that very nicely, as in when you transmit card data for authorization it's transmitted securely in encrypted form. When you store data, which usually merchants don't store data, but people who do store data, they store it very well with encryption and all the jazz that is, uh, on, on the slide. But where the data is unencrypted is in the process's memory, so when you swipe a card there is some amount of time when that encrypt, unencrypted data is present in the point of sale, uh, process's memory, and that's
the key, that is where a lot of the POS malware, or this so-called RAM scrapers or RAM scraping malware, they scrape the data from this other process's memory. And, uh, so basically point to take is, just because data is encrypted at rest and, and in motion, or when it is sent, that, uh, that still leaves the data in, uh, process, as they say, when the data is being processed, unencrypted, and that's what the point of sale, uh, malware attacks. So here is an attack scenario. Let's say, uh, as, as, as you already saw, a lot of these point of sale devices are, um, are, are nothing but Windows boxes, they can be multitask, they can be used
to, to check your Facebook accounts, your emails, play games and whatnot. So attack scenario is, there is a phishing attack against the operator using the point of sale system. He or she is using, clicks on a link that they received on email, on Facebook, on some other device, and malware gets infected on the point of sale system. Next what happens is, at the time of transaction a customer scans the card and the point of sale, uh, soft, the, the point of sale software, before sending or maybe after sending the credit card details for authorization, for some time it has this data unencrypted in its process, and that's where the RAM scraper malware, RAM scraper, it, uh, it basically starts at
work, is as in it sort of takes over the POS process and scrapes RAM from that process, or possibly from the, possibly does that continuously from the entire RAM of the machine, to check for credit card numbers, and we'll see shortly how, how, how that can be achieved. So this is the attack scenario, let's, let's go to attack working. So, um, step first I think is the POS malware. This is, what are these steps for? These steps are steps that the malware takes, so now we are sort of thinking from the point of view of malware: if I am a malware, what would I do, how would I steal these credit card numbers from this other
process? So the first step here that the malware does is it finds the POS process which has credit card data. Now this is not, uh, a mandatory process, this is an optional step, but, uh, usually, I mean, even if you have a low powered machine, an old machine with the 32-bit operating system and 32-bit processes, it can still, uh, access about 2 GB of virtual memory. If you have a 64-bit OS and a 32-bit process it can still access about, uh, again, I'm not, uh, I'm not, I don't remember the numbers very well, but it can still access about I think 4 GB of memory. If you have a 64-bit machine or 64-bit OS and a 64-bit process then I think the
process can allocate, uh, terabytes of memory. So it's very, uh, effective if, instead of just blindly scraping the entire memory for credit card numbers, if you fine-tune your, if the malware fine-tunes, and that's what most of the malware does, is they basically have the top 10 point of sale, uh, system software is what they target, top 10, top 15, and they don't scrape the entire RAM, they just look for that process, and, uh, that is how the target is. This can be done in various ways, uh, by looking at the title in the windows, by looking at the way the process is registered, uh, there are a lot of ways you can do this, and the way I did it in
the, in the demo later is using some of these Windows system APIs. So if you are, I mean, if you are a developer you can just write down the sequence of these APIs and at the end of this talk you would be able to write a screen, uh, RAM scraper malware. So the first step that it does is finds the POS process. The second step that it does is it elevates its own privileges. Now there is a special privilege called as SE_DEBUG_NAME, and if you are able to elevate your process's privilege to that, uh, then pretty much you can attack other processes, attach to other processes and do a whole lot of other things. So a lot,
most Windows machines, um, or, run with administrative credentials. I have yet to meet, uh, a person who says that they, they really have made, uh, they really don't use admin accounts. But, uh, this is what the POS process does, is if it's able to elevate its own privileges to SE_DEBUG_NAME then it can basically attack and attach to other processes. So this is the step two that it does. There are certain system API calls that you need to use in a peculiar way that I've mentioned here, uh, to, to do, to, to gain those privileges. And the third thing, after you gain those privileges, or if you are able to gain those privileges, is very simple: you open
the POS process. It's basically, it's as if you are just opening a gift, because you already have those privileges you just open the POS process as your gift, and inside the POS, and you do that by the simple OpenProcess call, I mean, I think everyone knows about this one. After you open the POS process, the point of sale process, the credit card number has to be there somewhere in unencrypted format, and you basically then just scrape the POS process's virtual memory, uh, by various virtual memory calls and doing ReadProcessMemory and whatnot. So this is, uh, I think it's a pretty simple and straightforward, uh, thing to do it, I don't think it really requires or has much
complexity. When we look at the demo code you will see it's hardly about three pages long, so there is not much involved in this, and scraping RAM is relatively very easy, as, uh, um, against, against popular belief. So it's, it's a pretty straightforward, uh, thing to do. So with this information on how the malware does that, okay, and one, one, one last thing: so in the last step, basically, when it scrapes the RAM, again, the RAM scraping is easy but it's sort of like finding a needle in the haystack, because memory, even if you target one single process, could be huge, there could be a lot of, uh, pages in that process memory, and you
want to optimize it. You are basically running against time, because, because the POS software, that is also not written by, like, just dummies. The POS software will try to keep unencrypted data in memory adds less for a very short time, adds only at a very small time, bare minimum time, and then it will try to either write zeros in that data structure or write ones or clear the memory, clear the buffer, so that it can't be attacked. So what one need, needs to do, or what the malware does, is it has to optimize to do this scraping really fast before the transaction is over, and you, you could do that, I mean at
least my, uh, my example code does that, by, one, only looking for memory that is committed. So again, as I mentioned, if you have a 64-bit machine and a 64-bit process you, you could, um, potentially access terabytes of memory, but you only look for memory with certain flags which tell you that this memory has really been committed to physical memory, and that's the MEM_COMMIT flag basically. You also ignore memory that is part of the executable image, so most of the memory in the POS process, so when the POS process is loaded in memory most of the code is executable, executable code that it, uh, basically is, is being executed, so you ignore all the executable image with
the MEM_IMAGE flag and you read or scrape only the memory which has data structures, which has variables, and, uh, so a lot of your executable memory is gone if you use this flag. And one another thing that you could do is, once you find a credit card number, you could remember memory addresses at which you found it the first time, and next time you could first go to those addresses, check if the numbers are there, and, uh, so that's another optimization. A lot of these POS systems still use Windows XP, or a lot of the POS processes, they are not ASLR enabled or anything like that, so there is a good chance that if
you find a credit card number for one customer at a certain memory location, when the next customer comes and swipes, uh, swipes his or her card, you will find that the POS process, when it allocates buffers and var, it, it's being done by the process and by the OS around the same virtual addresses. So these are some of the optimizations that would help, uh, any malware to find this needle in the haystack, which is basically the 16-digit credit card number in entire, entire POS memory. And the last thing to do is to do pattern match, so basically from our track one and track two data that we just saw, uh, we know that it starts with
the percent sign, there is a B, then there is a caret. Of course the credit card number would be a variable, the name would be a variable, it will change from card to card, the CVV would be a variable, but these delimiters are fixed, which is the percent, B, caret, caret and question mark. So you basically look for these, uh, delimiters in memory. Once you find them you assume that this is a number, this is the credit card number, and then what you could do is you could put that credit card number into something which is called as the card verification algorithm. So this algorithm will tell you if it is a valid credit card number
or not. So there are two ways of doing it. One is, uh, a lot of credit cards like MasterCard, Visa card, American Express card... Yes, sure.
Uh, you're very close, I'll, I'll still give it to you. It's, oh man, you have a lot of competition, so sorry. Go ahead. Sorry, yeah, those are the first numbers of the credit card. So basically MasterCard starts the M, all MasterCard numbers, if you get, uh, credit card from your wallet, would start from five. If you have a Visa card it will start from four, if you have American Express it will start from three. Uh, these are the first digit of your credit card basically, and all the other cards, they also have, uh, some fixed, uh, fixed, uh, digits. So you could either do that or you could, uh, do basically the Luhn algorithm, which basically verifies
if any credit card number is good or not. I would prefer to do the, uh, algorithm, and the algorithm is also pretty simple, it's like a glorified base 10 algorithm. What you do is you take the credit card number, this is the original credit card number. Don't assume that it will always be 16, 16 digits, because there are credit card numbers that are not 16 digits, there are less. So you drop the last number that you have and then you basically reverse the digits, so you drop the last number, five, you reverse the digits, so the third line is just a reverse of the second line. Then you multiply odd digits by two, so the first
digit was five, it got multiplied by two, so that's 10. The second digit is kept as is, the third digit is again multiplied by two, and you continue. Then you subtract nine if the number is greater than nine, so 10 is greater than nine, you subtract nine, you get one. This is not greater than nine, this is greater than nine so you subtract nine, it, from it again, and you do that for all numbers, and basically then you add all the numbers together, and in this case you get, you got an 85. And, uh, the verification is basically, if you add 85 to the number that you dropped and you do a mod 10 of it you
should get a zero, and if you get a zero then that's a valid credit card number. This algorithm, guys, is documented very well on the net, you will find it everywhere, so I mean, still I think the slides are really pretty so feel free to take pictures, but, uh, it can be found, uh, it can be found, uh, anywhere on, on, on, on, on the net. Uh, and that's what I guess you would do, is once you find these regular expressions, starting with caret, ending with this, you extract the number, make sure all the digits are, all are numeric, and then you apply this algorithm. If the mod 10 is zero then yes, you have a valid credit card
number. Uh, and, and, and again, this algorithm is very simple, as in, uh, this is a C code that I wrote and it's, I mean, literally it's just a few lines of code. You can literally type this in, in your C compiler, it will compile and it will give you if a credit card number is valid or not. And there are again a thousand different ways of doing this, I'm pretty sure a lot of you can optimize it more, but this is a barebone, uh, code that, that, that, that will work. So what did we do, we, or what did the malware do? It found the process, it elevated its privileges, it, uh, uh, what
was the third thing, it opened the POS process which had the unencrypted credit card number, and then it did this screen scraping, found the credit card number, ran it through an algorithm, made sure that it's a valid credit card number. So time for, uh, time for the demo. So what I have here, and before maybe going to the demo I can just quickly show you the source, it's, as I said, it's just a very small, three pages worth of, uh, source. Um, maybe it's not too readable here, so I think we can just, uh, skip the source here. But I was, I was very tempted to make this open source and I think I'll, I may
do that, but a friend of mine, uh, told me that such malware, it's still sold in the black market for like $500, $600, something like that. So no, I'm not trying to make money here, it's just, uh, I just want to make sure that it doesn't fall in the wrong hand. So if you are a researcher, if you have any question about this, if you are trying to do RAM scraping or something like that, just, uh, send me a message on Twitter, I have my Twitter handle at the end of the presentation, and I'll be glad to, to give you the source or help you out or, um, you know, as long as you sort of work for
some good legitimate company I can, I can give, give you this. So in the demo here what I have is, uh, what I have here is this, uh, point of sales system. It's a pretty well-known point of sales system from a multi, multi, multibillion dollar company, and I really mean multi, multi, multi-billion dollar company, and, uh, it can accept this. I have a card reader here where I can swipe cards and I have a card here which has been cancelled, so again, feel free to take pictures. Um, it's a Pep Boys card, um, so, but, but it's a credit card. And, uh, so what, what typically happens is, let's say I am, I'm a cashier,
I'm user Joe, I come here, I check in. Let's say I am Chris B, I clock in, now it says okay, now you have two cashiers. Um, what I'll do is, uh, this is just the inventory, so what this, uh, shop does, it, it sells some sporting goods, softballs, sweatpants and whatnot, so this is my inventory. So okay, typical credit card system. This is, I see the employee list, so I'm Chris B, I'm clocked in, looks all good. So a customer comes in, he or she has, like, just imagine, has bought like a few items, so what I'll do is I'll make a sale. I'll say okay, what do you have here, let's say something with baseball, so
they purchased a baseball hat. Let's say they purchase, what else do you guys want to buy, help me out? Baseball, they just have a lot of hats. Let's say a bat. Choke. Okay, okay, I'm just having too much fun. So okay, they, they bought some items, I scanned it, and this all came, the total is $16 111. And now, uh, so in here, for demo purpose, this is my Visual Studio, uh, directory where the source is compiled in the release directory, and let me, this is, this is the name of my executable, which is the screen scraping, credit card stealing evil malware. So what I do here is, as a cashier I say okay, do you want to pay by
cash or credit? Credit. I hit credit. Uh, what they do is, uh, swipe the card, and at this point basically the credit card number is unencrypted in the POS process. So let's, uh, let's, in, in, in, in, if I, I really had the malware I would have the malware run continuously. For demo purpose I'll basically just hit enter here, and what this would do is follow all the four steps that we just talked about: it would find the POS process, it would elevate its privileges, it would, uh, open the process and it would scrape the memory for unencrypted, uh, credit card numbers. So let's see if the demo gods are with us or not, because I don't have a backup, uh,
video for this. So I just press enter here and, boom, what I got was memory location, this, it was able to extract credit card number, which is, I'm, I don't think I can show it to you guys but it's exactly the same one that is on the card, 407 412 298 blah blah blah. It was able to get my name, it was able to get the expiration date, it was able to get the service code. There was no PV K but there was a CVV, 1082, which is what is used to authorize the transaction. So basically it was able to capture all the track one data, because my malware, as, as, as, as you recall, it
looks for these special characters and tries to find, uh, track one data. And, uh, actually it was able to get the same data twice, so again, I haven't reversed the process, um, the POS process, but it must be that in some array or in some variable the data is stored twice, so, and I, I don't know why that is, that must be a very peculiar thing for this particular POS software, but it's stored twice. So since the, uh, RAM scraping software, it doesn't really know, it just scrapes the RAM and looks for those patterns, runs it to the algorithm, it found the same data twice. So well guys, that's the demo. Woohoo, work. One peculiar thing, so, so here it
has stalled, so it has, it is asking me do I want to collect a tip, which is, huh, I don't know who tips at, at, uh, at a sporting shop, but this is, so let's say I do no tip, and the authorization goes and it says authoriz, authorized, and the credit, the transaction is done. Now if I go and run the software, run my, this, it's gone. It's not able to find, it's able to find the process, it says using POS process ID, it was able to find the process ID for that process, but the credit card number is gone. So actually the software is pretty good, it, as soon as the transaction is complete it is
zeroing out the memory. So it's, uh, what I, uh, am assuming is that it not just frees the memory but it also makes sure to write zeros or ones or something on that memory, in that variable, so that, uh, such attacks are not possible. But, uh, the, the, the sort of a bad thing that it did was the dialogue box where it stopped to say do you want to add some tip or not, that is when the variables or the credit card number was still in the process unencrypted. If they fix that then it's, as I said, it's again race against time, how fast you can process the credit card, send it over, get the authorization and
dump the unencrypted card from your process, versus the malware, how fast it can read your process and how fast it can, uh, um, basically get these
numbers if the malare is
what? Uh, at the end of that it would still matter, because if, I mean, if it's a 64-bit OS and a 64-bit process, and potentially, I mean, these systems are huge, they have a lot of memory allocated, so it has to still go through the entire memory. So it is, uh, it's basically, as I said, race against time, like if you can clear out the unencrypted data before the malware can get it then it's good. So like, let's say if this is card data, it is being authorized, the mal, this malware scraper is like going here, here, here, if you are able to authorize it and basically destroy the data, the malware may not be able to get
it. So it's, uh, yeah, go
ahead. Instead of going into the POS, instead of going into the POS system itself, couldn't you just do a non, non-destructive read on data coming in on the, the serial line or parallel line, instead of, uh, doing a RAM scrape of the POS software? Uh, you could do that. Um, you couldn't sniff the data that the process is sending to authorization, because it sends that, it encrypts that and sends it for authorization. Well, I mean when you swipe the card, right? You, you could, you could very well do that as well, yes, that is a possibility, but, uh, what we have seen with all the hacks that are happening these days is, for some reason this, like, maybe this
is just too easy to do that's why attackers are are doing that I think add one more uh go ahead and guys I have like one or two more slides so yes um instead of having a race against time since you're already getting the SE debug process um permission is it possible to just uh debug all uh memory writes and that way you know yes the program's slower but no one's really going to notice that extra slowness and you can process every you know every credit card number that comes through without missing them yeah yeah you could do that as well I mean there are uh again guys this is just the way I wrote it there are a lot of ways you
could write it and a lot of other creative ways of stealing your your card number so let me just go to this last slide which I think still has some good discussion points if I can find it so what can we do what are the some of the mitigation techniques so one is use POS only for its intended purpose so if uh people use point of sale system as point of sale system and don't check their email or Facebook or whatever then the chances are that they won't click anything and the malware won't get downloaded in the first place so I think that's the first thing which is use the system it's a very simple thing but use
the system for its intended use don't use it to browse the net or whatever uh try to protect against insider threats and this is from the perspective of the POS business owner if I own the business so this idtheftcenter.org said that in 2013 in last year 11% of the data breaches were because of insider threats which is basically the cashier was a bad guy or someone came in handed the cashier at 7-Eleven $100 note and say just plug in this USB in your POS and then give it back to me and uh 11% and I think that's really big so uh what POS owners have to really do is sort of to vet the people
they hire but I know it's very difficult in those type of jobs where a lot of people are just temp temp people best practices don't use uh even if you are using Windows don't use administrative credentials so you even if the POS process needs admin credentials you can log in as a user with lower rights use the run as uh which is sort of like sudo well not really but run as facilities in Windows where you can run the p the process as admin but if you go to the internet download the malware it won't run it as admin so it won't get that debug right the SE debug right and then well things won't work other things patching Access
Control scanning auditing deploy smart cards or chip and PIN cards this is uh okay I mean this is sort of still a half-baked solution I mean it's going to be uh a lot of US merchants will shift to smart cards by the end of this year but still it doesn't matter if your credit card has a chip or not it really matters on what are the capabilities of the reader so if this is let's say this is a smart card and has a chip on it what the chip does is basically it has a private key which uh uh basically encrypts your credit card number and what is sent is just the transaction ID your credit card
number never gets from here to the POS system uh it basically on the device itself it is authorized and what is sent is just the transaction numbers but anyway let's say this is a card which has the chip and PIN but all the cards with chip and PIN still have the magnetic stripe for backwards compatibility otherwise all the foreigners who in Europe in Japan they use chip and PIN when they come to the US their cards won't work with this so even though you have chip and PIN they have magnetic stripe and then you swipe and then you again have the same uh uh problem so this problem I don't think would go away unless all card readers
are don't look like this they look like the chip and PIN readers and all the credit cards don't have anything on the back the magnetic stripe on the back doesn't exist uh from the POS software vendors' perspective again we talked about it keep the unencrypted data as little uh for very short time in memory as little as possible and the the last thing is where again I want part audience participation I don't have anything to give give away but what can credit card users do and I really I really don't have a good answer I mean uh in the US I think the credit card industry is all on trust when I sign when when when you go to a
restaurant you get the check you give this card to the cashier they walk away with it there they can have a very simple system like this where they just swipe swipe a blank card and they have duplicated your credit card in most other countries in European countries in Japan in Asia in South Asia India in a lot of other countries uh they bring they have first of all chip and PIN and then they bring the credit card device to your uh to you so basically no matter how fancy the restaurant is they will come with that card reader in their hand and then you yourself uh put your PIN or you do the transaction so it is at least
a little bit of course that device itself could be hacked but I mean most probably the it's it's a little difficult so that is a little bit better where at least the card doesn't go out of my sight where anyone can have like a credit card reader swipe it take a blank credit card swipe it again and there you go my credit card is gone um so that's that that's all I have thank you this is my Twitter handle feel free to uh email me with questions with examples or anything anything that you need uh it's just that as of now I'm not too comfortable in just putting the code on you know on Google or some somewhere
where it's anyone can access it but if you are a researcher or just someone legitimate feel free to send me a message on Twitter and I can I can I can help you out thank you