Amol Sarwate

Director of Vulnerability at Qualys (USA)

Amol Sarwate

Paper Title

Anatomy of a credit card stealing POS malware


Credit card payment processing and point-of-sale (POS) systems are like a black box for most people without knowledge of its internal working. But recent data breaches of thousands of credit cards have shown that determined attackers have not only mastered ways to steal old fashioned magnetic stripe cards, but targeted EMV card data (chip-and-PIN, chip-and-signature, chip-and-choice). Attackers have also found a way to compromise the newest smart phone based mobile point-of-sale systems. Magnetic cards are mostly used in USA which is transitioning to smart cards. But Europe, India, Canada and other countries that already have transitioned to EMV smart cards are also under attack.

This session will explain the architecture of different type of POS systems and how components operate and integrate with each other. With this understanding I will explain how each type of system can be attacked and describe various attack vectors. This knowledge will help understand, defend and implement security measures against future attacks. A live demo! and quick source code explanation of a PoC ram scraping malware and its internal working will be shown. Techniques for attack mitigation will be provided to save merchants, banks and consumers from disastrous financial losses. And finally, if time permits we will also discuss the financial issue of liability shift.

Speaker Bio

Amol heads Qualys' worldwide security engineering team responsible for vulnerability and compliance research. His team tracks emerging threats and develops software which identifies new vulnerabilities and insecure posture for Qualys' VM, PC, PCI and QBC services. Amol is a veteran of the security industry and has devoted his career to protecting, securing and educating the community from security threats. Amol has presented his research on Vulnerability Trends, Security Axioms, SCADA security, Malware and other security topics at numerous security conferences, including RSA Conference, BlackHat, Hacker Halted, SecTor, BSides, InfoSec Europe, NullCon, GrrCon, ISSA, Homeland security Network HSNI and FS/ISAC. He regularly contributes to the SANS Top 20 expert consensus identifying the most critical security vulnerabilities. He writes the "HOT or NOT" column for SC Magazine and holds a US patent for Systems and Methods for Performing Remote Configuration Compliance Assessment of a Networked Computer Device.

Copyright © 2023 | Nullcon India | International Security Conference | All Rights Reserved