The Green Sheet

Wednesday, November 8, 2017

PCI DSS 3.2 strengthens, KRACK attacks

With the Feb. 1, 2018, deadline for implementation of the Payment Card Industry (PCI) Data Security Standard (DSS) version 3.2 fast approaching, many payment service providers have already deployed new procedures initially released as best practices in 2016. Simultaneously, a vulnerability identified in the Wi-Fi Protected Access 2 (WPA2) protocol has raised security concerns among Android and Linux users.

George Mateaki, Security Analyst and Qualified Security Assessor at SecurityMetrics, noted the most significant changes in PCI DSS 3.2 involve increased requirements for service providers such as semi-annual segmentation checks and increased guidance on multifactor authentication.

"One of the big pieces that people fail on are things that surround remote access that multifactor authentication, following PCI standards, will give you the baseline where you can stop most threats, and then you go from there based on risk," Mateaki said.

He further explained that beyond just having multiple factors, PCI guidance requires that factors occur together. "A very common approach is once you have the login, then you're given some authentication code and that, per PCI guidance right now, would be considered multistep and not multifactor. That would not meet the requirement."

What's new in 3.2?

Mateaki provided the following summary of key changes in the PCI DSS 3.2 that impact payment service providers:

  • Section 3.5.1 requirement to maintain documentation of cryptographic architecture: Service providers are now required to document the architecture of their cryptography.

  • Section 6.4.6 requirement that with any new changes to network environments, service providers must verify that all applicable PCI controls are in place with regard to logging, virus protection, etc.

  • Section 8.3.1 requirement to incorporate multifactor authentication for all non-console access into the cardholder data environment for all personnel with administrative access.

  • Section 10.8 requirement to have a system in place that provides alerts whenever major PCI requirement-type systems fail, such as impairment of firewall, file integrity monitoring, antivirus, physical access, audit logging and segmentation controls.

  • Section 10.8. requirement to have a process in place for responding to system failures, which includes documenting and identifying the issue, finding the root cause, addressing security issues as a result of the issue, performing risk assessment, implementing controls and reinitiating monitoring.

  • Section requirement that service providers perform two segmentation checks annually.

  • Section 12.4.1 requirement that service providers have a charter in place for PCI DSS compliance. Mateaki noted that SecurityMetrics will offer templates that service providers can use to comply with this section requirement.

  • Section 12.11 requirement to have a quarterly process in place that ensures all PCI compliance measures continue to work effectively, such as proper application of configuration standards, response to security alerts and change management.

  • Section 12.11.1 requirement to document results of the quarterly review process and have it signed off.

KRACK hits Wi-Fi

A Wi-Fi vulnerability called Key Reinstallation Attack (KRACK) has impacted certain wireless devices and Wi-Fi repeater devices including cell phones, laptops and wireless extenders. KRACK, an exploitation method recently identified by researchers, exploits an implementation flaw in WPA2, the most advanced security protocol for Wi-Fi.

"With KRACK, if I were connected to a wireless access point vulnerable to the attack, an attacker would be able to intercept my traffic going out to Google, for example, and they would be able to perform man-in-the-middle attacks, where they would be able to see all my traffic and be able to inject their own traffic," said Chad Horton, Senior Director of Penetration Testing at SecurityMetrics.

He explained that in a majority of cases, attackers only gain one-way, man-in-the-middle access where they are able to decrypt messages going in one direction, but not coming back in the other direction.

"What happens with wireless networks is we expect them to be unreliable and for frames to get dropped between my laptop and the router, and because of that we build in redundancy," Horton said. "We expect my laptop, if it doesn't get confirmation that a frame was received, to resend that to the access point. Similarly, on the other side, we expect the access point to accept those frames coming in a second time, in case it wasn't received. In order to have a robust protocol, they built that into it."

He noted that with KRACK, attackers realized that if they held onto certain handshake frames and replayed them at a later time, it would reset the entire connection, or stream, back to the beginning, thus weakening encryption because different data would then be encrypted with the same keystream.

"With Android 6 and Linux, in particular, that stream got replayed at a later time, and the standard didn't say that they needed to maintain the original key in memory," he said. "Android was getting rid of the encryption key that started. When it was told to go back and start over, there was no key there. What it got instead was a blank encryption key, which is zeros, and when it tried to encrypt the data it was encrypting it in plain text."

Horton does not blame the authors of the WPA supplicant (the client seeking to be authenticated), because the standard itself does not define how to handle that specific scenario. "The proofs that were written 15 years ago are still proven to be sound and secure," he said, noting that what was broken is how people implemented WPA2 due to ambiguities in the definition.

To prevent such attacks from occurring, Horton recommends installing security updates immediately upon release by vendors. With Android 6, he suggests updating to Android 7, since service providers such as AT&T and Sprint may not necessarily forward security patches to users. Linux, for the most part, has resolved the issue, while iOS and Windows operating systems were not affected by the KRACK attack, he said.
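The failure Horton describes, as an added example that is not part of the article and not code from SecurityMetrics or any WPA2 implementation: a small Python model of the client-side key installation step, with the vulnerable behaviour (reinstall on every message 3, packet number reset, and the Android 6/Linux variant that wipes the key after the first install) beside the fixed behaviour (install once, only re-acknowledge retransmits). The `keystream` function is a hash-based stand-in for the real cipher; the `Supplicant` class, its `hardened` and `clears_key` flags and the sample requests are constructed for this illustration.

```python
"""Toy model of WPA2 pairwise-key installation on the client (supplicant).

Constructed illustration only. `keystream` is a hash-based stand-in for the
per-packet keystream a real CCMP/GCMP cipher derives from the session key and
the packet number (nonce); it is not the WPA2 cipher.
"""
import hashlib


def keystream(key: bytes, nonce: int, length: int) -> bytes:
    """Stand-in keystream: depends only on (key, nonce), like a real
    nonce-based mode. Same key and same nonce -> same keystream."""
    return hashlib.sha256(key + nonce.to_bytes(8, "big")).digest()[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Supplicant:
    """Client side of the 4-way handshake, reduced to key installation.

    hardened=False reproduces the behaviour the article describes: every
    message 3, original or retransmitted, reinstalls the key and resets the
    packet number. clears_key=True additionally models the Android 6 / Linux
    variant in which the derived key is wiped from memory after the first
    install, so a reinstall picks up an all-zero key.
    hardened=True installs the key once and only re-acknowledges retransmits.
    """

    def __init__(self, hardened: bool, clears_key: bool = False):
        self.hardened = hardened
        self.clears_key = clears_key
        self.pending_ptk = None   # key derived after handshake message 2
        self.key = None           # key currently installed in the cipher
        self.nonce = 0            # per-packet number used with the key
        self.installed = False

    def on_msg2_sent(self, ptk: bytes) -> None:
        # After message 2 the client has derived the pairwise key (PTK).
        self.pending_ptk = ptk

    def on_msg3(self) -> str:
        """Handle handshake message 3 from the access point."""
        if self.hardened and self.installed:
            # Fix: acknowledge the retransmit (message 4 is resent) but leave
            # the installed key and packet number untouched.
            return "msg4 resent; key not reinstalled"
        self.key = self.pending_ptk
        self.nonce = 0            # packet number reset: the KRACK root cause
        self.installed = True
        if self.clears_key:
            # Wipe the derived key once installed; the next install reads zeros.
            self.pending_ptk = bytes(len(self.key))
        return "msg4 sent; key installed"

    def encrypt(self, plaintext: bytes) -> bytes:
        ct = xor(plaintext, keystream(self.key, self.nonce, len(plaintext)))
        self.nonce += 1
        return ct


# Constructed sample data: a fixed key and two equal-length requests.
SAMPLE_PTK = bytes(range(16))
PT1 = b"GET /balance HTTP/1.1"
PT2 = b"POST /login HTTP/1.1 "


def keystream_reuse_after_reinstall() -> bool:
    """Vulnerable client, key kept: a replayed message 3 resets the nonce, so
    two different frames share one keystream and XORing the ciphertexts
    yields the XOR of the plaintexts."""
    c = Supplicant(hardened=False)
    c.on_msg2_sent(SAMPLE_PTK)
    c.on_msg3()
    ct1 = c.encrypt(PT1)
    c.on_msg3()                   # retransmitted message 3
    ct2 = c.encrypt(PT2)
    return xor(ct1, ct2) == xor(PT1, PT2)


def zero_key_after_reinstall() -> bool:
    """Vulnerable client, key cleared (Android 6 / Linux case): after the
    reinstall the cipher runs with an all-zero key, whose keystream anyone
    can compute, so the frame is effectively plaintext."""
    c = Supplicant(hardened=False, clears_key=True)
    c.on_msg2_sent(SAMPLE_PTK)
    c.on_msg3()
    c.on_msg3()                   # retransmitted message 3
    ct = c.encrypt(PT1)
    return c.key == bytes(16) and xor(ct, keystream(bytes(16), 0, len(PT1))) == PT1


def hardened_client_ignores_reinstall() -> bool:
    """Patched client: the retransmit is acknowledged, the key stays the
    original PTK, the nonce keeps counting, and no keystream repeats."""
    c = Supplicant(hardened=True, clears_key=True)
    c.on_msg2_sent(SAMPLE_PTK)
    c.on_msg3()
    ct1 = c.encrypt(PT1)
    c.on_msg3()                   # retransmitted message 3
    ct2 = c.encrypt(PT2)
    return (c.key == SAMPLE_PTK and c.nonce == 2
            and xor(ct1, ct2) != xor(PT1, PT2))


if __name__ == "__main__":
    print("keystream reused after reinstall:", keystream_reuse_after_reinstall())
    print("all-zero key after reinstall:    ", zero_key_after_reinstall())
    print("hardened client unaffected:      ", hardened_client_ignores_reinstall())
```

The point the model makes is the one Horton raises: the protocol's retransmission tolerance is fine on its own, but a client that re-runs the install step on a retransmit either reuses a keystream or, if it has already wiped the derived key, installs zeros. The fix in the hardened path is a single piece of state (`installed`) that the client consults before touching the cipher again.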
