Wednesday, November 8, 2017
George Mateaki, Security Analyst and Qualified Security Assessor at SecurityMetrics, noted the most significant changes in PCI DSS 3.2 involve increased requirements for service providers such as semi-annual segmentation checks and increased guidance on multifactor authentication.
"One of the big pieces that people fail on are things that surround remote access that multifactor authentication, following PCI standards, will give you the baseline where you can stop most threats, and then you go from there based on risk," Mateaki said.
He further explained that beyond just having multiple factors, PCI guidance requires that factors occur together. "A very common approach is once you have the login, then you're given some authentication code and that, per PCI guidance right now, would be considered multistep and not multifactor. That would not meet the requirement."
Mateaki provided the following summary of key changes in the PCI DSS 3.2 that impact payment service providers:
A Wi-Fi vulnerability called Key Reinstallation Attack (KRACK) has impacted certain wireless devices, including cell phones, laptops and Wi-Fi repeaters or extenders. KRACK, an exploitation method recently identified by researchers, exploits an implementation flaw in WPA2, the most advanced security protocol for Wi-Fi.
"With KRACK, if I were connected to a wireless access point vulnerable to the attack, an attacker would be able to intercept my traffic going out to Google, for example, and they would be able to perform man-in-the-middle attacks, where they would be able to see all my traffic and be able to inject their own traffic," said Chad Horton, Senior Director of Penetration Testing at SecurityMetrics.
He explained that in a majority of cases, attackers only gain one-way, man-in-the-middle access where they are able to decrypt messages going in one direction, but not coming back in the other direction.
"What happens with wireless networks is we expect them to be unreliable and for frames to get dropped between my laptop and the router, and because of that we build in redundancy," Horton said. "We expect my laptop, if it doesn't get confirmation that a frame was received, to resend that to the access point. Similarly, on the other side, we expect the access point to accept those frames coming in a second time, in case it wasn't received. In order to have a robust protocol, they built that into it."
He noted that with KRACK, attackers realized that if they held onto certain frames and replayed them at a later time, it would reset the entire connection, or stream, back to the beginning, thus weakening encryption because they were then able to encrypt different data with the same stream ciphers.
"With Android 6 and Linux, in particular, that stream got replayed at a later time, and the standard didn't say that they needed to maintain the original key in memory," he said. "Android was getting rid of the encryption key that started. When it was told to go back and start over, there was no key there. What it got instead was a blank encryption key, which is zeros, and when it tried to encrypt the data it was encrypting it in plain text."
Horton does not blame the authors of the WPA supplicant (the client seeking to be authenticated), because the standard itself does not define how to handle that specific scenario. "The proofs that were written 15 years ago are still proven to be sound and secure," he said, noting that what was broken is how people implemented WPA2 due to ambiguities in the definition.
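As an added illustration of the replay Horton describes (a constructed model, not code from SecurityMetrics or from this article): a simplified supplicant that, on a replayed handshake message 3, either reinstalls the key and resets its packet nonce, or, in the hardened variant, refuses to reinstall a key already in use. The toy keystream stands in for the real cipher, and the class names, `simulate` and the frame contents are assumptions.

```python
import hashlib
import os

# Toy counter-mode keystream standing in for CCMP (model only, not the real cipher):
# each block is SHA-256(key || packet nonce || block counter), so the same key and
# nonce always produce the same keystream.
def keystream(key: bytes, nonce: int, length: int) -> bytes:
    out = b""
    for counter in range((length + 31) // 32):
        out += hashlib.sha256(key + nonce.to_bytes(8, "big") + counter.to_bytes(4, "big")).digest()
    return out[:length]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class Supplicant:
    """Simplified client side of the WPA2 4-way handshake (hypothetical model)."""
    def __init__(self, reject_reinstall: bool):
        self.reject_reinstall = reject_reinstall  # the fix: ignore a key already in use
        self.ptk = None
        self.nonce = 0

    def on_message3(self, ptk: bytes) -> bool:
        # Message 3 instructs the client to install the PTK and start the packet
        # nonce at zero. A retransmitted (replayed) message 3 carries the same PTK.
        if self.reject_reinstall and ptk == self.ptk:
            return False  # already installed: keep the key and the current nonce
        self.ptk = ptk
        self.nonce = 0
        return True

    def encrypt(self, plaintext: bytes) -> tuple[int, bytes]:
        n, self.nonce = self.nonce, self.nonce + 1
        return n, xor(plaintext, keystream(self.ptk, n, len(plaintext)))

FRAME1 = b"frame one: hello access point"   # constructed sample frames (same length)
FRAME2 = b"frame two: another data frame"

def simulate(reject_reinstall: bool) -> dict:
    """Install the key, send a frame, replay message 3, send another frame."""
    ptk = os.urandom(32)
    client = Supplicant(reject_reinstall)
    client.on_message3(ptk)
    n1, c1 = client.encrypt(FRAME1)
    reinstalled = client.on_message3(ptk)          # replayed message 3
    n2, c2 = client.encrypt(FRAME2)
    return {"nonce_reused": n1 == n2, "reinstalled": reinstalled,
            # with a reused keystream, XOR of ciphertexts equals XOR of plaintexts
            "keystream_reused": xor(c1, c2) == xor(FRAME1, FRAME2)}
```

Running `simulate(False)` models the vulnerable client (nonce and keystream reused after the replay); `simulate(True)` models the patched behaviour, where the replayed message is ignored and the nonce keeps advancing.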
To prevent such attacks from occurring, Horton recommends installing security updates immediately upon release by vendors. With Android 6, he suggests updating to Android 7, since service providers such as AT&T and Sprint may not necessarily forward security patches to users. Linux, for the most part, has resolved the issue, while iOS and Windows operating systems were not affected by the KRACK attack, he said.