
Slicing into a Point-of-Sale Botnet - cpach
http://krebsonsecurity.com/2016/06/slicing-into-a-point-of-sale-botnet/
======
themartorana
Couple of things. First, I suppose I should have assumed it, but I didn't know
botnets had nice admin panels! :)

Secondly, this is at least part of what chip-and-_pin_ was supposed to solve,
and here in the US we ended up with chip and signature, which is almost as
useless. (Not that it helps much with online transactions, although I'd be
more scared of mail fraud charges than anything...)

I wonder if card companies ever go darknet and try to bot the bots, to
proactively close and replace those compromised cards?

~~~
ianmiers
From what I understand, this is exactly what chip and signature solves and
adding a PIN does little. The "credit card numbers" a chip produces are one
time use, so skimming them is worthless. And if the POS system is really and
truly owned, it still gets to see the PIN.

The only thing a PIN protects against is stolen cards. But it also creates the
presumption that any stolen card that is used was the user's fault because she
gave up the PIN. This is problematic especially if coupled with a liability
shift. There is a long line of work by [0] about these problems in England.

[0]
[https://www.cl.cam.ac.uk/research/security/banking/nopin/oak...](https://www.cl.cam.ac.uk/research/security/banking/nopin/oakland10chipbroken.pdf)

~~~
joe_the_user
The ideal thing would be having a pin you enter into a little keyboard on the
card itself, meaning physically stealing the card wouldn't be easy. Then have
an interface that would let these cards be used over the net. Then stolen
credentials would be hard to do.

~~~
e12e
Note that, if you could dust the card, and be highly likely to get the 4
numbers needed for a typical 4 digit pin, with 3 guesses, you'd have a ~13%
chance of guessing the pin for a card ( 1/4! + 1/(4!-1) + 1/(4!-2) ). [ed:
obviously there are (at most, for 4 different digits) 24 possible
combinations, so you'd need 12 tries at 2 guesses/try to be certain you found
the correct code].

This does assume you can figure out which digits are in use, but I'd be
surprised if you couldn't...
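A worked version of the counting in the comment above, added here as an example and not part of the thread. It assumes (my assumption) that dusting reveals exactly which keys were pressed but neither their order nor how many times each was pressed, and that the PIN is 4 digits. It generalises beyond the comment's "4 different digits" case: with fewer distinct keys showing, a digit must have been repeated, and the candidate set is the set of surjections from 4 positions onto the pressed keys (36 for 3 keys, 14 for 2, 1 for a single key). Because successive guesses are distinct, the chance that three guesses hit a PIN drawn uniformly from N candidates is exactly 3/N, so 3/24 = 12.5% for four distinct keys.

```python
"""Added example (not from the thread): how much a 'dusted' PIN pad narrows
the search space, and what that does to a 3-guesses-per-attempt limit.

Assumption (mine): the attacker learns the set of keys that were pressed,
not their order or multiplicity; PINs are 4 digits, all candidates equally
likely; each guess is a distinct candidate (no repeats).
"""
from itertools import product
from math import comb

PIN_LENGTH = 4


def candidate_pins(pressed_keys, length=PIN_LENGTH):
    """All PINs of the given length that use every pressed key at least once
    and no other key. Enumerated directly so the count is checkable."""
    keys = sorted(set(pressed_keys))
    return [
        "".join(p)
        for p in product(keys, repeat=length)
        if set(p) == set(keys)
    ]


def surjection_count(k, length=PIN_LENGTH):
    """Closed form for len(candidate_pins(...)) with k distinct keys: the
    number of surjections from `length` positions onto k keys, computed by
    inclusion-exclusion. Cross-checks the brute-force enumeration."""
    return sum((-1) ** j * comb(k, j) * (k - j) ** length for j in range(k + 1))


def success_probability(pressed_keys, guesses=3, length=PIN_LENGTH):
    """Chance that `guesses` distinct attempts hit the PIN when every
    candidate is equally likely: min(guesses, N) / N, not a sum of 1/N, 1/(N-1), ...
    (the second guess is only made when the first missed)."""
    n = len(candidate_pins(pressed_keys, length))
    return min(guesses, n) / n


def attempts_to_exhaust(pressed_keys, guesses_per_attempt=3, length=PIN_LENGTH):
    """Number of separate attempts (each allowing guesses_per_attempt guesses
    before the card locks) needed to be certain of covering every candidate."""
    n = len(candidate_pins(pressed_keys, length))
    return -(-n // guesses_per_attempt)  # ceiling division


if __name__ == "__main__":
    # Constructed inputs: the distinct keys an attacker might see after dusting.
    for keys in ("1234", "123", "12", "1"):
        n = len(candidate_pins(keys))
        assert n == surjection_count(len(set(keys)))
        print(f"{len(set(keys))} distinct key(s): {n} candidates, "
              f"P(hit in 3 guesses) = {success_probability(keys):.3f}, "
              f"attempts to exhaust at 3/attempt = {attempts_to_exhaust(keys)}, "
              f"at 2/attempt = {attempts_to_exhaust(keys, 2)}")
```

Note that the 4-distinct-key case is the attacker's worst case, not the best: fewer distinct keys visible means a repeated digit and a smaller candidate set, so a pad where every key is worn equally (as suggested further down the thread) is what actually defeats this.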

~~~
joe_the_user
Well, if the card could require you to enter first a random code and then your
pin, the keyboard might be kept such that each key was hit equally often.

I'm sure there are plenty more bugs to work out in such a system but if such
things were reasonably widespread, it would make overall security much higher.

------
Cyph0n
Great article! I love these kinds of reports on the features and capabilities
of the latest trojans.

I used to get my fix when I was active (as a customer) in the malware scene
several years back, but now I can't follow these developments anymore. Don't
worry: I didn't do much, and it's all behind me now.

Does anyone know of good blogs or websites that cover these kinds of things? I
currently follow Krebs and a number of subreddits, yet I still feel there's
more out there.

~~~
bediger4000
Which subreddits?

I might add the Malware Must Die blog:
[http://blog.malwaremustdie.org/](http://blog.malwaremustdie.org/)

One of the few malware analysis blogs that doesn't have all-Windows,
all-the-time blinders on.

~~~
Cyph0n
Cool, bookmarked!

These are the ones I'm subscribed to. There is unfortunately some overlap in
content, and some stuff is not related to malware, but they're pretty good
when taken together.

[https://reddit.com/r/ReverseEngineering/](https://reddit.com/r/ReverseEngineering/)

[https://reddit.com/r/netsec](https://reddit.com/r/netsec)

[https://reddit.com/r/malware](https://reddit.com/r/malware)

------
arcanus
Any word on who is running this botnet? I'm guessing it is not a hacking ring
inside the USA, and would guess China or Russia, but that is based on
reputation, not any specific knowledge.

~~~
themartorana
Admin panel is in English - does that give a clue maybe? Or is English used as
the international language for distributed hacker teams, maybe?

~~~
meowface
Russian is typically their lingua franca.

