Breaking Credit Card Tokenization Without Cryptanalysis

DerbyCon 6.0 - Recharge

Presented by: Tim MalcomVetter
Date: Saturday September 24, 2016
Time: 09:00 - 09:50
Location: Regency North
Track: Break Me

Credit Card Tokenization is a very popular antidote to costly and time-consuming PCI regulations, but are all implementations equally secure? Early studies on tokenization focused on the cryptanalysis of the token generation process, especially when early implementations sought to create 16-digit numeric tokens to satisfy constraints in legacy commerce systems. Fast forward to 2016: most of those problems do not exist today; however, anecdotes from consulting with Fortune 500s suggest that other insecure properties, not involving crypto, can vary and emerge in tokenization systems. This talk will dig into several sanitized examples from consulting engagements which reduce “PCI Compliant” Credit Card Tokenization from “silver bullet” to “speed bump” status when big-picture security controls are missing. Specifically: abuse of separation of duties by rogue partial insiders via public APIs commonly found in e-commerce applications; discovery of accidental side channels of critical information flow, such as timing analysis or response differentiation, which can be abused to reveal full PANs (primary account numbers); whether DevOps cultures could promote rogue admins abusing tokenization presentation logic implemented in JavaScript; and, for good measure, some common programming defects which at best render tokenization pointless and at worst could allow a breach. With each example, we’ll look at potential solutions.

Tim MalcomVetter

Tim MalcomVetter (@malcomvetter) has fifteen years in defending, building, and breaking systems. Tim is the Director of the Red Team at the world’s largest commercial entity, Walmart (@WalmartLabs), where he is privileged to lead a team of very skilled Red Team engineers testing one of the largest environments in the world (over 130 million IP addresses, petabytes of Big Data, thousands of applications, and millions upon millions of internal and external users). Before that, Tim was a Principal Consultant in Optiv’s Software Security Group and their top offensive security blogger during his tenure, performing penetration tests and code reviews on web apps, web services, mobile apps, point of sale systems, proprietary TCP socket services, and even fuel pumps and car washes (yes, fuel pumps!). Before that, Tim led agile e-commerce dev teams, led PCI compliance projects at Level 1 merchants, and was a security generalist wearer-of-many-hats. Tim has presented in numerous venues, including Black Hat USA Tools Arsenal, BSides, ArchC0N, ShowMeCon, Secure World Expo, and several developer conferences, and also donates time to coach the Missouri S&T Collegiate Cyber-Defense Team. Tim has several security certifications, a master’s in information assurance, and held a doctoral study fellowship at Missouri S&T.
