PCI DSS 3.0 Requirement 4.1 demands more robust protection of cardholder data in transit across open, public networks, extending beyond the Internet and wireless LANs named in PCI DSS 2.0. To satisfy the current standard, merchants and service providers now need to take further precautions by encrypting cardholder data carried over other open networks such as Bluetooth, cellular technologies (GSM/GPRS), and satellite communications.
Why the change?
With the advent of cheap, widely available SDR (software defined radio) hardware and free software, it is now possible for criminals to intercept and attack communications protocols previously thought safe, such as GSM/GPRS/3G/4G, Bluetooth, DMR, P25 and SCADA radio protocols. Previously, the equipment required would have cost tens of thousands of pounds.
Most of these protocols support encryption, but in practice it is often disabled, or set to a weak mode, for ease of setup. With the new generation of low-cost SSDs (solid state disks) and GPUs (graphics processing units), many of the encryption schemes actually in use can now be cracked, even though they were previously thought safe. Because radio interception is entirely passive, this gives attackers a way to steal cardholder data and credentials without leaving any trace, from a considerable distance outside the organisation's physical and Internet perimeter.
SureCloud PCI Penetration Test Findings
Recently, SureCloud's PCI Penetration Testing services have identified the following vulnerabilities across open and public networks:
- Bluetooth – the pairing process and all keystrokes were captured between a Bluetooth keyboard and computer including the user’s network login and password.
- DECT calls were intercepted containing the full personal details and full cardholder information (including the CVV) of customers.
- DMR communications were intercepted containing door and safe access codes.
How does SureCloud help?
Almost all of these protocols can be deployed securely by enabling strong encryption and by penetration testing them, so that configuration weaknesses and rogue systems are detected and remediated. SureCloud now provides specialist testing services and remediation advice for all of these protocols as part of its PCI Penetration Tests. The results of these tests, together with remediation advice, are available in the SureCloud Platform so that remediation work can be tracked and vulnerabilities confirmed as fixed.