Harvesting Credit Cards from ISO8583-1987 Traffic

Paul Anderson by Paul Anderson
May 25, 2012
in Security
Having investigated cardholder data security breaches for a few years now, I have noticed changes in attacker behavior when choosing entities to target. Over the past 3 years, trends in attack vectors have been transformed as the hacker community matured and set its sights on larger organizations to prey on. The migration from attacking small merchants to large-scale organizations brings with it a whole host of changes for the forensic community, particularly the differences in technologies used in the environments that are now being targeted. In the past, it was simple enough to investigate a small ecommerce merchant that had been compromised via SQL injection. Now, with larger service providers and banks being the targets of compromises, the focus of the investigation shifts from mainstream cardholder data transmission protocols like TCP/IP to the less common types, such as the standard for Financial Transaction Card Messages, ISO8583.

The first thing to note after having captured network-based evidence was that, instead of the 7-bit encoding employed by ASCII, a large portion of the data sent over the wire was encoded in EBCDIC, an 8-bit character encoding. Switching to this encoding in one of the many hex decoders out there results in some form of legible data, as shown below:

Figure 1 – Example of Raw ISO 8583 Traffic

This legibility usually fools the investigator into thinking that card data would be clearly visible in this format. This is not the case; a lot more dissection needs to take place before the data is fully extracted. ISO8583 traffic consists of 3 major parts as follows:


Figure 2 – ISO8583 Message Elements

There are already several whitepapers that discuss all the data fields available in an ISO8583 message block; however, the primary focus for this and most investigations is to strip out the card data from the message block captured on the wire. The following are the main points to note when producing POC code to strip out the cards from the block:

  • The MTI (Message Type Indicator) is the first field of every ISO8583 message block and contains metadata such as message version, class and origin.
  • Every ISO8583 message block has at least one 64-bit bitmap that has to be taken into account. Some setups make use of 2 or more bitmaps depending on the inclusion of other proprietary and reserved fields. The information in the bitmaps indicates which data elements are present in the message block being analyzed.
  • Every other field that is not directly linked to the cardholder’s Primary Account Number (PAN) can be neglected for the purpose of producing the POC code; nevertheless, the code can be customized to pull out other fields as necessary.

As shown in figure 1, each message block started with an EBCDIC-encoded “ISO8583-1987” clause. This clause is the part of the MTI that denotes the ISO8583 version in use; in this case the 1987 version of the standard was used. An intuitive approach is to treat all the data following this header clause, but preceding the next header, as part of the same message block.

From a very high level, the part of the MTI that immediately follows the version is the message class, which tells us the exact purpose of the message. In our case ‘0x0200’ denotes a financial message originating from an acquirer.

Probably the most important part of the message block is the primary bitmap. This immediately follows the “Message Class” section of the MTI. The first step is to analyze the bitmap to determine where the card number sits in relation to the beginning of the message block, if any exists at all. For this exercise, every other piece of data is considered irrelevant. As each bitmap is 64 bits in length, extracting the 64 bits immediately following the message class gives us the following hexadecimal value from figure 1:


Figure 3 – Primary Bitmap from Figure 1

Decoding this value would give us the following binary equivalent:


Figure 4 – Binary Equivalent of Primary Bitmap

Making sense of this information is a relatively simple process from here on. ISO8583 defines at least 128 data elements that can possibly exist in each message block. Each binary digit from all the present bitmaps will denote the presence of a field in the spaces remaining for the data elements. The table below shows an example of some of the data elements that have been defined by the ISO8583 standard. Only the first 7 data elements have been included below.

Data Element | Data Type | Description
1            | Binary    | Bitmap of up to 192 bits
2            | Numeric   | Primary Account Number (PAN) of up to 19 characters
3            | Numeric   | 6 digit Processing Code
4            | Numeric   | 12 digit Transaction Amount
5            | Numeric   | 12 digit Settlement Amount
6            | Numeric   | 12 digit Cardholder Billing Amount
7            | Numeric   | 10 digit value specifying transmission Time and Date

Figure 5 – Data Elements Description Table, First 7 Values

The list of data elements goes all the way up to at least 128. Each element’s data type can be binary, numeric or even alphanumeric, depending on the data transmitted in the field.

Now, consolidating information from this data elements table with the results obtained from decoding the mandatory primary bitmap, we can make sense of which fields to expect and how long they will be. Every positive bit in the decoded bitmap denotes the presence of the corresponding field, whilst the zeros represent the absence of a field. More importantly, all readings are taken from left to right. Therefore, taking the first 4 bytes of the decoded binary output from the primary bitmap as an example, we can tell the following:

01110010     Fields 2,5,6, and 7 are present
00111110     Fields 10,11,12,13,14 are present
11100100     Fields 19,22,23 and 24 are
10000001     Fields 25 and 32 are present

Referring back to the table, we can draw the following conclusions:

  • A secondary bitmap is not present
  • The Primary Account Number (PAN) is in the message block
  • The Settlement and Billing amounts are present
  • Dates and Times of each transaction can be harvested from the message block

Now that we know what data is present, we can produce POC code that allows us to strip out PANs from each message, as follows.


Figure 6 – POC Code to extract PANs from the ISO8583 Message block

It is apparent from the code that, for the purposes of this exercise, everything that is not the PAN is read and disregarded. The script can be altered to pull out any field as required, as the presence of each field and its length is clearly shown in the bitmap. A lot more can be done with this code to produce a much more robust tool that dynamically chooses the field to extract on demand… however, at this point, deciphering and extracting credit cards sounds like a good starting point to me!
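The article's POC survives only as a screenshot, so the following is an added example, written for this page and not the author's code, of the bitmap walk and PAN extraction described above (the bitmap reading in the "01110010" section and the POC in figure 6). It assumes the wire encoding is EBCDIC code page 037 (Python's cp037), that the bitmap travels as 8 raw bytes (some deployments send it as 16 hex characters instead, which would need a one-line change), and, for data elements beyond DE7, the fixed lengths of the 1987 standard as I know them; DE2 through DE7 follow figure 5. The sample message is constructed, with a primary bitmap built so that exactly the fields the article lists are present and the well-known Visa test PAN, and the parser returns a Luhn-validated, masked record rather than the cleartext PAN, which is what an investigator's evidence log should contain.

```python
# Data element specs for the ISO 8583:1987 fields this example models.
# kind: "fixed" = fixed-length numeric field of `length` characters;
#       "llvar" = two-character length prefix, then up to `length` characters.
# DE2-DE7 follow the article's figure 5; the remaining lengths are this
# example's assumption based on the 1987 standard.
FIELD_SPEC = {
    2: ("llvar", 19),   # Primary Account Number (PAN)
    3: ("fixed", 6),    # Processing code
    4: ("fixed", 12),   # Transaction amount
    5: ("fixed", 12),   # Settlement amount
    6: ("fixed", 12),   # Cardholder billing amount
    7: ("fixed", 10),   # Transmission date and time (MMDDhhmmss)
    10: ("fixed", 8),   # Cardholder billing conversion rate
    11: ("fixed", 6),   # System trace audit number
    12: ("fixed", 6),   # Local transaction time
    13: ("fixed", 4),   # Local transaction date
    14: ("fixed", 4),   # Expiration date (YYMM)
    19: ("fixed", 3),   # Acquiring institution country code
    22: ("fixed", 3),   # POS entry mode
    23: ("fixed", 3),   # Card sequence number
    24: ("fixed", 3),   # Network international identifier
    25: ("fixed", 2),   # POS condition code
    32: ("llvar", 11),  # Acquiring institution identification code
}

EBCDIC = "cp037"  # assumed EBCDIC code page, mimicking the wire encoding seen in figure 1


def decode_bitmap(bitmap: bytes, offset: int = 0) -> list:
    """Return the numbers of the data elements whose bit is set.

    Bits are read left to right: bit 1 is the most significant bit of the
    first byte, so a 64-bit bitmap maps to elements offset+1 .. offset+64.
    """
    present = []
    for byte_index, byte in enumerate(bitmap):
        for bit in range(8):
            if byte & (0x80 >> bit):
                present.append(offset + byte_index * 8 + bit + 1)
    return present


def parse_message(raw: bytes) -> dict:
    """Walk MTI, bitmap(s) and data elements; fail loudly on anything it cannot size.

    Misreading one length shifts every later field, so an element with no known
    length, or bytes left over after the last flagged element, is an error.
    """
    pos = 0
    mti = raw[pos:pos + 4].decode(EBCDIC)
    pos += 4
    present = decode_bitmap(raw[pos:pos + 8])
    pos += 8
    if 1 in present:  # bit 1 set: a secondary bitmap (elements 65-128) follows
        present = [f for f in present if f != 1] + decode_bitmap(raw[pos:pos + 8], offset=64)
        pos += 8
    data = {}
    for field in present:
        spec = FIELD_SPEC.get(field)
        if spec is None:
            raise ValueError(f"no length known for DE{field} at offset {pos}")
        kind, length = spec
        if kind == "llvar":
            length = int(raw[pos:pos + 2].decode(EBCDIC))
            pos += 2
        data[field] = raw[pos:pos + length].decode(EBCDIC)
        pos += length
    if pos != len(raw):
        raise ValueError(f"message length {len(raw)} does not match bitmap-described length {pos}")
    return {"mti": mti, "present": present, "data": data}


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit test, used to reject false-positive PAN candidates."""
    if not pan.isdigit() or len(pan) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Truncate for evidence logs: keep first 6 and last 4 digits, mask the middle."""
    if len(pan) <= 10:
        return "*" * len(pan)
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pan_summary(raw: bytes) -> dict:
    """Extract DE2 from one message and return only a masked, Luhn-validated record."""
    msg = parse_message(raw)
    pan = msg["data"].get(2)
    return {
        "mti": msg["mti"],
        "pan_present": pan is not None,
        "luhn_valid": luhn_ok(pan) if pan else False,
        "masked_pan": mask_pan(pan) if pan else None,
        "transmitted_at": msg["data"].get(7),
    }


def build_sample_message() -> bytes:
    """Constructed sample, not captured traffic: MTI 0200, a primary bitmap flagging
    exactly DE 2,5,6,7,10-14,19,22-25,32, and the Visa test PAN 4111111111111111."""
    bitmap = bytes.fromhex("4E7C278100000000")
    body = (
        "16" + "4111111111111111"  # DE2  LLVAR PAN (test number)
        + "000000012345"           # DE5  settlement amount
        + "000000012345"           # DE6  cardholder billing amount
        + "0521125516"             # DE7  transmission date/time
        + "61000000"               # DE10 billing conversion rate
        + "000123"                 # DE11 STAN
        + "125516"                 # DE12 local time
        + "0521"                   # DE13 local date
        + "1412"                   # DE14 expiry YYMM
        + "840"                    # DE19 acquirer country code
        + "012"                    # DE22 POS entry mode
        + "001"                    # DE23 card sequence number
        + "100"                    # DE24 network international id
        + "00"                     # DE25 POS condition code
        + "06" + "123456"          # DE32 LLVAR acquirer id
    )
    return "0200".encode(EBCDIC) + bitmap + body.encode(EBCDIC)


if __name__ == "__main__":
    print(pan_summary(build_sample_message()))
```

Two checks are worth running before trusting any manual bitmap reading: `decode_bitmap` on a single byte confirms the bit-to-field mapping (for the byte 01110010 it returns [2, 3, 4, 7], since bits 2, 3, 4 and 7 are set when reading MSB first), and the trailing-length check in `parse_message` catches a wrong entry in `FIELD_SPEC`, because one mis-sized element leaves the cursor off the end of the message instead of exactly at it.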

Source: http://blog.spiderlabs.com/
