Jan 02

How to Detect Plaintext Credit Card Numbers from the Traffic

IPS -

The Payment Card Industry (PCI) Data Security Standard (DSS) requires that credit card information held by web stores must be protected. Among other things, the standard requires that credit card numbers must not be transferred unencrypted over public networks, such as the Internet, or over any wireless network (WLAN, GSM, etc.).

I figured that StoneGate IPS would be pretty good at verifying that this requirement is met. Why not create a custom situation in StoneGate IPS that alerts every time it sees a plaintext credit card number on the network?

Wikipedia has a pretty good page describing how credit card numbers are composed. Some obsolete cards may still use 13-digit numbers, but all the major cards in current use have 14, 15 or 16 digits. The first 6 digits are the Issuer Identification Number (IIN) and identify the institution that issued the card. The next seven, eight or nine digits are the account number, and the last digit is a checksum for the card.

The major cards group their digits a little differently. The most common grouping (used by Visa and Mastercard, possibly others too) is four digits + four digits + four digits + four digits. American Express uses four digits + six digits + five digits. Note that the digit groups are a different thing from the boundary between the issuer (IIN) and the account number! The grouping is still worth noticing, however, because it may be used in card numbers while they are in transit over the network.

Thus we can create the fingerprint for the cards:

(?x)
.*[0-9]{14,16}|
.*[0-9]{4}[\-\x20][0-9]{4}[\-\x20][0-9]{4}[\-\x20][0-9]{4}|
.*[0-9]{4}[\-\x20][0-9]{6}[\-\x20][0-9]{5}

The first line switches on “extended readability mode”, which lets us add comments etc. to the fingerprint. One side effect of this is that every literal space character must be written explicitly with the \x20 notation.

The second line searches for digit sequences 14, 15 or 16 digits long.

The third line searches for four four-digit number groups separated by a “-” sign or by a space.

The fourth line searches for three number groups (four digits, followed by six digits, followed by five digits) separated by a “-” sign or by a space.

Note the “|” (OR) sign at the end of the second and third lines. It tells the IPS that the situation is a “match” if any one of lines 2, 3 or 4 matches.
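As an added example (it is not from the original post and not StoneGate's own code), here is the fingerprint above run in Python over a few constructed HTTP-like lines, tied together with the number structure described earlier: the 6-digit IIN, the account number and the check digit. The check digit is computed with the Luhn algorithm, which the post does not name; the bounded extraction pattern CANDIDATE, the luhn_ok, split_pan, mask and scan helpers and the sample lines are all my own. The point is the caveat a practitioner would want: the fingerprint alone fires on any run of 14 to 16 digits (order IDs, tracking numbers), so pairing it with a check-digit test cuts false positives, and an alert should carry only a masked number rather than the full one.

```python
import re

# Fingerprint copied from the post. (?x) switches on extended mode, which
# ignores literal whitespace, so the separator space is written as \x20.
FINGERPRINT = re.compile(
    r"(?x)"
    r".*[0-9]{14,16}|"
    r".*[0-9]{4}[\-\x20][0-9]{4}[\-\x20][0-9]{4}[\-\x20][0-9]{4}|"
    r".*[0-9]{4}[\-\x20][0-9]{6}[\-\x20][0-9]{5}"
)

# Added for this example (not part of the post): the same three shapes, but
# captured and bounded by lookarounds so a candidate can be pulled out and
# checked. The grouped forms come first so they win over the bare-digit form.
CANDIDATE = re.compile(
    r"(?<![0-9])("
    r"[0-9]{4}[\-\x20][0-9]{4}[\-\x20][0-9]{4}[\-\x20][0-9]{4}"
    r"|[0-9]{4}[\-\x20][0-9]{6}[\-\x20][0-9]{5}"
    r"|[0-9]{14,16}"
    r")(?![0-9])"
)


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test: from the right, double every second digit
    (subtract 9 when the result exceeds 9); the digit sum must be a multiple of 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def split_pan(digits: str) -> dict:
    """Split a card number into the 6-digit IIN, the account number and the check digit."""
    return {"iin": digits[:6], "account": digits[6:-1], "check": digits[-1]}


def mask(digits: str) -> str:
    """Keep only the IIN and the last four digits; an alert log should not carry the full number."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan(lines):
    """For each line: did the post's fingerprint fire, and which extracted
    candidates also pass the Luhn check (reported masked)."""
    findings = []
    for n, line in enumerate(lines, 1):
        fires = FINGERPRINT.search(line) is not None
        valid = []
        for m in CANDIDATE.finditer(line):
            digits = re.sub(r"[-\x20]", "", m.group(1))
            if luhn_ok(digits):
                valid.append(mask(digits))
        findings.append({"line": n, "fingerprint": fires, "luhn_valid": valid})
    return findings


# Constructed sample lines, not captured traffic. The card numbers are the
# widely published Visa and American Express test numbers.
SAMPLE_TRAFFIC = [
    "GET /checkout HTTP/1.1",                                   # nothing card-like
    "POST /pay card=4111111111111111&exp=1227 HTTP/1.1",        # Luhn-valid, plain 16 digits
    "Your card 4111-1111-1111-1111 was charged",                # same number, grouped 4-4-4-4
    "Your card 3782 822463 10005 was charged",                  # Luhn-valid Amex, grouped 4-6-5
    "order_id=1234567890123456 status=shipped",                 # 16 digits, fails Luhn
    "tracking=12345678901234567890",                            # 20-digit run: fingerprint fires anyway
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_TRAFFIC):
        print(finding)
```

Running it shows the fingerprint firing on five of the six lines while only three carry a number that survives the check-digit test; the 20-digit tracking number also demonstrates that `[0-9]{14,16}` matches inside any longer digit run, which the bounded CANDIDATE pattern deliberately refuses.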

The context for the new fingerprint depends on where you want to test it. If you want to ensure that the web application itself does not accept card input over plaintext HTTP, add the fingerprint to the “HTTP Normalized Request-Line” context. If you want to detect the web server showing card information back to the client in plaintext, add the fingerprint to the “HTTP Server Stream” context.

Other possibly interesting contexts would be “FTP Download Stream” and “FTP Upload Stream”, to detect card numbers transferred within FTP data connections.

The PCI standard:
https://www.pcisecuritystandards.org/security_standards/pci_dss_download.html

Wikipedia Credit Card numbers:
http://en.wikipedia.org/wiki/Credit_card_numbers

written by joona