How safe are your financial transactions? If you’ve ever wondered how banks keep your credit card information secure, you’re not alone. Among various safeguards, financial institutions are bound by stringent rules to secure sensitive data, and one of the key measures they must adhere to is PCI (Payment Card Industry) compliance.
While there are several components to PCI compliance, the aspect I usually find myself testing, and then attempting to abuse, is network segmentation: the requirement that banks keep your credit card data separate from the internet.
In practice this means that you cannot go directly from the internet, or even from most parts of the bank’s internal network, to the mainframe or wherever customers’ credit card data is stored.
Banks very regularly pass this part of the compliance test, mostly because they never adjust their network topology from the last time it was tested; yet almost all of them fail if you simply add a physical component to the test.
Since institutions that deal with credit cards are so common, and these tests so numerous, I thought it would be worth going over my take on them and why focusing only on the cyber threat is a mistake.
Understanding PCI Compliance and Network Segmentation
PCI compliance is a set of security standards designed to protect credit card information during and after a financial transaction. One crucial element of these standards is network segmentation, which involves dividing a network into smaller, isolated segments to limit access to sensitive data. By keeping critical systems, such as those handling credit card data, separate from less secure parts of the network, banks can significantly reduce the risk of a data breach.
As someone frequently called upon to assess network segmentation for financial institutions, I’ve seen firsthand how well these measures can work. In most cases, when I’m tasked with performing the segmentation test, it's almost like handing out a gold star. Many banks haven't changed their network topology since the last assessment, and their segmentation is still robust and effective. This makes perfect sense: given that they have to perform these tests regularly, why would they change anything?
Network segmentation is of course set up so that an attacker cannot go directly from the internet, or from most parts of the bank’s internal network, to the mainframe and steal customer data. This protection makes a lot of sense for avoiding catastrophic breaches caused by a security misconfiguration or some new zero-day exploit.
That said, there are still some really obvious vulnerabilities that most banks are either unaware of or simply avoid thinking about and acknowledging, because they can be difficult to fix and even harder to maintain.
The Physical Security Gap: A Breach Waiting to Happen
The issue arises when you add a physical security component to these tests. Most banks—and other institutions—tend to overlook this aspect. The truth is, it usually isn't too difficult to physically breach a bank, identify which employee has access to the mainframe or PCI data, and compromise their workstation. This breach method effectively bypasses the carefully segmented network, rendering all those digital safeguards almost useless.
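To make the scoping point concrete, here is an added example (not from the original post) that models segmentation as a reachability check over a constructed, hypothetical set of firewall-permitted flows. Run from the usual starting points (internet, general corporate users) the cardholder data environment is unreachable and the test passes; adding the zone an intruder lands in after compromising a workstation that legitimately reaches the mainframe exposes the path the logical test never looks for.

```python
from collections import deque

# Constructed, hypothetical topology: (source_zone, destination_zone, port).
# Only flows listed here are permitted by the firewalls between zones.
ALLOWED_FLOWS = [
    ("internet", "dmz_web", 443),
    ("dmz_web", "app_tier", 8443),
    ("app_tier", "db_tier", 5432),
    ("corp_users", "app_tier", 8443),
    ("corp_users", "email", 443),
    ("cde_admins", "mainframe", 23),   # the ops team's workstations must reach the CDE
    ("cde_admins", "email", 443),
]

# Zones holding cardholder data (the PCI scope the segmentation must protect).
CDE_ZONES = {"mainframe"}


def reachable_zones(start, flows):
    """Breadth-first search over zones, following only permitted flows."""
    adjacency = {}
    for src, dst, _port in flows:
        adjacency.setdefault(src, set()).add(dst)
    seen, queue = {start}, deque([start])
    while queue:
        zone = queue.popleft()
        for nxt in adjacency.get(zone, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def segmentation_findings(start_zones, flows, cde=CDE_ZONES):
    """Map each starting zone to the CDE zones it can reach; empty means the test passes."""
    findings = {}
    for start in start_zones:
        hit = reachable_zones(start, flows) & cde
        if hit:
            findings[start] = hit
    return findings


# Standard logical test: start from the internet and the general user network.
LOGICAL_SCOPE = ["internet", "corp_users"]
# Physical test: add the zone reached by compromising a targeted admin workstation.
PHYSICAL_SCOPE = LOGICAL_SCOPE + ["cde_admins"]

if __name__ == "__main__":
    print(segmentation_findings(LOGICAL_SCOPE, ALLOWED_FLOWS))   # {}
    print(segmentation_findings(PHYSICAL_SCOPE, ALLOWED_FLOWS))  # {'cde_admins': {'mainframe'}}
```

The defensive takeaway is that any workstation zone with a permitted flow into the CDE belongs in the segmentation test's starting set, and its physical and endpoint controls become part of the PCI boundary.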
Let’s put ourselves into the mind of a black team, and I will walk you through how this might go. Suppose your team has been hired to provide proof of concept that it is possible for attackers with physical access to get onto either the mainframe or the network at a location from which PCI data can be reached.
Start with OSINT
While the network is segmented, someone, even within the bank itself, has to be in contact with and have access to the mainframe. So rather than simply walking through the building plugging your laptop or bug into every workstation and port, let’s begin before we have ever approached the building and try to locate the employee(s) who are likely in direct communication with this sensitive area.
Checking places like LinkedIn is a great way to find employees who list relevant skillsets, or even boast about what they do on an average day. Looking at their job titles, listed experience, etc. is often an easy way to find which employees are likely to be our prime targets once inside the building.
Very often these employees work as a team, so if you find one of their workstations inside the bank, everyone around them, or at least a few, will likely have the same level of access and can also provide the connections you’re looking for.
Normally, someone experienced with OSINT can even discover the members of their team, what systems and methods they often use for communication, which office they work at, etc. I have in the past even managed to find pictures on social media that they took from their office, which told me exactly which desk in the building, and on what floor, was theirs.
Breaching The Bank
Subscribe to Covert Access Team to keep reading this post and get 7 days of free access to the full post archives.