CONFidence

Adrian Pastor

Title: A pentester’s guide to credit card theft techniques

Bio:
Adrian “pagvac” Pastor, BSc (Hons) Computer-aided Engineering, has been part of the IT security industry for several years and from an early age has been involved with the whitehat hacker scene as a hobbyist. He has authored several papers and numerous vulnerability advisories, and has spoken at events such as HITBSecConf Dubai, HITBSecConf Kuala Lumpur, CONFidence Krakow and Hack.lu. Adrian is perhaps best known for finding critical vulnerabilities in the BT Home Hub, the most popular Wi-Fi home/SOHO router in the UK.

Adrian’s work has been featured in established media outlets such as BBC Radio 1, The Washington Post, Wired, Slashdot, PC Pro, The Register, PC World, CNET and many others. He currently works as a principal security consultant at Corsaire Ltd and also performs independent security research during his free time via the GNUCITIZEN information security think tank.

Abstract:
You are a security geek who specializes in pentesting, but somehow during your career you’ve had to deal with PCI DSS. Yes, PCI DSS can be very boring; I feel your pain! Pentesters usually don’t like standards because they understand that there is only so much a standard can do to help organizations protect their information assets. On top of that, pentesters usually like to experiment, which goes against the principle of boring audit checklists.

In this presentation, we will cover PCI DSS and credit card security from a (hopefully) fun perspective, with a focus on credit card theft techniques. How are merchants and service providers being compromised? How about us consumers? What loopholes currently exist in the PCI DSS standards which still allow unsophisticated attackers to compromise credit card data?

This presentation is _not_ brought to you by a PCI DSS expert, but rather by a frustrated pentester who will attempt to show you that PCI DSS and credit card security in general can be a fun topic! Knowledge gained from performing pentests and from working with QSAs who have assessed compromised data centers will be shared.