Visa Europe revealed important stats about the usage of Contactless Cards. Poland, Spain and the UK use this payment methd the most, with UK usage growing by 300% year over year.
Here we are back on the POODLE vulnerability (Padding Oracle On Downgraded Legacy Encryption). Everybody thought that the problem was solved, but that’s not the case. Our advice is still valid but it’s now becoming more and more urgent to take additional security measures.
If you are running a business that involves handling cardholder data (CHD), keep an eye on the PCI DSS requirement 4.1, which states that organisations must:
“Use strong cryptography and security protocols (for example, SSL/TLS, IPSEC, SSH, etc.) to safeguard sensitive cardholder data during transmission over open, public networks.”
If the server supports weak cryptography and protocols, CHD is at risk together with your compliance, potentially causing serious consequences for your business and reputation.
The urge to stop using Secure Socket Layer version 3.0 for all the organisations that handle customer information and CHD is growing. The NIST publication 800-52r1, which has not been updated recently, already stated that Secure Socket Layer version 3.0 should not be used and recommended the move to TLS 1.2 by January 2015.
Responding to this vulnerability, Mozilla has already stopped supporting SSL version 3.0 and their new release doesn’t support it anymore.
Microsoft has issued instructions and are working on a solution. Google Chrome will no longer support Secure Socket Layer version 3.0 from the next release as announced already when the vulnerability was discovered last October.
As said already, disabling Secure Sockets Layer version 3.0 support on your server will prevent individuals using vulnerable browsers from being exposed. However, there is a new problem announced relating to the implementation of Transport Layer Security 1.2. The lack of formatting for padding gave rise to the original attack and it has now been discovered that some implementations, such as those used within the F5 Load Balancers, do not check the padding structure following decryption and are also vulnerable to a variant of the original attack.
PCI DSS requirement 6.1 requires organisations to ensure that vendor supplied security patches are applied to protect all system components and software from known vulnerabilities, so you should look to apply patches as shortly after release from the vendors.
“Establish a process to identify security vulnerabilities, by using reputable outside sources for security vulnerability information, and assign a risk ranking (for example, as 'high,' 'medium,' or 'low') to newly discovered security vulnerabilities.”
Advantio recommends that organisations who process CardHolder Data, disable the use of old certificates as soon as possible. Then check with vendors to ensure that the implementation of Transport Layer Security 1.2 is not vulnerable and validate the padding format.
Are you a cardholder and you want to protect yourself?
Here a short guide on how to solve the problem in the most commonly used browsers. Make sure you do this if you’re using a browser that still allows SSL version 3.0 or older and TLS version 1.1 or older:
Google Chrome (for Windows users)
While waiting for the next release of Google Chrome, you can protect yourself by using a simple solution, as it follows:
Apple has released a series of patches that you can download and install on your own. Follow this link to find out more about how to protect your Safari browser.
I am the Founder of Advantio.
Technology has been my passion since I was a kid; when I first heard the handshake of an old 300bps modem I realised security would be key in an interconnected world. Since then it has become my passion and primary focus.
The reason why I've started my own business is to make IT Security simple.
Certifications: CISSP / CCSA (Checkpoint) / ITIL Foundations / ACSA (ArcSight)/ Linux+/ PCI-QSA / PA-QSA