Detecting Card Numbers
The Payment Card Industry Data Security Standard (PCI DSS for short) requires that card numbers are not transmitted insecurely and are not displayed unmasked to most users. A network monitoring system such as an IDS or an IPS seems like a natural way to enforce this and to ensure that such information is not sent over a network in violation of the standard, but a closer examination shows that a correct implementation is far from trivial. Network vulnerability tests also help to detect whether any sensitive information is present in the environment.
This write-up discusses several aspects of implementing a network monitoring system and network vulnerability tests to detect leakage of card numbers:
• Matching a card number sequence
• Handling false positives using exceptions
• Additional considerations, including evasion, logging, performance and other sensitive patterns.
1. Using Snort to Detect Clear Text Card Numbers
Snort IDS can be used to detect sensitive information in clear text on our networks. We will look at some Snort rules designed to detect clear text card numbers.
Let’s take a look at the formats of four major card brands.
Credit Card Number Formats
The Visa card format is 16 digits long and starts with a “4”. Examples include:
• 4xxx-xxxx-xxxx-xxxx
• 4xxx xxxx xxxx xxxx
• 4xxxxxxxxxxxxxxx
The MasterCard format is 16 digits long and starts with a “5”. Examples include:
• 5xxx-xxxx-xxxx-xxxx
• 5xxx xxxx xxxx xxxx
• 5xxxxxxxxxxxxxxx
The Discover card format is 16 digits long and starts with “6011”. Examples include:
• 6011-xxxx-xxxx-xxxx
• 6011 xxxx xxxx xxxx
• 6011xxxxxxxxxxxx
The American Express card format is 15 digits long and starts with a “3”. Examples include:
• 3xxx-xxxxxx-xxxxx
• 3xxx xxxxxx xxxxx
• 3xxxxxxxxxxxxxx
Snort Rules
Building Snort Rules for Credit Card Detection
A Visa number is a 16-digit number starting with a “4”, where the number may have a space, a dash, or nothing between every four digits. The following PCRE (Perl Compatible Regular Expressions) expression matches it:
4\d{3}(\s|-)?\d{4}(\s|-)?\d{4}(\s|-)?\d{4}
For our clear text Visa card rule, we use the Snort PCRE rule option combined with the “content”, “nocase”, “sid” and “rev” rule options.
Our final Snort rule will look like:
alert tcp any any <> any any (pcre:"/4\d{3}(\s|-)?\d{4}(\s|-)?\d{4}(\s|-)?\d{4}/"; msg:"VISA card number detected in clear text"; content:"visa"; nocase; sid:9000000; rev:1;)
This rule will detect any TCP traffic on any port that has the string “Visa” (matched without regard to case) and a correctly formatted Visa card number. The “sid” option assigns the rule a Snort ID number that uniquely identifies it. You can use www.snortid.com to look up rule IDs that are being used by Snort.
Now that we have our Visa card rule built, we can easily build the other credit card rules as follows:
MasterCard
PCRE: 5\d{3}(\s|-)?\d{4}(\s|-)?\d{4}(\s|-)?\d{4}
Snort rule: alert tcp any any <> any any (pcre:"/5\d{3}(\s|-)?\d{4}(\s|-)?\d{4}(\s|-)?\d{4}/"; msg:"MasterCard number detected in clear text"; content:"mastercard"; nocase; sid:9000001; rev:1;)
Discover Card
PCRE: 6011(\s|-)?\d{4}(\s|-)?\d{4}(\s|-)?\d{4}
Snort rule: alert tcp any any <> any any (pcre:"/6011(\s|-)?\d{4}(\s|-)?\d{4}(\s|-)?\d{4}/"; msg:"Discover card number detected in clear text"; content:"discover"; nocase; sid:9000002; rev:1;)
American Express Card
PCRE: 3\d{3}(\s|-)?\d{6}(\s|-)?\d{5}
Snort rule: alert tcp any any <> any any (pcre:"/3\d{3}(\s|-)?\d{6}(\s|-)?\d{5}/"; msg:"American Express card number in clear text"; content:"amex"; nocase; sid:9000003; rev:1;)
Now that we have our credit card rules built, we can add them to our rule set for Snort to use.
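The following added example (not part of the original write-up, and not Snort code) emulates the matching logic of the four rules in Python so it can be tried on constructed payloads before deployment. The Luhn checksum filter, the function names and the sample payloads are assumptions introduced here; the Luhn filter shows one way to reduce the false positives these patterns produce on ordinary 16-digit identifiers.

```python
import re

# Brand keyword (Snort "content" + "nocase") and PCRE, copied from the rules above.
RULES = {
    9000000: ("visa", r"4\d{3}(\s|-)?\d{4}(\s|-)?\d{4}(\s|-)?\d{4}"),
    9000001: ("mastercard", r"5\d{3}(\s|-)?\d{4}(\s|-)?\d{4}(\s|-)?\d{4}"),
    9000002: ("discover", r"6011(\s|-)?\d{4}(\s|-)?\d{4}(\s|-)?\d{4}"),
    9000003: ("amex", r"3\d{3}(\s|-)?\d{6}(\s|-)?\d{5}"),
}

def luhn_ok(candidate: str) -> bool:
    """Luhn checksum over the digits; an added filter, not part of the rules."""
    digits = [int(c) for c in candidate if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def fired_sids(payload: str, require_luhn: bool = False) -> list[int]:
    """Return the sids whose content keyword and pcre both match the payload."""
    hits = []
    for sid, (keyword, pattern) in RULES.items():
        if keyword not in payload.lower():
            continue  # content:"..."; nocase; did not match
        matches = [m.group(0) for m in re.finditer(pattern, payload)]
        if require_luhn:
            matches = [m for m in matches if luhn_ok(m)]
        if matches:
            hits.append(sid)
    return hits

# Constructed payloads; 4111 1111 1111 1111 is a widely published test number.
SAMPLES = {
    "card": "POST /pay brand=Visa&pan=4111-1111-1111-1111",
    "no_keyword": "pan=4111111111111111",
    "order_id": "visa checkout, order 4000123412341235 shipped",
}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(name, fired_sids(payload), fired_sids(payload, require_luhn=True))
```

The "no_keyword" payload shows that a card number sent without the brand name does not trigger any of the rules, and the "order_id" payload shows a non-card number that does.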
2. Detecting credit card numbers with Nessus
Tenable Network Security has released a new Nessus plugin named “Windows File Contents Check” (plugin ID #24760). It is available in the Nessus Professional Feed and has the ability to find a wide variety of sensitive data at rest on Windows computers.
How does it work?
The current check supports credentialed scans of a Windows server. Like all Nessus credentialed scans, it does not require an agent but it does require an account that has login credentials and the ability to read the disk. A domain administrator account can be used to perform these checks.
Each scan is given one or more “.audit” files that have the same type of format and structure as Nessus’s compliance checks. Below is an example of a .audit policy to search for American Express credit card numbers:
<check_type:"WindowsFiles">
<item>
type: FILE_CONTENT_CHECK
description: "Determine if a file contains a valid American Express Card Number"
file_extension: "xls" | "pdf"
regex: "([^0-9-]|^)(3(4[0-9]{2}|7[0-9]{2})( |-|)[0-9]{6}( |-|)[0-9]{5})([^0-9-]|$)"
expect: "American Express" | "CCAX" | "amex" | "credit"
max_size : "50K"
only_show : "4"
</item>
</check_type>
Rather than making your audit results something your “sensitive” data controls have to cover, all of the audits performed by Nessus can limit the amount of data that is displayed. The “only_show” keyword in the audit file will display the last “N” bytes of data.
For example, if an example credit card of “1122-3344-5566-7788” was found, it would only display “XXXXXXXXXXXXXXX7788”.
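The following added example (not Nessus code and not from the original write-up) emulates the audit item above in Python to show what the boundary groups in the regex and the “only_show” masking do. It assumes that an “expect” string must be present for a match to be reported, that “expect” is compared case-sensitively, and that “max_size” limits the search to the first 50K of the file; the function names and sample strings are constructed for illustration.

```python
import re

# Values copied from the .audit item above.
REGEX = re.compile(
    r"([^0-9-]|^)(3(4[0-9]{2}|7[0-9]{2})( |-|)[0-9]{6}( |-|)[0-9]{5})([^0-9-]|$)"
)
EXPECT = ("American Express", "CCAX", "amex", "credit")
MAX_SIZE = 50 * 1024  # max_size : "50K"
ONLY_SHOW = 4         # only_show : "4"

def mask(value: str, keep: int = ONLY_SHOW) -> str:
    """Replace everything except the last `keep` characters with X."""
    return "X" * (len(value) - keep) + value[-keep:]

def check_content(text: str) -> list[str]:
    """Return masked matches, or [] when no expect string is present."""
    head = text[:MAX_SIZE]  # assumption: only the first 50K is examined
    if not any(word in head for word in EXPECT):
        return []
    # Group 2 is the card number without the boundary characters around it.
    return [mask(m.group(2)) for m in REGEX.finditer(head)]

# Constructed file contents; 3782 822463 10005 is a widely published test number.
SAMPLES = {
    "hit": "Customer amex card: 3782-822463-10005\n",
    "inside_longer_number": "credit ref 9937828224631000512",
    "no_expect_word": "ref 378282246310005",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, check_content(text))
    print(mask("1122-3344-5566-7788"))
```

The "inside_longer_number" sample contains the same 15 digits but is rejected because the leading `([^0-9-]|^)` group requires a non-digit before the number.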