SAP, Credit Cards and the Bird that Talks Too Much PDF Free Download

Name: SAP, Credit Cards and the Bird that Talks Too Much PDF
Author: DecisionPanda

1 / 43

0 views•43 pages

SAP, Credit Cards and the Bird that Talks Too Much PDF Free Download

SAP, Credit Cards and the Bird that Talks Too Much PDF free Download. Think more deeply and widely.

!"#$%&'()*+%&,')-%,.)%+/(%0*')%+/,+%1,23-%144%567/

8'+6.9,%"'-,2

SAP, Credit Cards and the Bird that Talks Too Much Ertunga Arsal - BlackHat USA 2014

"9(.),

‣06-*.(--%#'47(--(-%

‣!"#%!:-+(;-%

‣8<=24*+%>(;4%

‣?!"#%&'()*+%&,')-%,.)%0*')-@%

‣8<+('.,2%#,:;(.+%!426A4.-%4.%!"#%

‣B4C%+4%!+,:%!(76'(%

‣"D46+%E-

SAP, Credit Cards and the Bird that Talks Too Much Ertunga Arsal - BlackHat USA 2014

H,.+%+4%3.4C%%

/4C%+/*-%/,==(.()I

#,'+%K%L%1/(%06-*.(--%#'47(--(-

1/(%0,739'46.)

SAP, Credit Cards and the Bird that Talks Too Much Ertunga Arsal - BlackHat USA 2014

!"#M%1/(%>4;*.,A.9%!:-+(;

‣!"#%8N#%*-%='(O:%;67/%+/(%

)4;*.,A.9%-:-+(;%C/*7/%

+',.-2,+(-%+/(%D6-*.(--%='47(--(-%

+4%+/(%)*9*+,2%C4'2)%%

‣&4P('-%,2;4-+%,22%,-=(7+-%4Q%

D6-*.(--%

‣"224C-%(<+(.-*P(%76-+4;*R,A4.-%

‣!"#%*-%+/(%74'(%4Q%;,S4'%D6-*.(--(-%

SAP, Credit Cards and the Bird that Talks Too Much Ertunga Arsal - BlackHat USA 2014

"O,73*.9%+/(%&4'(

‣!"#%-:-+(;-%,'(%74;=2(<%-:-+(;-%

‣U6;('46-%74;=4.(.+-%

‣N,'(2:%/,')(.()%%

‣V4'%='4=('2:%=,+7/()%

‣K+%)4(-%.4+%-+4=%+/('(V%%

–!"#%,==2*7,A4.-%74.+,*.%J')%=,'+:%"0"#%,))L4.-

SAP, Credit Cards and the Bird that Talks Too Much Ertunga Arsal - BlackHat USA 2014

"O,73%X(7+4'-

SAP, Credit Cards and the Bird that Talks Too Much Ertunga Arsal - BlackHat USA 2014

B4C%7,.%*+%D(%,O,73()I

8<,;=2(M%0"!K!%&4;=4.(.+-

‣Z8!U&LG[\JL[[J]%N(;4+(%^!%&4;;,.)%8<(76A4.%*.%!"#%0"!K!%

&4;;6.*7,A4.%!('P*7(-%

–"224C-%^!%74;;,.)%(<(76A4.$%C*+/%+/(%'*9/+-%4Q%+/(%!"#%,==2*7,A4.%-('P('%

–H(%'(=4'+()%+/*-%*.%G[\\$%*+%94+%=,+7/()%*.%G[\J%Z!"#%U4+(%\WY_\JG]%%

–!"#`-%&XX!%PG%D,-(%-74'(%Q4'%+/*-%P62.(',D*2*+:%*-%6.0$(Medium$Risk)$

‣H(%C('(%,D2(%+4%D:=,--%+/(%=,+7/`-%='4+(7A4.%

–!(74.)%=,+7/%7,;(%,%746=2(%4Q%;4.+/-%2,+('%Z!"#%U4+(%\aGW\WG]%

–1/*-%A;(%&X!!%PG%-74'(%*-M%7.5$(High$Risk)%

‣!,;(%P62.(',D*2*+:%/*9/('%&X!!%-74'(%

SAP, Credit Cards and the Bird that Talks Too Much Ertunga Arsal - BlackHat USA 2014

B4C%7,.%*+%D(%,O,73()I

J')%#,'+:%&4;=4.(.+-

‣Z8!U&LG[\JL[[_]%N(;4+(%

"0"#%&4)(%K.S(7A4.%*.%

^=(.1(<+bKc^!%8&5%Q4'%!"#%

U(+H(,P('%

–H*)(2:%6-()%J')%=,'+:%74;=4.(.+%Q4'%

,'7/*P*.9%,.)%)476;(.+%;,.,9(;(.+d%

–X62.(',D*2*+:%,224C-%*.S(7A.9%"0"#%

74)(%+4%+/(%!"#%-:-+(;d

8<=24*+%>(;4

0(74;*.9%,.%,);*.%6-('%4.%+/(%!"#%-:-+(;

SAP, Credit Cards and the Bird that Talks Too Much Ertunga Arsal - BlackHat USA 2014

H/,+%*-%,%06-*.(--%#'47(--I

‣&422(7A4.%4Q%'(2,+()%,7AP*A(-%+/,+%='4)67(%,%-=(7*f7%-('P*7(%4'%='4)67+%

Q4'%76-+4;('-%

‣0(9*.-%C*+/%,%76-+4;('`-%.(()%,.)%(.)-%C*+/%,%76-+4;('`-%.(()%

Q62f22;(.+d%

‣&4;;4.2:%)4.(%6-*.9%!"#%-:-+(;-

F\\

Famous Example: The pin factory by Adam Smith

SAP, Credit Cards and the Bird that Talks Too Much Ertunga Arsal - BlackHat USA 2014

8<,;=2(M%"O,73*.9%+/(%06-*.(--%#'47(--(-%

g*.)*.9%h%8<=24*A.9%X(.)4'-%C/*7/%8<=(7+%54.(:

‣1/(%,O,73('%7462)%)*'(7+2:%94%+4%P(.)4'%=,:;(.+%/*-+4':%Q4'%

)(+(';*.*.9%+/(%+,'9(+%D,.3%,7746.+-%4Q%P(.)4'-d%

F\G

SAP, Credit Cards and the Bird that Talks Too Much Ertunga Arsal - BlackHat USA 2014

>(+(';*.*.9%X*7A;%0,.3%"7746.+-

‣"O,73('%7,.%f2+('%46+%6.*.+('(-A.9%,7746.+-%,.)%Q476-%4.%4.(-%C/('(%

+/(%P*7A;%74;=,.:%C*22%+',.-Q('%;4'(%+/,.%\[d[[[%8EN

F\J

SAP, Credit Cards and the Bird that Talks Too Much Ertunga Arsal - BlackHat USA 2014

>(+(';*.*.9%X*7A;%0,.3%"7746.+-

‣"O,73('%7,.%=*73%+/(%2,'9(-+%-6;%

C/*7/%C*22%D(%=,*)%%

‣"O,73('%7,.%,2-4%7/(73%C/(.%+/(%

+',.-Q('%C*22%D(%)4.(%

‣U4C%4.2:%4.(%-+(=%*-%2(i%Q4'%+/(%

'(-62+%

–N(=2,7*.9%+/(%D,.3%,7746.+%4Q%+/(%X(.)4'%

C*+/%+/(%,O,73('`-%D,.3%,7746.+

F\_

SAP, Credit Cards and the Bird that Talks Too Much Ertunga Arsal - BlackHat USA 2014

&/,.9*.9%+/(%0,.3%"7746.+-

‣"O,73('%'6.-%+/(%+',.-,7A4.%FK02%,.)%-(,'7/(-%P*7A;%P(.)4'%

‣"O,73('%'(=2,7(-%+/(%,7746.+%.6;D('%4Q%+/(%P(.)4'%C*+/%(P*2%4.(%

‣H/(.%+/(%=,:;(.+%A;(%74;(-$%-6;%*-%+',.-Q(''()%+4%+/(%,O,73('`-%,7746.+

F\T

SAP, Credit Cards and the Bird that Talks Too Much Ertunga Arsal - BlackHat USA 2014

8.)%4Q%&/,=+('%K

‣g4'%+/(%-(74.)%=,'+%4Q%+/(%='(-(.+,A4.$%C(%,--6;(%+/,+%+/(%,O,73('%

/,-%-6j7*(.+%,6+/4'*R,A4.-%Q4'%(<(76A.9%,.:%,7A4.%;(.A4.()%2,+('d%

–0:%(<=24*A.9%P62.(',D*2*A(-%

–&4226-*4.%

–8<*-A.9%'*9/+-%%

‣!4$%-:-+(;%*-%74;='4;*-()d%06+%C/('(%(2-(%7,.%+/(%,O,73('%94%Q'4;%

+/('(I%%

‣0(Q4'(%+/,+$%2(+`-%+,23%,D46+%7'()*+%7,')-%,.)%+/(%D*')-V

F\W

#,'+%KK%L%!"#%&'()*+%&,')-%,.)%0*')-

&'()*+%&,')%#'47(--*.9%4.%!"#

SAP, Credit Cards and the Bird that Talks Too Much Ertunga Arsal - BlackHat USA 2014

&'()*+%&,')%#'47(--*.9%4.%!"#

‣!,2(-%,.)%>*-+'*D6A4.%k!>l%,.)%;,.:%!"#%;4)62(-%6A2*R(%=,:;(.+%7,')%='47(--*.9%

–&6-+4;('%4')('-%

–N(+,*2%=4*.+%4Q%-,2(%k#^!l%

–g*.,.7*,2%,7746.A.9%

–K.+('.(+%74;;('7(%

–BN%L%+',P(2%(<=(.-(-%

‣1/(%7,')/42)('%),+,%=,--(-%+/'469/%!"#%-:-+(;%,.)%*+%*-%-+4'()%4.%+/(%-:-+(;%4.%

;,.:%477,-*4.-%

–>,+,%+,D2(-%

–&/,.9(%)476;(.+-%

–1',.-,7A4.%249-%

–>0%249-%

‣^.2:%Q(C%(<+('.,2%-426A4.-%6-(%+43(.*R*.9%,.)%,.)%(<+('.,2%=4'+,2-$%46+-*)(%!"#

F\a

SAP, Credit Cards and the Bird that Talks Too Much Ertunga Arsal - BlackHat USA 2014

&'()*+%&,')%>,+,

>0%1,D2(-

‣>6'*.9%46'%'(-(,'7/$%C(%Q46.)%;4'(%+/,.%T[%!"#%),+,D,-(%+,D2(-%

C/*7/%74.+,*.%(d9d%7'()*+%7,')%.6;D('-%%

‣1/(%6-()%+,D2(-%)*m('%D,-()%4.%C/*7/%;4)62(-%,.)%Q6.7A4.,2*A(-%

,'(%6-()b,7AP,+()%4.%+/(%76-+4;('%%

‣!4;(%74;;4.%!"#%+,D2(-%,'(M

F\e

FPLTC

#,:;(.+%7,')-M%1',.-,7A4.%),+,%L%!>

BSEGC

>476;(.+%L%>,+,%4.%#,:;(.+%&,')%#,:;(.+-

VCKUN

"--*9.%76-+4;('L7'()*+%7,')

VCNUM

&'()*+%7,')%;,-+('

Pa0105$(Subtype$0011)

BN%5,-+('%N(74')M%K.Q4+:=(%[[\\%k8<+d0,.3%1',.-Q('-l

PCA_SECURITY_RAW

&,')%5,-+('M%8.7':=A4.

CCSEC_ENC,$CCSEC_ENCV

8.7':=+()%#,:;(.+%&,')%>,+,

CCARDEC

8.7':=+()%#,:;(.+%&,')%>,+,

/PMPAY/PENCRP

#,:;(+'*7%n%8.7':=+()%#,:;(+'*7%&,')%>,+,%kQ4'%4o*.(%6-,9($%.4C%4D-42(+(l

SAP, Credit Cards and the Bird that Talks Too Much Ertunga Arsal - BlackHat USA 2014

"77(--*.9%&2(,'+(<+%&,')/42)('%K.Q4';,A4.

N(7*=(

‣1:=(%!8\W%,+%+/(%74;;,.)%D,'%4Q%

!"#pEK%,i('%:46%2494.$%/*+%8.+('d%

–1:=(%+/(%+,D2(%C/*7/%:46%C,.+%+4%)*-=2,:%,.)%

='(--%8.+('d%%

•8d9d%FPLTC%

‣8.+('%:46'%7'*+('*,%k(;=+:%qq%,22l%

‣&4=:%=,-+(%+/(%),+,%,-%)(-*'()%+4%:46'%

Q,P4'*+(%#,-+(0*.

FG[

SAP, Credit Cards and the Bird that Talks Too Much Ertunga Arsal - BlackHat USA 2014

"77(--*.9%&2(,'+(<+%&,')/42)('%K.Q4';,A4.

E-*.9%N(;4+(%g6.7A4.%&,22-

‣Ng&%kN(;4+(%g6.7A4.%&,22l%='4+4742%7,.%D(%6A2*R()%

‣!^"#LNg&%4P('%B11#%,224C-%K.+('.(+%D,-()%,77(--%+4%Ng&%Q6.7A4.,2*+:d%

‣RFC_READ_TABLE%Q6.7A4.%,224C-%9(.('*7%,77(--%+4%74.+(.+-%4Q%+/(%

+,D2(-%

‣!,=-673('%7462)%D(%6-()%Q4'%*+I

FG\

-46'7(M%H*3*=()*,

SAP, Credit Cards and the Bird that Talks Too Much Ertunga Arsal - BlackHat USA 2014

g'((%1442I%L%!,=-673('

‣U,;()%,i('%+/(%Q,;46-%D*')%

‣"224C-%(,-:%,77(--%+4%!"#%+,D2(-%P*,%

Ng&%,.)%B11#k-l%='4+4742-%

‣"224C-%'(6-*.9%c!!()%!"#%2494.%

7443*(-%Q4'%Ng&%74..(7A4.-%

‣!U&%k!(76'(%.(+C4'3%

74;;6.*7,A4.-l%-6==4'+()%

‣!"#%'46+('%-6==4'+()%

‣8,-*2:%(<+',7+%,.)%f2+('%-(.-*AP(%),+,

FGG

SAP, Credit Cards and the Bird that Talks Too Much Ertunga Arsal - BlackHat USA 2014

>(7':=A.9%8.7':=+()%&'()*+%&,')%U6;D('-

‣>6(%+4%#&KL>!!%'(r6*'(;(.+-$%7,')/42)('%

),+,%;6-+%D(%(.7':=+()d%%

–1,D2(-%(d9d%PCA_SECURITY_RAW$%CCSEC_ENC$%

CCSEC_ENCV$%CCARDEC$%/PMPAY/PENCRP%

74.+,*.%(.7':=+()%),+,%k*Q%(.7':=A4.%*-%(.,D2()l%%

‣#'49',;%RS_REPAIR_SOURCE%-=,C.-%

,%74)(%()*+4'%

–".%,O,73('%7462)%6-(%*+%+4%+:=(%;,2*7*46-%"0"#%74)($%

(P(.%4.%='4)67A4.%-:-+(;-

FGJ

SAP, Credit Cards and the Bird that Talks Too Much Ertunga Arsal - BlackHat USA 2014

"'(%C(%+/(%4.2:%4.(-I

‣1/(%),+,%7,.%D(%)(7':=+()%P*,%

Q6.7A4.%;4)62(-%

CCARD_DEVELOPE%4'%%

CCSECA_CCNUM_DECRYPTION%

–+/(%Ng&%/PMPAY/P_ENCRYP_RFC%4'%

XIPAY_E4_CRYPTO%Q4'%#,:;(+'*7%

‣#(4=2(%,'(%,2'(,):%)4*.9%+/*-s%

–,.)%+/(:%,'(%-/,'*.9%+/(*'%(<=('*(.7(-

FG_

8<+('.,2%#,:;(.+%!426A4.-%4.%!"#

SAP, Credit Cards and the Bird that Talks Too Much Ertunga Arsal - BlackHat USA 2014

8<+('.,2%X(.)4'-%Q4'%#,:;(.+%!426A4.-

‣K+%*-%74;;4.%+4%-((%(<+('.,2%-426A4.-%Q4'%-(76'*.9%&&%

),+,%%

–#,:;(+'*7%c*#,:Lc*!(76'(%k7442%+43(.*R*.9%-+6ml%,.)%4+/('-%-67/%,-%

p5"#,:$%#,:2*.c$%>(2(94!(76'($%#'*.7(+4.%&,')&4..(7+%+4%.,;(%,%

Q(CV%

‣!(76'(%k,--6;*.9l%=,:;(.+%-426A4.%t%*.-(76'(%!"#%

-:-+(;%(r6,2-%+4%I%

‣54-+%74;;4.%-426A4.-%6-(%?'(9*-+('()%Ng&%-('P('-@%

Q4'%!"#%74..(7AP*+:

FGW

SAP, Credit Cards and the Bird that Talks Too Much Ertunga Arsal - BlackHat USA 2014

!+,.),')%&4.7(=+

FGY

!"#$%"&'

($)*+,$'

(-.'(&/#$0'

12#$)3"4'5)67)"0/',"3'/$38'

)$9:$/#/'#6'.;<'($)*$)'6*$)'

#=$'7"#$%"&'*+"'>?;'

5)6#6,64'

."&0$3#';")8'<3#$)@",$'($)*$)''

)$7+/#$)/'+#/$4@'63'(-.'!"#$%"&'

"38'",,$5#/',633$,A63/'

;;B-CDEF><G-D<FH'

;;B(1DDI1J1HD'

>$7+3@6'-;I'

8$K3$/'%=6',"3'

)$7+/#$)'"'/$)*$)'6)'

,633$,#'#6'"'

)$7+/#$)$8'/$)*$)'

(-.'/&/#$0',"3'

/$38')$9:$/#/'#6'

.;<'($)*$)'6*$)'

#=$'7"#$%"&'*+"'

>?;'5)6#6,64'

.;<'($)*$)'

J$),="3#NM"3O'

>$7+/#$)/'"/'

D.'<PQPAY.P01'

-,,$//$/'D.'PAY.P01'

8<+('.,2%#,:;(.+%&,')%

K.+('Q,7(%&4..(7AP*+:

L%C*+/%'(9*-+('()%Ng&%!('P('-

SAP, Credit Cards and the Bird that Talks Too Much Ertunga Arsal - BlackHat USA 2014

8<+('.,2%#,:;(.+%&,')%K.+('Q,7(%&4..(7AP*+:

!+,.),')%&4.7(=+%L%&4;;4.%!(76'*+:%K--6(-

‣&6-+4;('%)4(-%.4+%74.f96'(%"&u%

‣"&u%7,.%D(%D:=,--()%k;*--*.9%!"#%3('.(2%=,+7/l%

‣&6-+4;('%6-(-%!"#`-%+442%+4%9(.(',+(%+/(%,77(--%74.+'42%2*-+%

–!"#`-%'(9*.Q4%"&u%9(.(',+4'%7'(,+(-%,77(--%2*-+-%C*+/%ACCESS=*!

–!"#%)4(-%.4+%,73.4C2()9(%+/*-%,-%,%-(76'*+:%*--6(%

‣#'()*7+,D2(%1#%.,;(-%4Q%=,:;(.+%='47(--4'-%

–(.,D2*.9%6.,6+/(.A7,+()%,O,73-

FGa

SAP, Credit Cards and the Bird that Talks Too Much Ertunga Arsal - BlackHat USA 2014

8<+('.,2%#,:;(.+%&,')%K.+('Q,7(%&4..(7AP*+:

H*+/%'(9*-+('()%Ng&%!('P('-%L%"O,73-

FGe

!"#$%"&'

($)*+,$'

(-.'(&/#$0'

1*+2'$3#$)4"2'5)67)"0/',"4'

/$48')$9:$/#/'#6'.;<'($)*$)'

6*$)'#=$'7"#$%"&'*+"'>?;'

5)6#6,62'#6'$3#)",#';;'

+4@6)0"A64'

."&0$4#';")8'<4#$)@",$'($)*$)''

)$7+/#$)/'+#/$2@'64'(-.'!"#$%"&'

"48'",,$5#/',644$,A64/'

;;B-CDEF><G-D<FH'

;;B(1DDI1J1HD'

>$7+4@6'-;I'8$K4$/'%=6',"4'

)$7+/#$)'"'/$)*$)'6)',644$,#'#6'"'

)$7+/#$)$8'/$)*$)'

(-.'/&/#$0'/$48/')$9:$/#/'#6'

.;<'($)*$)'6*$)'#=$'7"#$%"&'

.;<'($)*$)'

J$),="4#N

O"4P'

>$7+/#$)/'

D.'<QRPAY.P01'

J<DJS-4'"T",P$)',"4'

5)$#$48'#6'U$'.;<'/$)*$)'U&'

)$7+/#$)+47'%+#='#=$'/"0$'D.'

<Q'#6'/4+V';;'+4@6)0"A64'6)'

#6'#)+,P'#=$'(-.'/&/#$0'#="#'

5"&0$4#'+/',6052$#$'

>$7+/#$)/'

D.'<QRPAY.P01'

-,,$//$/'D.'PAY.P01'

SAP, Credit Cards and the Bird that Talks Too Much Ertunga Arsal - BlackHat USA 2014

g6'+/('%!(76'*+:%K--6(-

‣54)('.%-426A4.-%+/,+%6-(%(d9d%!"#%#K%k='47(--%*.+(9',A4.l%,'(%4i(.%

;*-74.f96'()%C*+/%Q,+,2%v,C-%

‣>(D699*.9%4'%-:-+(;%+',7*.9%*-%.4+%-C*+7/()%4md%%

‣!U&%k+',.-=4'+%(.7':=A4.l%*-%','(2:%6-()%D(+C((.%#&K%,.)%!"#%-:-+(;%

‣N()*'(7A.9%(d9d%!"#%C(D%-/4=%6-('-%+4%,.%(<+('.,2%='4P*)('%kD(Q4'(%

=,:;(.+l%+4%,P4*)%D(*.9%*.%+/(%#&KL>!!%-74=(%*-%+/(%.(C%+'(.)%%

–Tokenizing%4.%*+-%4C.%*-%.4+%-6j7*(.+d%1/(%!"#%-:-+(;%;6-+%,2-4%D(%/,')(.()d%%

‣#&KL>!!%,6)*+4'-%9(.(',22:%/,P(%2*O2(%4'%.4%3.4C2()9(%,D46+%!"#%

-(76'*+:d

FJ[

SAP, Credit Cards and the Bird that Talks Too Much Ertunga Arsal - BlackHat USA 2014

8<+('.,2%#,:;(.+%&,')%K.+('Q,7(%&4..(7AP*+:

!+,.),')%&4.7(=+%L%N(-62A.9%*.

‣5,.L*.L+/(L;*))2(%,O,73%Q4'%CC_SETTLEMENT%,.)%

CC_AUTHORIZATION%Q6.7A4.-%

‣&'()*+%7,')%),+,%+/(i%%

‣g,3(%+',.-,7A4.%,6+/4'*R,A4.%%

–!"#%-:-+(;%7,.%D(%Q442()%+/,+%+',.-,7A4.%*-%74;=2(+(%,.)%*+%7,.%)(2*P('%+/(%944)-%

‣g4'(-((,D2(%74.-(r6(.7(-%

–D',.)%),;,9($%2(9,2%74.-(r6(.7(-%(+7d%

‣".)%-4;(%6.Q4'(-((,D2(%74.-(r6(.7(-V%

FJ\

4'%!4;(+/*.9%54'(%8.+('+,*.*.9

SAP, Credit Cards and the Bird that Talks Too Much Ertunga Arsal - BlackHat USA 2014

‣K`P(%/(,')%,+%;,.:%74.Q('(.7(-%+/,+%!"#%-/462)%D(%;4'(%-47*,2%.(+C4'3*.9%

(.,D2()$%-4%2(+`-%)4%*+s%%%

‣1,;=('*.9%+/(%=,:;(.+%7,')%*.+('Q,7(%Q6.7A4.-%*-%=4--*D2(%

–(d9d%SD_CCARD_AUTH_CALL_RFC%%7462)%,224C%7,=+6'*.9%7'()*+%7,')%.6;D('-%'(,2LA;(%

•K.726)*.9%P,2*),A4.%-+,+6-$%7,')%P,2*),A4.%74)(%7PPG%k7,22()%7P7G%Q4'%;,-+('7,')$%-,;(%+/*.9l%

‣K.+'4)67*.9%1C((+0O+5%%

–1B8%gKN!1%!"#%&N8>K1%&"N>%1^%1HK118N%KU18Ng"&8%

–"224C-%!"#%-:-+(;%+4%+C((+%,i('%,%7'()*+%7,')%+',.-,7A4.%

–N(r6*'(-%=,+7/*.9%!"#`-%74)($%P4*)-%C,'',.+:s%

•1/,+%-/462)%D(%+/(%2(,-+%4Q%:46'%C4''*(-%

–g,22D,73%+4%>U!%+6..(2*.9%C/(.%1C*O('%*-%6.'(,7/,D2(

&4..(7A.9%!"#%+4%!47*,2%5()*,

FJJ

SAP, Credit Cards and the Bird that Talks Too Much Ertunga Arsal - BlackHat USA 2014

1C((+0O+5w%&/,22(.9(-

‣1C*O('%7/,.9()%*+-%"#K%+/*-%:(,'%-4%B11#%*-%.4+%,224C()%,.:;4'(%

–p44)%-*)(M%#&KL>!!%74;=2*,.+%D,73)44'%

–N(r6*'(-%*;=4'A.9%1C*O('`-%7('+%P*,%+',.-,7A4.%STRUST%

•H4'3,'46.)%D:%*.P43*.9%SAPGENPSE !

–>(2,:-M%\LJ%-(74.)-%=('%+C((+%

‣>U!%+6..(2%Q,22D,73%C/(.%46+D46.)%

74..(7A4.%*-%D2473()%

–g6.7A4.%;4)62(%RFC_HOST_TO_IP%*-%

k;*-l6-()%,-%,%=44'%;,.`-%>U!%+6..(2%4.%

"0"#%

‣#6D2*7%-46'7(%74)(I%

–!A22%*.%)*-76--*4.-%C*+/%+/(%2(9,2%96:-d%g4224C%

;(%4.%+C*O('%+4%-+,:%*.Q4';()%Ml

FJ_

w0O+5%q%0*')%+/,+%%

+,23-%+44%567/

#,'+%KKK%L%B4C%+4%!+,:%!(76'(%

Q'4;%6.Q4'(-((,D2(%74.-(r6(.7(-

SAP, Credit Cards and the Bird that Talks Too Much Ertunga Arsal - BlackHat USA 2014

U4d\M%"))'(--%1/(%&4;=2(+(%#*7+6'(

FJW

SAP, Credit Cards and the Bird that Talks Too Much Ertunga Arsal - BlackHat USA 2014

U4dGM%K;=2(;(.+%,%B42*-A7%#'47(--%+4%!+,:%!(76'(

FJY

Detec%on(

• Real&'me)security)

monitoring)

• SAP)event)

correla'on)

Response(

• Automa'c)Threat)Mi'ga'on)

• Automa'c)Firewall)Rule)

Crea'on)

Preven%on(

• Vulnerability)

Discovery)

• Automa'c)Issue)

Fixing)

SAP, Credit Cards and the Bird that Talks Too Much Ertunga Arsal - BlackHat USA 2014

U4dJM%"6+4;,+(%K+

‣"6+4;,+()%!"#%-(76'*+:%-7,.-%

‣"6+4;,+()%!"#%#&KL>!!%74;=2*,.7(%7/(73-%

‣"6+4;,+()%"0"#%74)(%74''(7A4.-%

‣"6+4;,+()%!"#%'(,2LA;(%;4.*+4'*.9%

‣"6+4;,+()%!"#%(P(.+%74''(2,A4.%

‣"6+4;,+()%74.A.646-%*.+(9',A4.%*.+4%!(76'*+:%K.7*)(.+%8P(.+%

5,.,9(;(.+%L%!K85%

‣"6+4;,+()%!"#%P62.(',D*2*+:b*--6(%f<*.9%k'(;()*,A4.l%

‣"6+4;,+()%!"#%*.+'6-*4.%)(+(7A4.$%='(P(.A4.%,.)%,2('A.9

FJa

"D46+%E-

SAP, Credit Cards and the Bird that Talks Too Much Ertunga Arsal - BlackHat USA 2014

8!U&%p;DB%L%p(';,.:

‣8!U&%,--(--(-%,.)%f<(-%-(76'*+:%P62.(',D*2*A(-%*.%!"#%-:-+(;-%

–8!U&%!(76'*+:%!6*+(M%#(.+(-A.9$%'(,2LA;(%!"#%-(76'*+:%;4.*+4'*.9%,.)%,6+4;,A7%P62.(',D*2*+:%

;*A9,A4.%

‣B(,)r6,'+('-%*.%56.*7/%

‣&6-+4;('%D,-(M%p4P('.;(.+,2%*.-A+6A4.-$%D,.3*.9$%6A2*A(-$%

,6+4;,AP($%4*2%,.)%4+/('%7'*A7,2%*.)6-+'*(-%%

‣#'(-(.+('M%8'+6.9,%"'-,2%%

–!(76'*+:%'(-(,'7/('%C*+/%24.9%/*-+4':%,.)%Q476-%4.%!"#%

–"6)*+()%/6.)'()-%4Q%74'=4',+(%,.)%94P('.;(.+%(.+('='*-(%!"#%-:-+(;-%+4%),+(%

–&'()*+()%D:%!"#%Q4'%YT%-(76'*+:%=,+7/(-%*.%G[\J%k4P('%\[[%P62.(',D*2*A(-%*.%+4+,2l%%

–u(7+6'('%?!:-+(;-%,.)%U(+C4'3%!(76'*+:@%,+%!,D,.7*%E.*P('-*+:%Q4'%=4-+9',)6,+(-%

–!=(,3('%,+%&&&%,..6,2%74.9'(--$%>(Q74.%B,-/),:-$%>((=-(7$%!(7L1%(+7V%

–g46.)('%4Q%8!U&%

F_[

SAP, Credit Cards and the Bird that Talks Too Much Ertunga Arsal - BlackHat USA 2014

1/(%5(.6%4Q%!"#%!(76'*+:

‣"[\%L%!"#%"6)*+%h%"--(--;(.+%

‣"[G%L%!"#%#&K%>!!%Jd[%&4;=2*,.7(%

‣"[J%L%!"#%N(;()*,A4.%,.)%N*-3%5,.,9(;(.+%

‣"[_%L%!(76'*+:%#42*7:%8.Q4'7(;(.+%4.%!"#%-:-+(;-%

‣"[T%L%!"#%#(.(+',A4.%1(-A.9%

‣&[\%L%"0"#%&4)(%!(76'*+:%"--(--;(.+%h%&4''(7A4.%%

‣N[\%L%!"#%N(,2L1*;(%54.*+4'*.9%h%K>#%

‣N[G%L%!"#%!K85%K.+(9',A4.

F_\

SAP, Credit Cards and the Bird that Talks Too Much Ertunga Arsal - BlackHat USA 2014

‣".)%;,.:%+/,.3-%+4%%

–8'*7%06-/;,.%x(D6-/;,.y=,:;(+'*7d74;z%Q'4;%#,:;(+'*7%Q4'%+/(%944)%*.=6+%

–,.)%;:%+(,;%

1/*-%)476;(.+%74.+,*.-%'(Q('(.7(-%+4%='4)67+-%4Q%!"#%"pd%!"#$%"0"#$%!"#pEK%,.)%4+/('%.,;()%!"#%='4)67+-%,.)%,--47*,+()%2494-%,'(%D',.)%.,;(-%4'%'(9*-+('()%+',)(;,'3-%4Q%!"#%"p%*.%p(';,.:%,.)%4+/('%746.+'*(-%*.%

+/(%C4'2)d%B#%*-%,%'(9*-+('()%+',)(;,'3%4Q%B(C2(OL#,73,')%&4;=,.:d%^',72(%,.)%{,P,%,'(%'(9*-+('()%+',)(;,'3-%4Q%^',72(%,.)b4'%*+-%,j2*,+(-d%"22%4+/('%+',)(;,'3-%,'(%+/(%='4=('+:%4Q%+/(*'%'(-=(7AP(%4C.('-d%%

1/*-%)476;(.+%*-%Q4'%()67,A4.,2%=6'=4-(-d%K+%)4(-%.4+%74;(%C*+/%,.:%C,'',.+:%4'%96,',.+((d%8!U&%p;DB%*-%.4+%'(-=4.-*D2(%4Q%,.:%;*-6-(%4Q%+/(%74.+(.+d%

1/*-%)476;(.+%4'%=,'+-%4Q%+/*-%)476;(.+%*-%.4+%,224C()%+4%D(%)*-+'*D6+()%C*+/46+%8!U&`-%C'*O(.%=(';*--*4.d

1/,.3%:46

F_G

|h"

8'+6.9,%"'-,2%%

8;,*2M%('+6.9,y(-.7d)(

0',)%H*23*.-4.%

8;,*2M%D',)y(-.7d)(%

0 views·43 pages

SAP, Credit Cards and the Bird that Talks Too Much PDF Free Download

SAP, Credit Cards and the Bird that Talks Too Much PDF free Download. Think more deeply and widely.

Uploaded by DecisionPanda on 4/10/2026

/43

100%

!"#$%&'()*+%&,')-%,.)%+/(%0*')%+/,+%1,23-%144%567/

8'+6.9,%"'-,2

SAP, Credit Cards and the Bird that Talks Too Much Ertunga Arsal - BlackHat USA 2014

"9(.),

‣06-*.(--%#'47(--(-%

‣!"#%!:-+(;-%

‣8<=24*+%>(;4%

‣?!"#%&'()*+%&,')-%,.)%0*')-@%

‣8<+('.,2%#,:;(.+%!426A4.-%4.%!"#%

‣B4C%+4%!+,:%!(76'(%

‣"D46+%E-

SAP, Credit Cards and the Bird that Talks Too Much Ertunga Arsal - BlackHat USA 2014

H,.+%+4%3.4C%%

/4C%+/*-%/,==(.()I

#,'+%K%L%1/(%06-*.(--%#'47(--(-

1/(%0,739'46.)

SAP, Credit Cards and the Bird that Talks Too Much Ertunga Arsal - BlackHat USA 2014

!"#M%1/(%>4;*.,A.9%!:-+(;

‣!"#%8N#%*-%='(O:%;67/%+/(%

)4;*.,A.9%-:-+(;%C/*7/%

+',.-2,+(-%+/(%D6-*.(--%='47(--(-%

+4%+/(%)*9*+,2%C4'2)%%

‣&4P('-%,2;4-+%,22%,-=(7+-%4Q%

D6-*.(--%

‣"224C-%(<+(.-*P(%76-+4;*R,A4.-%

‣!"#%*-%+/(%74'(%4Q%;,S4'%D6-*.(--(-%

SAP, Credit Cards and the Bird that Talks Too Much Ertunga Arsal - BlackHat USA 2014

"O,73*.9%+/(%&4'(

‣!"#%-:-+(;-%,'(%74;=2(<%-:-+(;-%

‣U6;('46-%74;=4.(.+-%

‣N,'(2:%/,')(.()%%

‣V4'%='4=('2:%=,+7/()%

‣K+%)4(-%.4+%-+4=%+/('(V%%

–!"#%,==2*7,A4.-%74.+,*.%J')%=,'+:%"0"#%,))L4.-

SAP, Credit Cards and the Bird that Talks Too Much Ertunga Arsal - BlackHat USA 2014

"O,73%X(7+4'-

SAP, Credit Cards and the Bird that Talks Too Much Ertunga Arsal - BlackHat USA 2014

B4C%7,.%*+%D(%,O,73()I

8<,;=2(M%0"!K!%&4;=4.(.+-

‣Z8!U&LG[\JL[[J]%N(;4+(%^!%&4;;,.)%8<(76A4.%*.%!"#%0"!K!%

&4;;6.*7,A4.%!('P*7(-%

–"224C-%^!%74;;,.)%(<(76A4.$%C*+/%+/(%'*9/+-%4Q%+/(%!"#%,==2*7,A4.%-('P('%

–H(%'(=4'+()%+/*-%*.%G[\\$%*+%94+%=,+7/()%*.%G[\J%Z!"#%U4+(%\WY_\JG]%%

–!"#`-%&XX!%PG%D,-(%-74'(%Q4'%+/*-%P62.(',D*2*+:%*-%6.0$(Medium$Risk)$

‣H(%C('(%,D2(%+4%D:=,--%+/(%=,+7/`-%='4+(7A4.%

–!(74.)%=,+7/%7,;(%,%746=2(%4Q%;4.+/-%2,+('%Z!"#%U4+(%\aGW\WG]%

–1/*-%A;(%&X!!%PG%-74'(%*-M%7.5$(High$Risk)%

‣!,;(%P62.(',D*2*+:%/*9/('%&X!!%-74'(%

SAP, Credit Cards and the Bird that Talks Too Much Ertunga Arsal - BlackHat USA 2014

B4C%7,.%*+%D(%,O,73()I

J')%#,'+:%&4;=4.(.+-

‣Z8!U&LG[\JL[[_]%N(;4+(%

"0"#%&4)(%K.S(7A4.%*.%

^=(.1(<+bKc^!%8&5%Q4'%!"#%

U(+H(,P('%

–H*)(2:%6-()%J')%=,'+:%74;=4.(.+%Q4'%

,'7/*P*.9%,.)%)476;(.+%;,.,9(;(.+d%

–X62.(',D*2*+:%,224C-%*.S(7A.9%"0"#%

74)(%+4%+/(%!"#%-:-+(;d

8<=24*+%>(;4

0(74;*.9%,.%,);*.%6-('%4.%+/(%!"#%-:-+(;

SAP, Credit Cards and the Bird that Talks Too Much Ertunga Arsal - BlackHat USA 2014

H/,+%*-%,%06-*.(--%#'47(--I

‣&422(7A4.%4Q%'(2,+()%,7AP*A(-%+/,+%='4)67(%,%-=(7*f7%-('P*7(%4'%='4)67+%

Q4'%76-+4;('-%

‣0(9*.-%C*+/%,%76-+4;('`-%.(()%,.)%(.)-%C*+/%,%76-+4;('`-%.(()%

Q62f22;(.+d%

‣&4;;4.2:%)4.(%6-*.9%!"#%-:-+(;-

F\\

Famous Example: The pin factory by Adam Smith

SAP, Credit Cards and the Bird that Talks Too Much Ertunga Arsal - BlackHat USA 2014

8<,;=2(M%"O,73*.9%+/(%06-*.(--%#'47(--(-%

g*.)*.9%h%8<=24*A.9%X(.)4'-%C/*7/%8<=(7+%54.(:

‣1/(%,O,73('%7462)%)*'(7+2:%94%+4%P(.)4'%=,:;(.+%/*-+4':%Q4'%

)(+(';*.*.9%+/(%+,'9(+%D,.3%,7746.+-%4Q%P(.)4'-d%

F\G

SAP, Credit Cards and the Bird that Talks Too Much Ertunga Arsal - BlackHat USA 2014

>(+(';*.*.9%X*7A;%0,.3%"7746.+-

‣"O,73('%7,.%f2+('%46+%6.*.+('(-A.9%,7746.+-%,.)%Q476-%4.%4.(-%C/('(%

+/(%P*7A;%74;=,.:%C*22%+',.-Q('%;4'(%+/,.%\[d[[[%8EN

F\J

SAP, Credit Cards and the Bird that Talks Too Much Ertunga Arsal - BlackHat USA 2014

>(+(';*.*.9%X*7A;%0,.3%"7746.+-

‣"O,73('%7,.%=*73%+/(%2,'9(-+%-6;%

C/*7/%C*22%D(%=,*)%%

‣"O,73('%7,.%,2-4%7/(73%C/(.%+/(%

+',.-Q('%C*22%D(%)4.(%

‣U4C%4.2:%4.(%-+(=%*-%2(i%Q4'%+/(%

'(-62+%

–N(=2,7*.9%+/(%D,.3%,7746.+%4Q%+/(%X(.)4'%

C*+/%+/(%,O,73('`-%D,.3%,7746.+

F\_

SAP, Credit Cards and the Bird that Talks Too Much Ertunga Arsal - BlackHat USA 2014

&/,.9*.9%+/(%0,.3%"7746.+-

‣"O,73('%'6.-%+/(%+',.-,7A4.%FK02%,.)%-(,'7/(-%P*7A;%P(.)4'%

‣"O,73('%'(=2,7(-%+/(%,7746.+%.6;D('%4Q%+/(%P(.)4'%C*+/%(P*2%4.(%

‣H/(.%+/(%=,:;(.+%A;(%74;(-$%-6;%*-%+',.-Q(''()%+4%+/(%,O,73('`-%,7746.+

F\T

SAP, Credit Cards and the Bird that Talks Too Much Ertunga Arsal - BlackHat USA 2014

8.)%4Q%&/,=+('%K

‣g4'%+/(%-(74.)%=,'+%4Q%+/(%='(-(.+,A4.$%C(%,--6;(%+/,+%+/(%,O,73('%

/,-%-6j7*(.+%,6+/4'*R,A4.-%Q4'%(<(76A.9%,.:%,7A4.%;(.A4.()%2,+('d%

–0:%(<=24*A.9%P62.(',D*2*A(-%

–&4226-*4.%

–8<*-A.9%'*9/+-%%

‣!4$%-:-+(;%*-%74;='4;*-()d%06+%C/('(%(2-(%7,.%+/(%,O,73('%94%Q'4;%

+/('(I%%

‣0(Q4'(%+/,+$%2(+`-%+,23%,D46+%7'()*+%7,')-%,.)%+/(%D*')-V

F\W

#,'+%KK%L%!"#%&'()*+%&,')-%,.)%0*')-

&'()*+%&,')%#'47(--*.9%4.%!"#

SAP, Credit Cards and the Bird that Talks Too Much Ertunga Arsal - BlackHat USA 2014

&'()*+%&,')%#'47(--*.9%4.%!"#

‣!,2(-%,.)%>*-+'*D6A4.%k!>l%,.)%;,.:%!"#%;4)62(-%6A2*R(%=,:;(.+%7,')%='47(--*.9%

–&6-+4;('%4')('-%

–N(+,*2%=4*.+%4Q%-,2(%k#^!l%

–g*.,.7*,2%,7746.A.9%

–K.+('.(+%74;;('7(%

–BN%L%+',P(2%(<=(.-(-%

‣1/(%7,')/42)('%),+,%=,--(-%+/'469/%!"#%-:-+(;%,.)%*+%*-%-+4'()%4.%+/(%-:-+(;%4.%

;,.:%477,-*4.-%

–>,+,%+,D2(-%

–&/,.9(%)476;(.+-%

–1',.-,7A4.%249-%

–>0%249-%

‣^.2:%Q(C%(<+('.,2%-426A4.-%6-(%+43(.*R*.9%,.)%,.)%(<+('.,2%=4'+,2-$%46+-*)(%!"#

F\a

SAP, Credit Cards and the Bird that Talks Too Much Ertunga Arsal - BlackHat USA 2014

&'()*+%&,')%>,+,

>0%1,D2(-

‣>6'*.9%46'%'(-(,'7/$%C(%Q46.)%;4'(%+/,.%T[%!"#%),+,D,-(%+,D2(-%

C/*7/%74.+,*.%(d9d%7'()*+%7,')%.6;D('-%%

‣1/(%6-()%+,D2(-%)*m('%D,-()%4.%C/*7/%;4)62(-%,.)%Q6.7A4.,2*A(-%

,'(%6-()b,7AP,+()%4.%+/(%76-+4;('%%

‣!4;(%74;;4.%!"#%+,D2(-%,'(M

F\e

FPLTC

#,:;(.+%7,')-M%1',.-,7A4.%),+,%L%!>

BSEGC

>476;(.+%L%>,+,%4.%#,:;(.+%&,')%#,:;(.+-

VCKUN

"--*9.%76-+4;('L7'()*+%7,')

VCNUM

&'()*+%7,')%;,-+('

Pa0105$(Subtype$0011)

BN%5,-+('%N(74')M%K.Q4+:=(%[[\\%k8<+d0,.3%1',.-Q('-l

PCA_SECURITY_RAW

&,')%5,-+('M%8.7':=A4.

CCSEC_ENC,$CCSEC_ENCV

8.7':=+()%#,:;(.+%&,')%>,+,

CCARDEC

8.7':=+()%#,:;(.+%&,')%>,+,

/PMPAY/PENCRP

#,:;(+'*7%n%8.7':=+()%#,:;(+'*7%&,')%>,+,%kQ4'%4o*.(%6-,9($%.4C%4D-42(+(l

SAP, Credit Cards and the Bird that Talks Too Much Ertunga Arsal - BlackHat USA 2014

"77(--*.9%&2(,'+(<+%&,')/42)('%K.Q4';,A4.

N(7*=(

‣1:=(%!8\W%,+%+/(%74;;,.)%D,'%4Q%

!"#pEK%,i('%:46%2494.$%/*+%8.+('d%

–1:=(%+/(%+,D2(%C/*7/%:46%C,.+%+4%)*-=2,:%,.)%

='(--%8.+('d%%

•8d9d%FPLTC%

‣8.+('%:46'%7'*+('*,%k(;=+:%qq%,22l%

‣&4=:%=,-+(%+/(%),+,%,-%)(-*'()%+4%:46'%

Q,P4'*+(%#,-+(0*.

FG[

SAP, Credit Cards and the Bird that Talks Too Much Ertunga Arsal - BlackHat USA 2014

"77(--*.9%&2(,'+(<+%&,')/42)('%K.Q4';,A4.

E-*.9%N(;4+(%g6.7A4.%&,22-

‣Ng&%kN(;4+(%g6.7A4.%&,22l%='4+4742%7,.%D(%6A2*R()%

‣!^"#LNg&%4P('%B11#%,224C-%K.+('.(+%D,-()%,77(--%+4%Ng&%Q6.7A4.,2*+:d%

‣RFC_READ_TABLE%Q6.7A4.%,224C-%9(.('*7%,77(--%+4%74.+(.+-%4Q%+/(%

+,D2(-%

‣!,=-673('%7462)%D(%6-()%Q4'%*+I

FG\

-46'7(M%H*3*=()*,

SAP, Credit Cards and the Bird that Talks Too Much Ertunga Arsal - BlackHat USA 2014

g'((%1442I%L%!,=-673('

‣U,;()%,i('%+/(%Q,;46-%D*')%

‣"224C-%(,-:%,77(--%+4%!"#%+,D2(-%P*,%

Ng&%,.)%B11#k-l%='4+4742-%

‣"224C-%'(6-*.9%c!!()%!"#%2494.%

7443*(-%Q4'%Ng&%74..(7A4.-%

‣!U&%k!(76'(%.(+C4'3%

74;;6.*7,A4.-l%-6==4'+()%

‣!"#%'46+('%-6==4'+()%

‣8,-*2:%(<+',7+%,.)%f2+('%-(.-*AP(%),+,

FGG

SAP, Credit Cards and the Bird that Talks Too Much Ertunga Arsal - BlackHat USA 2014

>(7':=A.9%8.7':=+()%&'()*+%&,')%U6;D('-

‣>6(%+4%#&KL>!!%'(r6*'(;(.+-$%7,')/42)('%

),+,%;6-+%D(%(.7':=+()d%%

–1,D2(-%(d9d%PCA_SECURITY_RAW$%CCSEC_ENC$%

CCSEC_ENCV$%CCARDEC$%/PMPAY/PENCRP%

74.+,*.%(.7':=+()%),+,%k*Q%(.7':=A4.%*-%(.,D2()l%%

‣#'49',;%RS_REPAIR_SOURCE%-=,C.-%

,%74)(%()*+4'%

–".%,O,73('%7462)%6-(%*+%+4%+:=(%;,2*7*46-%"0"#%74)($%

(P(.%4.%='4)67A4.%-:-+(;-

FGJ

SAP, Credit Cards and the Bird that Talks Too Much Ertunga Arsal - BlackHat USA 2014

"'(%C(%+/(%4.2:%4.(-I

‣1/(%),+,%7,.%D(%)(7':=+()%P*,%

Q6.7A4.%;4)62(-%

CCARD_DEVELOPE%4'%%

CCSECA_CCNUM_DECRYPTION%

–+/(%Ng&%/PMPAY/P_ENCRYP_RFC%4'%

XIPAY_E4_CRYPTO%Q4'%#,:;(+'*7%

‣#(4=2(%,'(%,2'(,):%)4*.9%+/*-s%

–,.)%+/(:%,'(%-/,'*.9%+/(*'%(<=('*(.7(-

FG_

8<+('.,2%#,:;(.+%!426A4.-%4.%!"#

SAP, Credit Cards and the Bird that Talks Too Much Ertunga Arsal - BlackHat USA 2014

8<+('.,2%X(.)4'-%Q4'%#,:;(.+%!426A4.-

‣K+%*-%74;;4.%+4%-((%(<+('.,2%-426A4.-%Q4'%-(76'*.9%&&%

),+,%%

–#,:;(+'*7%c*#,:Lc*!(76'(%k7442%+43(.*R*.9%-+6ml%,.)%4+/('-%-67/%,-%

p5"#,:$%#,:2*.c$%>(2(94!(76'($%#'*.7(+4.%&,')&4..(7+%+4%.,;(%,%

Q(CV%

‣!(76'(%k,--6;*.9l%=,:;(.+%-426A4.%t%*.-(76'(%!"#%

-:-+(;%(r6,2-%+4%I%

‣54-+%74;;4.%-426A4.-%6-(%?'(9*-+('()%Ng&%-('P('-@%

Q4'%!"#%74..(7AP*+:

FGW

SAP, Credit Cards and the Bird that Talks Too Much Ertunga Arsal - BlackHat USA 2014

!+,.),')%&4.7(=+

FGY

!"#$%"&'

($)*+,$'

(-.'(&/#$0'

12#$)3"4'5)67)"0/',"3'/$38'

)$9:$/#/'#6'.;<'($)*$)'6*$)'

#=$'7"#$%"&'*+"'>?;'

5)6#6,64'

."&0$3#';")8'<3#$)@",$'($)*$)''

)$7+/#$)/'+#/$4@'63'(-.'!"#$%"&'

"38'",,$5#/',633$,A63/'

;;B-CDEF><G-D<FH'

;;B(1DDI1J1HD'

>$7+3@6'-;I'

8$K3$/'%=6',"3'

)$7+/#$)'"'/$)*$)'6)'

,633$,#'#6'"'

)$7+/#$)$8'/$)*$)'

(-.'/&/#$0',"3'

/$38')$9:$/#/'#6'

.;<'($)*$)'6*$)'

#=$'7"#$%"&'*+"'

>?;'5)6#6,64'

.;<'($)*$)'

J$),="3#NM"3O'

>$7+/#$)/'"/'

D.'<PQPAY.P01'

-,,$//$/'D.'PAY.P01'

8<+('.,2%#,:;(.+%&,')%

K.+('Q,7(%&4..(7AP*+:

L%C*+/%'(9*-+('()%Ng&%!('P('-

SAP, Credit Cards and the Bird that Talks Too Much Ertunga Arsal - BlackHat USA 2014

8<+('.,2%#,:;(.+%&,')%K.+('Q,7(%&4..(7AP*+:

!+,.),')%&4.7(=+%L%&4;;4.%!(76'*+:%K--6(-

‣&6-+4;('%)4(-%.4+%74.f96'(%"&u%

‣"&u%7,.%D(%D:=,--()%k;*--*.9%!"#%3('.(2%=,+7/l%

‣&6-+4;('%6-(-%!"#`-%+442%+4%9(.(',+(%+/(%,77(--%74.+'42%2*-+%

–!"#`-%'(9*.Q4%"&u%9(.(',+4'%7'(,+(-%,77(--%2*-+-%C*+/%ACCESS=*!

–!"#%)4(-%.4+%,73.4C2()9(%+/*-%,-%,%-(76'*+:%*--6(%

‣#'()*7+,D2(%1#%.,;(-%4Q%=,:;(.+%='47(--4'-%

–(.,D2*.9%6.,6+/(.A7,+()%,O,73-

FGa

SAP, Credit Cards and the Bird that Talks Too Much Ertunga Arsal - BlackHat USA 2014

8<+('.,2%#,:;(.+%&,')%K.+('Q,7(%&4..(7AP*+:

H*+/%'(9*-+('()%Ng&%!('P('-%L%"O,73-

FGe

!"#$%"&'

($)*+,$'

(-.'(&/#$0'

1*+2'$3#$)4"2'5)67)"0/',"4'

/$48')$9:$/#/'#6'.;<'($)*$)'

6*$)'#=$'7"#$%"&'*+"'>?;'

5)6#6,62'#6'$3#)",#';;'

+4@6)0"A64'

."&0$4#';")8'<4#$)@",$'($)*$)''

)$7+/#$)/'+#/$2@'64'(-.'!"#$%"&'

"48'",,$5#/',644$,A64/'

;;B-CDEF><G-D<FH'

;;B(1DDI1J1HD'

>$7+4@6'-;I'8$K4$/'%=6',"4'

)$7+/#$)'"'/$)*$)'6)',644$,#'#6'"'

)$7+/#$)$8'/$)*$)'

(-.'/&/#$0'/$48/')$9:$/#/'#6'

.;<'($)*$)'6*$)'#=$'7"#$%"&'

.;<'($)*$)'

J$),="4#N

O"4P'

>$7+/#$)/'

D.'<QRPAY.P01'

J<DJS-4'"T",P$)',"4'

5)$#$48'#6'U$'.;<'/$)*$)'U&'

)$7+/#$)+47'%+#='#=$'/"0$'D.'

<Q'#6'/4+V';;'+4@6)0"A64'6)'

#6'#)+,P'#=$'(-.'/&/#$0'#="#'

5"&0$4#'+/',6052$#$'

>$7+/#$)/'

D.'<QRPAY.P01'

-,,$//$/'D.'PAY.P01'

SAP, Credit Cards and the Bird that Talks Too Much Ertunga Arsal - BlackHat USA 2014

g6'+/('%!(76'*+:%K--6(-

‣54)('.%-426A4.-%+/,+%6-(%(d9d%!"#%#K%k='47(--%*.+(9',A4.l%,'(%4i(.%

;*-74.f96'()%C*+/%Q,+,2%v,C-%

‣>(D699*.9%4'%-:-+(;%+',7*.9%*-%.4+%-C*+7/()%4md%%

‣!U&%k+',.-=4'+%(.7':=A4.l%*-%','(2:%6-()%D(+C((.%#&K%,.)%!"#%-:-+(;%

‣N()*'(7A.9%(d9d%!"#%C(D%-/4=%6-('-%+4%,.%(<+('.,2%='4P*)('%kD(Q4'(%

=,:;(.+l%+4%,P4*)%D(*.9%*.%+/(%#&KL>!!%-74=(%*-%+/(%.(C%+'(.)%%

–Tokenizing%4.%*+-%4C.%*-%.4+%-6j7*(.+d%1/(%!"#%-:-+(;%;6-+%,2-4%D(%/,')(.()d%%

‣#&KL>!!%,6)*+4'-%9(.(',22:%/,P(%2*O2(%4'%.4%3.4C2()9(%,D46+%!"#%

-(76'*+:d

FJ[

SAP, Credit Cards and the Bird that Talks Too Much Ertunga Arsal - BlackHat USA 2014

8<+('.,2%#,:;(.+%&,')%K.+('Q,7(%&4..(7AP*+:

!+,.),')%&4.7(=+%L%N(-62A.9%*.

‣5,.L*.L+/(L;*))2(%,O,73%Q4'%CC_SETTLEMENT%,.)%

CC_AUTHORIZATION%Q6.7A4.-%

‣&'()*+%7,')%),+,%+/(i%%

‣g,3(%+',.-,7A4.%,6+/4'*R,A4.%%

–!"#%-:-+(;%7,.%D(%Q442()%+/,+%+',.-,7A4.%*-%74;=2(+(%,.)%*+%7,.%)(2*P('%+/(%944)-%

‣g4'(-((,D2(%74.-(r6(.7(-%

–D',.)%),;,9($%2(9,2%74.-(r6(.7(-%(+7d%

‣".)%-4;(%6.Q4'(-((,D2(%74.-(r6(.7(-V%

FJ\

4'%!4;(+/*.9%54'(%8.+('+,*.*.9

SAP, Credit Cards and the Bird that Talks Too Much Ertunga Arsal - BlackHat USA 2014

‣K`P(%/(,')%,+%;,.:%74.Q('(.7(-%+/,+%!"#%-/462)%D(%;4'(%-47*,2%.(+C4'3*.9%

(.,D2()$%-4%2(+`-%)4%*+s%%%

‣1,;=('*.9%+/(%=,:;(.+%7,')%*.+('Q,7(%Q6.7A4.-%*-%=4--*D2(%

–(d9d%SD_CCARD_AUTH_CALL_RFC%%7462)%,224C%7,=+6'*.9%7'()*+%7,')%.6;D('-%'(,2LA;(%

•K.726)*.9%P,2*),A4.%-+,+6-$%7,')%P,2*),A4.%74)(%7PPG%k7,22()%7P7G%Q4'%;,-+('7,')$%-,;(%+/*.9l%

‣K.+'4)67*.9%1C((+0O+5%%

–1B8%gKN!1%!"#%&N8>K1%&"N>%1^%1HK118N%KU18Ng"&8%

–"224C-%!"#%-:-+(;%+4%+C((+%,i('%,%7'()*+%7,')%+',.-,7A4.%

–N(r6*'(-%=,+7/*.9%!"#`-%74)($%P4*)-%C,'',.+:s%

•1/,+%-/462)%D(%+/(%2(,-+%4Q%:46'%C4''*(-%

–g,22D,73%+4%>U!%+6..(2*.9%C/(.%1C*O('%*-%6.'(,7/,D2(

&4..(7A.9%!"#%+4%!47*,2%5()*,

FJJ

SAP, Credit Cards and the Bird that Talks Too Much Ertunga Arsal - BlackHat USA 2014

1C((+0O+5w%&/,22(.9(-

‣1C*O('%7/,.9()%*+-%"#K%+/*-%:(,'%-4%B11#%*-%.4+%,224C()%,.:;4'(%

–p44)%-*)(M%#&KL>!!%74;=2*,.+%D,73)44'%

–N(r6*'(-%*;=4'A.9%1C*O('`-%7('+%P*,%+',.-,7A4.%STRUST%

•H4'3,'46.)%D:%*.P43*.9%SAPGENPSE !

–>(2,:-M%\LJ%-(74.)-%=('%+C((+%

‣>U!%+6..(2%Q,22D,73%C/(.%46+D46.)%

74..(7A4.%*-%D2473()%

–g6.7A4.%;4)62(%RFC_HOST_TO_IP%*-%

k;*-l6-()%,-%,%=44'%;,.`-%>U!%+6..(2%4.%

"0"#%

‣#6D2*7%-46'7(%74)(I%

–!A22%*.%)*-76--*4.-%C*+/%+/(%2(9,2%96:-d%g4224C%

;(%4.%+C*O('%+4%-+,:%*.Q4';()%Ml

FJ_

w0O+5%q%0*')%+/,+%%

+,23-%+44%567/

#,'+%KKK%L%B4C%+4%!+,:%!(76'(%

Q'4;%6.Q4'(-((,D2(%74.-(r6(.7(-

SAP, Credit Cards and the Bird that Talks Too Much Ertunga Arsal - BlackHat USA 2014

U4d\M%"))'(--%1/(%&4;=2(+(%#*7+6'(

FJW

SAP, Credit Cards and the Bird that Talks Too Much Ertunga Arsal - BlackHat USA 2014

U4dGM%K;=2(;(.+%,%B42*-A7%#'47(--%+4%!+,:%!(76'(

FJY

Detec%on(

• Real&'me)security)

monitoring)

• SAP)event)

correla'on)

Response(

• Automa'c)Threat)Mi'ga'on)

• Automa'c)Firewall)Rule)

Crea'on)

Preven%on(

• Vulnerability)

Discovery)

• Automa'c)Issue)

Fixing)

SAP, Credit Cards and the Bird that Talks Too Much Ertunga Arsal - BlackHat USA 2014

U4dJM%"6+4;,+(%K+

‣"6+4;,+()%!"#%-(76'*+:%-7,.-%

‣"6+4;,+()%!"#%#&KL>!!%74;=2*,.7(%7/(73-%

‣"6+4;,+()%"0"#%74)(%74''(7A4.-%

‣"6+4;,+()%!"#%'(,2LA;(%;4.*+4'*.9%

‣"6+4;,+()%!"#%(P(.+%74''(2,A4.%

‣"6+4;,+()%74.A.646-%*.+(9',A4.%*.+4%!(76'*+:%K.7*)(.+%8P(.+%

5,.,9(;(.+%L%!K85%

‣"6+4;,+()%!"#%P62.(',D*2*+:b*--6(%f<*.9%k'(;()*,A4.l%

‣"6+4;,+()%!"#%*.+'6-*4.%)(+(7A4.$%='(P(.A4.%,.)%,2('A.9

FJa

"D46+%E-

SAP, Credit Cards and the Bird that Talks Too Much Ertunga Arsal - BlackHat USA 2014

8!U&%p;DB%L%p(';,.:

‣8!U&%,--(--(-%,.)%f<(-%-(76'*+:%P62.(',D*2*A(-%*.%!"#%-:-+(;-%

–8!U&%!(76'*+:%!6*+(M%#(.+(-A.9$%'(,2LA;(%!"#%-(76'*+:%;4.*+4'*.9%,.)%,6+4;,A7%P62.(',D*2*+:%

;*A9,A4.%

‣B(,)r6,'+('-%*.%56.*7/%

‣&6-+4;('%D,-(M%p4P('.;(.+,2%*.-A+6A4.-$%D,.3*.9$%6A2*A(-$%

,6+4;,AP($%4*2%,.)%4+/('%7'*A7,2%*.)6-+'*(-%%

‣#'(-(.+('M%8'+6.9,%"'-,2%%

–!(76'*+:%'(-(,'7/('%C*+/%24.9%/*-+4':%,.)%Q476-%4.%!"#%

–"6)*+()%/6.)'()-%4Q%74'=4',+(%,.)%94P('.;(.+%(.+('='*-(%!"#%-:-+(;-%+4%),+(%

–&'()*+()%D:%!"#%Q4'%YT%-(76'*+:%=,+7/(-%*.%G[\J%k4P('%\[[%P62.(',D*2*A(-%*.%+4+,2l%%

–u(7+6'('%?!:-+(;-%,.)%U(+C4'3%!(76'*+:@%,+%!,D,.7*%E.*P('-*+:%Q4'%=4-+9',)6,+(-%

–!=(,3('%,+%&&&%,..6,2%74.9'(--$%>(Q74.%B,-/),:-$%>((=-(7$%!(7L1%(+7V%

–g46.)('%4Q%8!U&%

F_[

SAP, Credit Cards and the Bird that Talks Too Much Ertunga Arsal - BlackHat USA 2014

1/(%5(.6%4Q%!"#%!(76'*+:

‣"[\%L%!"#%"6)*+%h%"--(--;(.+%

‣"[G%L%!"#%#&K%>!!%Jd[%&4;=2*,.7(%

‣"[J%L%!"#%N(;()*,A4.%,.)%N*-3%5,.,9(;(.+%

‣"[_%L%!(76'*+:%#42*7:%8.Q4'7(;(.+%4.%!"#%-:-+(;-%

‣"[T%L%!"#%#(.(+',A4.%1(-A.9%

‣&[\%L%"0"#%&4)(%!(76'*+:%"--(--;(.+%h%&4''(7A4.%%

‣N[\%L%!"#%N(,2L1*;(%54.*+4'*.9%h%K>#%

‣N[G%L%!"#%!K85%K.+(9',A4.

F_\

SAP, Credit Cards and the Bird that Talks Too Much Ertunga Arsal - BlackHat USA 2014

‣".)%;,.:%+/,.3-%+4%%

–8'*7%06-/;,.%x(D6-/;,.y=,:;(+'*7d74;z%Q'4;%#,:;(+'*7%Q4'%+/(%944)%*.=6+%

–,.)%;:%+(,;%

1/*-%)476;(.+%*-%Q4'%()67,A4.,2%=6'=4-(-d%K+%)4(-%.4+%74;(%C*+/%,.:%C,'',.+:%4'%96,',.+((d%8!U&%p;DB%*-%.4+%'(-=4.-*D2(%4Q%,.:%;*-6-(%4Q%+/(%74.+(.+d%

1/*-%)476;(.+%4'%=,'+-%4Q%+/*-%)476;(.+%*-%.4+%,224C()%+4%D(%)*-+'*D6+()%C*+/46+%8!U&`-%C'*O(.%=(';*--*4.d

1/,.3%:46

F_G

|h"

8'+6.9,%"'-,2%%

8;,*2M%('+6.9,y(-.7d)(

0',)%H*23*.-4.%

8;,*2M%D',)y(-.7d)(%