Stealing stored payment card data and rerouting payments in SAP systems is easy for Ertunga Arsal.
In a demonstration at Black Hat 2014, Arsal, who has audited hundreds of corporate and government enterprise SAP systems and uncovered hundreds of vulnerabilities, used a tool to launch a remote shell on a SAP system.
He was able to gain admin user access, which ultimately enabled him to tap into vendor payment histories, as well as bank accounts also maintained in the SAP system. In the end, he showed how an attacker could reroute payments.
Although detection can take longer if there are no proper security measures, Arsal said rerouting payments is typically a “one-shot kind of attack to SAP systems” because eventually the recipient will realize they have not been paid.
Improved auditing and more automation will help the problem, Arsal said.