Vulnerability Management

Black Hat: SAP systems vulnerable to payment card theft, rerouting payments

Stealing stored payment card data and rerouting payments in SAP systems is easy for Ertunga Arsal.

In a demonstration at Black Hat 2014, Arsal, who has audited hundreds of corporate and government enterprise SAP systems and uncovered hundreds of vulnerabilities, used a tool to launch a remote shell on a SAP system.

He was able to gain admin user access, which ultimately enabled him to tap into vendor payment histories, as well as bank accounts maintained in the SAP system. In the end, he showed how an attacker could reroute payments.

Although detection can take longer if there are no proper security measures, Arsal said rerouting payments is typically a “one-shot kind of attack to SAP systems” because eventually the recipient will realize they have not been paid.

Improved auditing and more automation will help the problem, Arsal said.
