Payment terminal flaws shown at Black Hat
Vulnerabilities found in three popular payment terminal models can result in credit card data theft, researchers say
IDG News Service - Three widely deployed payment terminals have vulnerabilities that could allow attackers to steal credit card data and PINs, according to a pair of security researchers from penetration testing firm MWR InfoSecurity in the U.K.
The vulnerabilities were demonstrated Wednesday at the Black Hat USA 2012 security conference by MWR's head of research, a German security researcher who only identifies himself as "Nils," and Rafael Dominguez Vega, a Spanish security researcher and MWR security consultant.
Nils and Vega focused their research on three particular models of payment terminals, also known as point-of-sale (PoS) terminals. Two of them are particularly popular in the U.K., but are also used in the U.S., while the third is widely deployed in the U.S., Nils said.
The researchers declined to name the exact device models or the companies that manufacture them because they wanted to give vendors enough time to address the issues. Stickers were used during the live demonstration to cover logos and text printed on the devices that could be used to identify them.
The two devices that are popular in the U.K. have vulnerabilities in their payment applications, the specialized programs that handle the payment process.
These vulnerabilities can give attackers control over various components of these devices, such as the display, receipt printer, card reader or PIN pad, and can be exploited using specially crafted EMV (Chip-and-PIN) cards, Nils said.
These cards have malicious code written on their chips that gets executed when they get inserted into the terminals' smart card readers.
The researchers used this method to install a racing game on one of the three test devices during their demonstration and played it using its PIN pad and display.
For the second device, the researchers used the same method to install a Trojan program designed to record card numbers and PINs. The recorded information was then extracted by inserting a different rogue card into the payment terminal.
Criminals can also leverage these vulnerabilities to trick store clerks into thinking that a transaction was authorized by the bank when in fact it wasn't, allowing them to buy things without actually paying.
A malicious program installed on the device could block the payment attempt made with the attacker's card, but print a valid receipt to mislead the merchant, Nils said.
Even though the live demonstration only showed that card numbers and PINs can be recorded, there are also ways to steal the data stored on a card's magnetic stripe (magstripe), Nils said. Attackers could design a malicious program that blocks EMV transactions and asks the customers to swipe their cards instead in order to complete a payment.
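The two fraud effects described above, a receipt printed as approved for a payment the bank never authorized and a terminal that steers cardholders from chip to swipe, both leave traces in records a merchant already holds. The following is an added reconciliation example, not code from the article or from MWR; the terminal receipt log, acquirer authorization log and their field layouts are constructed assumptions for illustration.

```python
# Added example (not from the article): reconcile a terminal's own receipt log
# against the acquirer's authorization records. A compromised terminal can print
# an "APPROVED" receipt for a transaction the bank never authorized, and can push
# cardholders to a magstripe swipe. All data below is constructed for illustration.
from collections import Counter

# Constructed terminal receipt log: (receipt_id, amount_cents, result, entry_mode)
TERMINAL_RECEIPTS = [
    ("R1", 1999, "APPROVED", "EMV"),
    ("R2", 4500, "APPROVED", "EMV"),        # no matching authorization below
    ("R3", 1200, "DECLINED", "EMV"),
    ("R4", 3000, "APPROVED", "MAGSTRIPE"),  # completed by swipe
    ("R5", 2500, "APPROVED", "MAGSTRIPE"),
    ("R6", 800, "APPROVED", "EMV"),
]

# Constructed acquirer authorization log: (receipt_id, amount_cents, auth_code)
ACQUIRER_AUTHS = [
    ("R1", 1999, "A1B2C3"),
    ("R3", 1200, None),         # declined by the issuer
    ("R4", 3000, "D4E5F6"),
    ("R5", 2500, "G7H8I9"),
    ("R6", 800, "J0K1L2"),
]

def phantom_approvals(receipts, auths):
    """Receipts the terminal marked APPROVED that the acquirer never authorized
    (missing record, declined, or amount mismatch)."""
    authorized = {rid: (amt, code) for rid, amt, code in auths}
    flagged = []
    for rid, amt, result, _mode in receipts:
        if result != "APPROVED":
            continue
        auth = authorized.get(rid)
        if auth is None or auth[1] is None or auth[0] != amt:
            flagged.append(rid)
    return flagged

def magstripe_fallback_rate(receipts):
    """Share of approved transactions completed by swipe. A terminal that
    starts refusing chip transactions shows up as a jump in this ratio."""
    modes = Counter(mode for _, _, result, mode in receipts if result == "APPROVED")
    total = sum(modes.values())
    return modes["MAGSTRIPE"] / total if total else 0.0

if __name__ == "__main__":
    print("phantom approvals:", phantom_approvals(TERMINAL_RECEIPTS, ACQUIRER_AUTHS))
    print("magstripe fallback rate:", magstripe_fallback_rate(TERMINAL_RECEIPTS))
```

In practice the fallback ratio is compared per terminal against its own history, since a single day's swipe share means little on its own.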