Vulnerabilities in payment terminals demonstrated at Black Hat

Vulnerabilities found in three popular payment terminal models can result in credit card data theft, researchers say

Three widely deployed payment terminals have vulnerabilities that could allow attackers to steal credit card data and PIN numbers, according to a pair of security researchers from penetration testing firm MWR InfoSecurity in the U.K.

The vulnerabilities were demonstrated Wednesday at the Black Hat USA 2012 security conference by MWR's head of research, a German security researcher who only identifies himself as "Nils," and Rafael Dominguez Vega, a Spanish security researcher and MWR security consultant.

Nils and Vega focused their research on three particular models of payment terminals, also known as point-of-sale (PoS) terminals. Two of them are particularly popular in the U.K., but are also used in the U.S., while the third is widely deployed in the U.S., Nils said.

The researchers declined to name the exact device models or the companies that manufacture them because they wanted to give vendors enough time to address the issues. Stickers were used during the live demonstration to cover logos and text printed on the devices that could be used to identify them.

The two devices that are popular in the U.K. have vulnerabilities in their payment applications -- the specialized programs handling the payment process.

These vulnerabilities can give attackers control over various components of these devices, like the display, receipt printer, card reader or PIN pad, and can be exploited by using specially crafted EMV (Chip-and-PIN) cards, Nils said.

These cards have malicious code written on their chips that gets executed when they get inserted into the terminals' smart card readers.

The researchers used this method to install a racing game on one of the three test devices during their demonstration and played it using its PIN pad and display.

For the second device, the researchers used the same method to install a Trojan program designed to record card numbers and PINs. The recorded information was then extracted by inserting a different rogue card into the payment terminal.

Criminals can also leverage these vulnerabilities to trick store clerks into thinking that a transaction was authorized by the bank when in fact it wasn't, allowing them to buy things without actually paying.

A malicious program installed on the device could block the payment attempt made with the attacker's card, but print a valid receipt to mislead the merchant, Nils said.

Even though the live demonstration only showed that card numbers and PINs can be recorded, there are also ways to steal the data stored on a card's magnetic stripe (magstripe), Nils said. Attackers could design a malicious program that blocks EMV transactions and asks the customers to swipe their cards instead in order to complete a payment.

Criminals need the magnetic stripe data in order to actually clone a payment card and perform fraudulent transactions with it.

The third payment terminal, which is popular in the U.S., is more sophisticated than the other two devices. It has a touchscreen to facilitate signature-based payments, a smart card reader, a SIM card to communicate over mobile networks, support for contactless payments, a USB port, an Ethernet port and an administration interface that can be accessed both locally and remotely.

The communication between these terminals and a remote administration server is not encrypted, which means that attackers can interfere with it, Nils said. If attackers gain access to the local network, they can use techniques like ARP or DNS spoofing to force the payment terminals to communicate with a rogue server under their control.
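A defender's view of the redirection described above, as an added example that is not from the researchers or the article: a passive check over observed ARP replies that flags when the address of a host the terminals depend on starts resolving to a different MAC. The log format, all addresses and the pinned management-server entry are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample: "<time> <sender IP> <sender MAC>" per observed ARP reply.
# The format and every address are invented for this example.
SAMPLE_LOG = """\
09:00:01 10.20.0.5 00:11:22:aa:bb:01
09:00:02 10.20.0.31 00:11:22:cc:dd:31
09:00:07 10.20.0.1 00:11:22:aa:bb:fe
09:14:40 10.20.0.5 02:de:ad:00:00:99
09:14:41 10.20.0.1 02:de:ad:00:00:99
09:15:10 10.20.0.31 00:11:22:cc:dd:31
"""

# Hosts the terminals depend on, with the MAC recorded at deployment (assumed).
PINNED = {"10.20.0.5": "00:11:22:aa:bb:01"}  # hypothetical management server


def detect_arp_anomalies(log_text, pinned):
    """Return alerts as (kind, time, ip, mac) tuples, in log order."""
    last_mac = {}                   # ip -> most recent MAC seen
    ips_by_mac = defaultdict(set)   # mac -> every IP it has claimed
    alerts = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue                # skip blank or malformed lines
        ts, ip, mac = parts[0], parts[1], parts[2].lower()
        if ip in pinned and mac != pinned[ip].lower():
            # A pinned host is answering from an unexpected MAC.
            alerts.append(("pinned_mismatch", ts, ip, mac))
        elif ip in last_mac and last_mac[ip] != mac:
            # An unpinned host changed MAC since it was last seen.
            alerts.append(("mac_changed", ts, ip, mac))
        ips_by_mac[mac].add(ip)
        if len(ips_by_mac[mac]) == 2:   # alert once, when a second IP appears
            alerts.append(("mac_claims_multiple_ips", ts, ip, mac))
        last_mac[ip] = mac
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_anomalies(SAMPLE_LOG, PINNED):
        print(*alert)
```

Monitoring of this kind only surfaces the redirection; the weakness the article reports is that the management channel itself is unencrypted.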

During the demonstration, the researchers were able to turn on the telnet service remotely and log in as root -- the administrative account on Linux systems -- which allowed them to take control of the device.

There is too much trust placed in such devices, Nils said. Merchants trust payment terminals to tell them when a payment is legitimate and payment processors trust them to handle credit card numbers and PINs securely.

Earlier this month, a different team of security researchers demonstrated vulnerabilities in a PoS device widely deployed in Germany. The vulnerabilities could have allowed attackers to compromise such devices over the local network and use them to steal card magstripe data and PINs.

Nils didn't have any evidence that models from other manufacturers also contain vulnerabilities. However, these are computer systems, so they're fairly likely to have some weaknesses, he said.

The quality of the software varied widely across the devices tested by MWR researchers, Nils said. There might be some devices that have better software security, but no system is perfect, he said.

All of the affected vendors have been notified about the vulnerabilities and one of them has already developed a patch. However, it will probably take a while for the new version to be certified and then deployed to all customers.
