A Black Hat presentation on payment terminals and their vulnerabilities was given by a German security researcher known only as “Nils” and his colleague Rafael Dominguez Vega, both of MWR InfoSecurity in the U.K., a PCWorld article detailed.
The presentation targeted three of the most popular point-of-sale (POS) terminals currently in service. The exact models and manufacturers were kept anonymous as the researchers felt it fair to give the companies time to correct the errors, and stickers were placed over logos and receipts containing sensitive information about the manufacturers.
The vulnerabilities of the machines are as follows:
Both machines deployed in the U.K. showed vulnerabilities in their payment applications. According to the researchers, problems in the payment process can give hackers access to the display, receipt printer, card reader or PIN entry pad, and the system can be compromised by using specially crafted EMV (Chip-and-PIN) cards.
The second device, used in both the U.K. and U.S., showed vulnerabilities associated with the security of card numbers and PINs. The researchers, after installing a specialized Trojan program, were able to record the sensitive card and account information by simply inserting a rogue card into the terminal. Criminals need the data contained on a card’s magnetic stripe to successfully duplicate a payment card and make fraudulent transactions.
The final device, used heavily in the U.S., was deemed more sophisticated than its predecessors. Features include a touch screen for signature-based payments, a smart card reader, a SIM card for use over mobile networks, contactless payment capabilities, a USB port, an Ethernet port and an administration interface that is accessible both remotely and locally. Despite the device’s sophistication, it too remains vulnerable to attack, as the researchers found that communication between remote administrators and the POS terminals is not encrypted. Therefore, it is possible for an attacker to gain access to this terminal through ARP or DNS spoofing.