I can't remember how often we have discussed the security of POS terminals and have tried to convey that it is a non-trivial design and development task. And of course it is not just the hardware; the software is arguably even more critical. I remember being part of a banking committee some 25 years ago where software integrity was the subject matter. We managed to define what it meant but never solved how you could consistently achieve it, although we did make everybody around us appreciate that it was a significant problem with no silver bullets. I would argue it is a more difficult challenge today than it was then because of the way modern terminals are configured and maintained.
Perhaps it's a teaser, who knows, but this month researchers at MWR InfoSecurity have claimed that cybercriminals using a rogue smart card connected to a Point of Sale (POS) terminal can effectively gain access to another customer's PIN and Primary Account Number (PAN, the number printed or embossed on the front of your financial card). They also claim that they can get access to the merchant's IT network. The company plans to present its findings at the Black Hat security conference in Las Vegas, July 21-26. It doesn't seem to have a slot assigned, so I guess it would need to be at the hustings.
Ian Shaw, the Managing Director of MWR, has said that the security of PIN pads is below that which a consumer might reasonably expect for financial transactions. He has further said that their investigations have shown that the range of vulnerabilities found in these devices could compromise consumers' card details and PINs.
Just to put it all in perspective, many have quoted the figures from the UK Payment Cards Association: 852 million card payments were processed in the UK in the month of April using a PIN pad terminal.
We have often discussed the idea of getting malware into a POS terminal, or even an extra bit of hardware and software. It seems all too easy for a hacker to go around swapping terminals in a POS environment, replacing them with new terminals incorporating some extra fraudulent function. It wasn't that long ago that TJX (the owner of TJ Maxx and TK Maxx) was attacked by hackers who simply intercepted the wireless connections from POS terminals. People have learnt to encipher these connections in more recent years.
We have also heard about the Cambridge University attacks on EMV terminals, where the connection path between the terminal and the smart card was intercepted by some extra electronics hidden up the attacker's sleeve in order to bypass the PIN authentication (generally called wedge attacks).
But here is something new: no extra electronics, no need to get inside the terminal or the merchant's network to plant malware; you just need to present a rogue smart card to the card reader of the target POS terminal.
I've seen it already on the discussion boards: it's impossible, and anyway the terminals are tested under PCI (Payment Card Industry) tests to make sure they are secure. Oh dear, if only it were that easy!
Perhaps we just need to remember SQL injection, buffer overflows and pathname attacks. The aim of these attacks is to gain unauthorised access to sensitive data or, better still from the attacker's point of view, to get the target device to execute rogue code or commands. Examples are rampant, and buffer overflows in particular have been successfully used even against smart cards. But here we are interested in attacking the terminal with no holds barred.
So how can a rogue smart card cause problems? It is a slave device: you send it a command and it sends you a reply. However, depending on the implementation, there are ways of putting the smart card into command mode so that it sends commands to the terminal for it to execute. This is prevalent in the world of smart phones.
In any event, data is being sent from the smart card to the terminal. So where does it go? There is some software driver in the terminal that manages the commands and replies between the terminal and the smart card. Here is the area of weakness: what happens if this software misbehaves when it is sent data it is not expecting, too much data (a buffer overflow) or something in the data that causes the software to operate outside its envelope?
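To make that weakness concrete, here is an added illustration, not code from MWR or from any real terminal, of the driver-side handling just described. It uses the real ISO 7816-3 T=1 block layout (NAD, PCB, LEN, INF bytes, EDC), in which the card supplies the LEN byte, and contrasts a copy routine that trusts that byte with a hardened parser that checks it against the bytes actually received, the capacity of the caller's buffer and the EDC checksum before any data is handed up the stack. The driver functions, the 16-byte record buffer and the sample blocks are all assumptions constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* T=1 block: NAD | PCB | LEN | INF[LEN] | EDC.  LEN is written by the
 * card, so a terminal driver that believes it lets the card decide how
 * much memory gets written.  Illustrative driver code, not a real one. */
#define T1_HEADER  3
#define T1_EDC     1
#define T1_MAX_INF 254

/* Vulnerable shape: copies LEN bytes into a buffer the driver sized from
 * what it EXPECTED back (e.g. a 16-byte record), not from what the card
 * actually sent.  Kept only for contrast; never fed hostile input here. */
static size_t copy_inf_unchecked(const uint8_t *blk, uint8_t *out)
{
    size_t len = blk[2];                 /* card-controlled */
    memcpy(out, blk + T1_HEADER, len);   /* overflows when len > sizeof out */
    return len;
}

enum t1_status { T1_OK = 0, T1_TRUNCATED, T1_LEN_TOO_BIG, T1_BAD_EDC, T1_NO_ROOM };

/* Hardened shape: every length the card supplies is checked against the
 * bytes received and the caller's capacity, and the EDC (XOR LRC over
 * NAD..INF) must verify, before a single byte is copied. */
static enum t1_status parse_t1_block(const uint8_t *blk, size_t blk_len,
                                     uint8_t *out, size_t out_cap, size_t *out_len)
{
    *out_len = 0;
    if (blk_len < T1_HEADER + T1_EDC)
        return T1_TRUNCATED;               /* not even a full header */
    size_t len = blk[2];
    if (len > T1_MAX_INF)
        return T1_LEN_TOO_BIG;             /* protocol maximum exceeded */
    if (blk_len < T1_HEADER + len + T1_EDC)
        return T1_TRUNCATED;               /* LEN claims more than arrived */
    if (len > out_cap)
        return T1_NO_ROOM;                 /* would overflow caller's buffer */
    uint8_t lrc = 0;
    for (size_t i = 0; i < T1_HEADER + len; i++)
        lrc ^= blk[i];
    if (lrc != blk[T1_HEADER + len])
        return T1_BAD_EDC;                 /* corrupt or forged block */
    memcpy(out, blk + T1_HEADER, len);
    *out_len = len;
    return T1_OK;
}

/* Builds a well-formed block with a correct LRC (constructed test data). */
static size_t build_t1_block(uint8_t *buf, size_t buf_cap,
                             const uint8_t *inf, size_t len)
{
    if (len > T1_MAX_INF || buf_cap < T1_HEADER + len + T1_EDC)
        return 0;
    buf[0] = 0x00; buf[1] = 0x00; buf[2] = (uint8_t)len;
    memcpy(buf + T1_HEADER, inf, len);
    uint8_t lrc = 0;
    for (size_t i = 0; i < T1_HEADER + len; i++)
        lrc ^= buf[i];
    buf[T1_HEADER + len] = lrc;
    return T1_HEADER + len + T1_EDC;
}

/* A 200-byte reply arriving where the driver expected a 16-byte record:
 * the hardened parser refuses it instead of writing past the buffer. */
static int demo_oversize_reply_rejected(void)
{
    uint8_t inf[200];
    memset(inf, 0x41, sizeof inf);
    uint8_t blk[T1_HEADER + T1_MAX_INF + T1_EDC];
    uint8_t record[16];
    size_t got;
    size_t n = build_t1_block(blk, sizeof blk, inf, sizeof inf);
    return parse_t1_block(blk, n, record, sizeof record, &got) == T1_NO_ROOM;
}

int main(void)
{
    uint8_t inf[8] = {1, 2, 3, 4, 5, 6, 7, 8}, blk[64], record[16];
    size_t got, n = build_t1_block(blk, sizeof blk, inf, sizeof inf);
    printf("8-byte reply: status %d, %zu bytes accepted\n",
           parse_t1_block(blk, n, record, sizeof record, &got), got);
    printf("200-byte reply rejected: %s\n",
           demo_oversize_reply_rejected() ? "yes" : "no");
    return 0;
}
```

The point of the contrast is that the hardened parser never derives a write length from the card alone: the card's LEN byte is bounded by the protocol maximum, by what was actually received and by the destination buffer, and the checksum is verified before the copy, so an unexpected or oversized reply ends as a rejected block rather than as corrupted driver memory.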
Now I don't know what MWR InfoSecurity is going to tell us at the end of July in Las Vegas, but I'm expecting to hear something interesting. MWR claim that tens of thousands of PIN pad terminals are affected. Oh, and lest there be any doubt, the selling of credit and debit card details is big business in the criminal world.
Dr David Everett (Smartcard & Identity News)