June 2012

EMV Pin Pad Terminal (in) Security – Again?

EMV Pin Pad Terminal (in) Security – Again?

I can't remember how often we have discussed the security of POS terminals and have tried to convey that it is a non-trivial design and development task. And of course it is not just the hardware the software is arguably even more critical. I remember being part of a banking committee some 25 years ago where software integrity was the subject matter. We managed to define what it meant but never solved how you could consistently achieve it although we did make everybody around us appreciate that it was a significant problem with no silver bullets. I would argue it is a more difficult challenge today than it was then because of the way the modern terminals are configured and maintained.

Perhaps it's a teaser who knows but this month researchers at MWR InfoSecurity have claimed that cybercriminals using a rogue smart card which gets connected to a Point of Sale (POS) terminal can effectively gain access to another customer's PIN and Primary Account Number (PAN - the number printed/embossed on the front of your financial card). They also claim that they can get access to the merchant's IT network. The company plans to present its findings at the Black Hat security conference in Las Vegas July 21-26. It doesn't seem to have a slot assigned so I guess it would need to be at the hustings.

Ian Shaw the Managing Director of MWR has said that the security of Pin Pads is below that which a consumer might reasonably expect for financial transactions. He has further said that their investigations have shown that the range of vulnerabilities found in these devices could compromise consumer's card details and Pin number.

Mobile Payment China

Just to put it all in perspective many have quoted the figures from the UK payment Cards Association where 852 million card payments were processes in the UK in the month of April using a Pin Pad terminal.

We have often discussed the idea of getting malware into a POS terminal or even an extra bit of hardware and software. It seems so easy for a hacker to go around changing terminals in a POS environment replacing them with new terminals incorporating some extra fraudulent activity. It wasn't that long ago when T-Max was attacked by hackers who just went around intercepting the wireless connections from POS terminals. People have learnt to encipher these connections in more recent years.

We have also heard about the Cambridge University attacks on EMV terminals where the connection path between the terminal and the smart card was intercepted by some extra electronics hidden up the attacker's sleeve to interfere with the need for Pin authentications (generally called wedge attacks).

TCW eticketing

But here is something new, no extra electronics, no need to get inside the terminal or the merchants network to plant malware, you just need to submit a rogue smart card to the candidate POS terminal card reader.

I've seen it already on the discussion boards, it's impossible and anyway the terminals are tested under PCI (Payment Card Industry) tests to make sure they are secure. Oh dear if only it were that easy!

Perhaps we just need to remember SQL injection, Buffer Overflows and Pathname attacks. The aim of these attacks is to get unauthorised access to sensitive data or even better to get the target device to execute rogue code or commands. Examples are rampant and buffer overflows in particular have even been successfully used even against smart cards. But here we are interested in attacking the terminal with no holds barred.

So how can a rogue smart card cause problems? It is a slave device, you send it a commands and it sends you a reply. However depending on the various implementations there are ways of putting the smart card into command mode so that it sends commands to the terminal for it to execute. This is prevalent in the world of smart phones.

In any event data is being sent from the smart card to the terminal device. So where does it go? Well there is some software driver in the terminal that is managing the commands and replies between the terminal and the smart card. Here is the area of weakness, what happens if this software misbehaves if it is sent data that it is not expecting, too much (buffer overflow) or something in the data that causes the software to operate outside its envelope?

Now I don't know what MWR InfoSecurity is going to tell us at the end of July in Las Vegas but I'm expecting to hear something interesting. MWR claim that tens of thousands of Pin Pad terminals are affected. Oh and lest there be any doubt the selling of credit and debit card details is big business in the criminal world.

Dr David Everett, (Smartcard & Identity News)


21/03/2019 Headlines

France Fines Google $57 Million for European Privacy Rule Breach

Google lacked transparency and clarity in the way it informs users about its handling of personal data and failed to properly obtain their consent for personali.....Read More

New Payment Services Laws Passed in Singapore

New payment services laws have been passed by Singapore's parliament in a move that will streamline existing laws while bringing many new fintech providers into.....Read More

Twitter Warns that Private Tweets were Public for Years

Private tweets sent by users of Twitter's Android app could have been exposed publicly for years.

Twitter said it had discovered a security flaw which me.....Read More

Exchange Loses Big over Airdrop Miscue

Computer glitches are never fun, but when they result in the loss of money, they can be completely debilitating. Coinnest, a cryptocurrency exchange out of Sout.....Read More

Name and Shame Firms with Poor Cyber Security, Government Told

The government should name and shame companies whose cyber security measures fail to protect consumers' data and firms should implement Active Cyber Defence, an.....Read More

Sirin Labs Opens First Blockchain Smartphone Store in London

Sirin Labs has opened the first blockchain smartphone store located in London. The intention is to attract crypto enthusiasts passionate for blockchain and dece.....Read More

Video Interviews

Tim Jones talks on the wealth of networks

Christophe Dolique of Gemplus talks about ·SIM

Dominique Brule of Philips Semiconductors talks about Near Field Communication