Last week at the Black Hat USA 2012 security conference, two security researchers from U.K. penetration testing firm MWR InfoSecurity demonstrated vulnerabilities in point-of-sale (PoS) terminals. According to the researchers, these vulnerabilities could allow attackers to steal credit card data and PINs, as well as other personal information.
The two security experts were MWR's head of research, a German security researcher who only identifies himself as "Nils," and Rafael Dominguez Vega, a Spanish security researcher and MWR security consultant.
PCWorld.com reports that Nils and Vega focused their research on three particular models of PoS terminals. Two of them are popular in the U.K. and are also used in the U.S., while the third model is widely deployed in the U.S.
Nils and Vega showed that the third popular PoS terminal, which has more sophisticated features (such as a touchscreen, smart card reader, SIM card, support for contactless payments, USB port, Ethernet port and an administration interface), can be accessed both locally and remotely. Additionally, because the communication between these terminals and a remote administration server is not encrypted, attackers can interfere with it, Nils said.
According to the report, the MWR researchers did not provide any further details of the models, and also declined to identify the companies that manufacture them. In fact, during the live demonstration, stickers were used to cover the logos and text printed on the devices, wrote IDG News reporter Lucian Constantin. The reporter believes that the security experts are giving these vendors sufficient time to address the issues.
Nils told conference attendees that these vulnerabilities can give attackers control over various components of these devices, such as the display, receipt printer, card reader or PIN pad, wrote Constantin. Plus, added Nils, “they can be exploited by using specially crafted EMV (Chip-and-PIN) cards.”
According to the researchers, these EMV cards have malicious code written on their chips, which is executed when the cards are inserted into the terminals' smart card readers.
During the demonstration, the researchers used such a card to install a racing game on one of the three test devices, and played it using the device's PIN pad and display, according to Constantin’s report. Likewise, added Constantin, the researchers used the same method to install a Trojan program on the second machine to record card numbers and PINs. “The recorded information was then extracted by inserting a different rogue card into the payment terminal,” wrote Constantin.
In practice, the report indicates that criminals can also leverage these vulnerabilities to trick store clerks into thinking that a transaction was authorized by the bank when in fact it wasn't, allowing them to buy things without actually paying.
Furthermore, Nils told the conference attendees that a malicious program could be installed on the device to block payment attempts made with the card and print a valid receipt to mislead the merchant.
Edited by Allison Boccamazzo