Stealing payment card data and PINs from POS systems is dead easy

A lack of authentication and encryption allows attackers to easily steal payment card data and PINs from point-of-sale systems.

Many of the large payment card breaches that hit retail and hospitality businesses in recent years were the result of attackers infecting point-of-sale systems with memory-scraping malware. But there are easier ways to steal this sort of data, due to a lack of authentication and encryption between card readers and the POS payment applications.

POS systems are specialized computers. They typically run Windows and have peripherals like keyboards, touch screens, barcode scanners and card readers with PIN pads. They also have specialized payment applications installed to handle transactions.

One of the common methods used by attackers to steal payment card data from POS systems is to infect them with malware, via stolen remote support credentials or other techniques. These malware programs are known as memory or RAM scrapers because they scan the system's memory for credit card data when it's processed by the payment application on the POS system.

But on Tuesday at the BSides conference in Las Vegas, security researchers Nir Valtman and Patrick Watson, from U.S.-based POS and ATM manufacturer NCR, demonstrated a stealthier and more effective attack technique that works against most "payment points of interaction," including card readers with PIN pads and even gas pump payment terminals.

The main issue shared by all of these devices is that they don't use authentication and encryption when sending data back to the POS payment software. This exposes them to man-in-the-middle attacks, either through external devices that tap the network or serial connection or through "shim software" running on the POS system itself.

For their demo, the researchers used a Raspberry Pi device with traffic capture software that taps the data cable between a PIN pad and a laptop running a payment app simulator. The PIN pad had a custom top cover to hide its make and model; the researchers didn't want to single out a particular vendor since many of them are affected.

While the demo used an external device that could be installed by an insider or a person posing as a technician, attackers can also simply modify a DLL (dynamic-link library) file of the payment app to do the data interception inside the OS itself, if they get remote access to it. A modified DLL that's loaded by the legitimate payment software would be much harder to detect than memory-scraping malware.

Researchers Patrick Watson and Nir Valtman cause a payment terminal to display a fake re-enter PIN prompt.

The NCR researchers showed that not only can attackers use this attack technique to steal the data encoded on a card's magnetic stripe, which can be used to clone it, but they can also trick cardholders into exposing their PINs and even the security codes printed on the back of their cards.

Normally PIN pads do encrypt PINs when transmitting them to the POS software. This is an industry requirement and manufacturers comply with it.

However, man-in-the-middle attackers can also inject rogue prompts on the PIN pad screen by uploading so-called custom forms. These screen prompts can say whatever the attackers want, for example "Re-enter PIN" or "Enter card security code."

Security professionals might know that they're never supposed to re-enter their PINs or that card security codes, also known as CVV2s, are only needed for online, card-not-present transactions, but regular consumers typically don't know these things, the researchers said.

In fact, they demonstrated this attack method to professionals from the payments industry in the past and 90 percent of them were not suspicious of the PIN re-entry screen, they said.

Some PIN pads have whitelists that restrict which words can appear on custom screens, but many of these whitelists allow the words "please re-enter," and even if they don't, there's a way to bypass the filter, because PIN pad custom forms allow images. Attackers could instead simply inject an image containing those words, using the same text colour and font that normally appears on the screen.

It's also worth noting that this attack works against card readers and PIN pads that conform to the EMV standard, meaning they support chip-enabled cards. The EMV technology does not prevent attackers from using stolen track data from a chip-enabled card to create a clone and use it in a country that doesn't support EMV yet or on terminals that are not EMV-enabled and only allow card swiping.

Also, EMV has no bearing on e-commerce transactions, so if the attackers gain the card's track data and the card's CVV2 code, they have all the information needed to perform fraudulent transactions online.

For manufacturers, the researchers recommend implementing point-to-point encryption (P2PE), which encrypts the entire connection from the PIN pad all the way back to the payment processor. If P2PE cannot be implemented on existing hardware, vendors should at least consider securing the communication between their PIN pads and the POS software with TLS (Transport Layer Security) and digitally signing all requests sent back to the PIN pad by the payment application.
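The second recommendation, authenticating every request the payment application sends to the PIN pad, is the one that directly defeats the rogue "Re-enter PIN" form. The following is an added example written for this article, not code from NCR or from any PIN pad vendor. It assumes a per-device secret key shared between the payment application and the pad (constructed here), tags each request with HMAC-SHA256 over a canonical encoding of its body, and adds a sequence number so a captured, correctly-tagged request cannot simply be replayed. An HMAC stands in for the digital signature the researchers recommend because it is available in the Python standard library; the verification step on the pad side has the same shape with a public-key signature. The `PaymentApplication` and `PinPad` classes and their request format are hypothetical.

```python
"""Authenticating payment-application -> PIN pad requests (added example)."""
import hashlib
import hmac
import json

# Constructed per-device key for this example only; a real deployment would
# provision a unique key into each pad under dual control.
DEVICE_KEY = bytes.fromhex(
    "5e9a0c3b0f0e1d2c3b4a59687766554433221100ffeeddccbbaa998877665544"
)


def canonical(body: dict) -> bytes:
    """Deterministic encoding so both sides authenticate exactly the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


class PaymentApplication:
    """The POS-side application that drives the PIN pad (hypothetical)."""

    def __init__(self, key: bytes):
        self._key = key
        self._seq = 0

    def build_request(self, kind: str, **fields) -> dict:
        # Every request carries a strictly increasing sequence number, so the
        # tag also binds the request's position in the session.
        self._seq += 1
        body = {"seq": self._seq, "kind": kind, **fields}
        tag = hmac.new(self._key, canonical(body), hashlib.sha256).hexdigest()
        return {"body": body, "mac": tag}


class PinPad:
    """The PIN pad side: verifies every request before acting on it (hypothetical)."""

    ALLOWED_KINDS = {"display_form", "request_pin", "clear"}

    def __init__(self, key: bytes):
        self._key = key
        self._last_seq = 0
        self.screen = ""

    def receive(self, wire: dict) -> str:
        body, tag = wire.get("body"), wire.get("mac", "")
        if not isinstance(body, dict) or not isinstance(tag, str):
            return "rejected: malformed request"
        # Verify the tag before trusting any field of the body. Constant-time
        # comparison avoids leaking how many bytes of the tag were right.
        expected = hmac.new(self._key, canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return "rejected: bad authentication tag"
        seq = body.get("seq", 0)
        if not isinstance(seq, int) or seq <= self._last_seq:
            return "rejected: replayed or out-of-order request"
        self._last_seq = seq
        kind = body.get("kind")
        if kind not in self.ALLOWED_KINDS:
            return f"rejected: unknown request kind {kind!r}"
        if kind == "display_form":
            self.screen = body.get("text", "")
        elif kind == "request_pin":
            self.screen = "Enter PIN"
        else:
            self.screen = ""
        return "accepted"


def run_demo() -> list:
    """Drive a pad through a legitimate request and three man-in-the-middle cases."""
    app = PaymentApplication(DEVICE_KEY)
    pad = PinPad(DEVICE_KEY)
    results = []

    # 1. Legitimate request from the payment application.
    legit = app.build_request("display_form", text="Insert or swipe card")
    results.append(pad.receive(legit))

    # 2. A line tap rewrites the prompt on the wire; the tag no longer matches.
    tampered = {"body": dict(legit["body"], text="Please re-enter PIN"),
                "mac": legit["mac"]}
    results.append(pad.receive(tampered))

    # 3. Replaying the earlier, correctly-tagged request fails the sequence check.
    results.append(pad.receive(legit))

    # 4. A forged custom form (image payload, no key) cannot carry a valid tag.
    forged = {"body": {"seq": 99, "kind": "display_form", "image": "form.png"},
              "mac": "00" * 32}
    results.append(pad.receive(forged))
    return results


if __name__ == "__main__":
    for outcome in run_demo():
        print(outcome)
```

Note what the sequence number buys: without it, an attacker who recorded a genuine signed "Enter PIN" request could replay it at a moment of their choosing, so signing alone is not enough; the pad must also bind each request to its place in the session. Because the tag covers the whole canonical body, a whitelist of permitted words on the pad becomes secondary: an image-based form is rejected for the same reason a text one is, since the attacker cannot produce a tag for it.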

Meanwhile, consumers should never, ever, re-enter their PINs on a PIN pad if prompted to do so. They should also read the messages displayed on the screen and be suspicious of those that ask for additional information. Mobile payments with digital wallet services like Apple Pay should be used where possible, because at this point they're safer than using traditional payment terminals.


Lucian Constantin

IDG News Service