Stealing payment card data and PINs from POS systems is dead easy

A lack of authentication and encryption allows attackers to easily steal payment card data and PINs from point-of-sale systems.

Many of the large payment card breaches that hit retail and hospitality businesses in recent years were the result of attackers infecting point-of-sale systems with memory-scraping malware. But there are easier ways to steal this sort of data, due to a lack of authentication and encryption between card readers and the POS payment applications.

POS systems are specialized computers. They typically run Windows and have peripherals like keyboards, touch screens, barcode scanners and card readers with PIN pads. They also have specialized payment applications installed to handle transactions.

One of the common methods used by attackers to steal payment card data from POS systems is to infect them with malware, via stolen remote support credentials or other techniques. These malware programs are known as memory or RAM scrapers because they scan the system's memory for credit card data when it's processed by the payment application on the POS system.

But on Tuesday at the BSides conference in Las Vegas, security researchers Nir Valtman and Patrick Watson, from U.S.-based POS and ATM manufacturer NCR, demonstrated a stealthier and more effective attack technique that works against most "payment points of interaction," including card readers with PIN pads and even gas pump payment terminals.

The main issue shared by all of these devices is that they don't use authentication and encryption when sending data back to the POS payment software. This exposes them to man-in-the-middle attacks, either through external devices that tap the network or serial connection or through "shim software" running on the POS system itself.

For their demo, the researchers used a Raspberry Pi device with traffic capture software that taps the data cable between a PIN pad and a laptop running a payment app simulator. The PIN pad had a custom top cover to hide its make and model; the researchers didn't want to single out a particular vendor, since many of them are affected.

While the demo used an external device that could be installed by an insider or a person posing as a technician, attackers can also simply modify a DLL (dynamic-link library) file of the payment app to do the data interception inside the OS itself, if they get remote access to it. A modified DLL that's loaded by the legitimate payment software would be much harder to detect than memory-scraping malware.

Researchers Patrick Watson and Nir Valtman cause a payment terminal to display a fake re-enter PIN prompt. (Image: Lucian Constantin)

The NCR researchers showed that attackers can use this attack technique not only to steal the data encoded on a card's magnetic stripe, which can be used to clone it, but also to trick cardholders into exposing their PINs and even the security codes printed on the back of their cards.

Normally, PIN pads do encrypt PINs when transmitting them to the POS software. This is an industry requirement, and manufacturers comply with it.

However, man-in-the-middle attackers can also inject rogue prompts on the PIN pad screen by uploading so-called custom forms. These screen prompts can say whatever the attackers want, for example "Re-enter PIN" or "Enter card security code."

Security professionals might know that they're never supposed to re-enter their PINs or that card security codes, also known as CVV2s, are only needed for online, card-not-present transactions, but regular consumers typically don't know these things, the researchers said.

In fact, they demonstrated this attack method to professionals from the payments industry in the past and 90 percent of them were not suspicious of the PIN re-entry screen, they said.

Some PIN pads have whitelists that restrict which words can appear on custom screens, but many of these whitelists allow the words "please re-enter". Even if they don't, the filter can be bypassed because PIN pad custom forms allow images: attackers could instead inject an image containing those words, using the same text colour and font that normally appear on the screen.

It's also worth noting that this attack works against card readers and PIN pads that conform to the EMV standard, meaning they support chip-enabled cards. The EMV technology does not prevent attackers from using stolen track data from a chip-enabled card to create a clone and use it in a country that doesn't support EMV yet or on terminals that are not EMV-enabled and only allow card swiping.

Also, EMV has no bearing on e-commerce transactions, so if the attackers gain the card's track data and the card's CVV2 code, they have all the information needed to perform fraudulent transactions online.

For manufacturers, the researchers recommend implementing point-to-point encryption (P2PE), which encrypts the entire connection from the PIN pad all the way back to the payment processor. If P2PE cannot be implemented on existing hardware, vendors should at least consider securing the communication between their PIN pads and the POS software with TLS (Transport Layer Security) and digitally signing all requests sent back to the PIN pad by the payment application.
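The following Go program is an added illustration of the signing recommendation above, and of why it closes the rogue-prompt problem described earlier: it is not code from the researchers or from any vendor. It models a hypothetical "custom form" message from the payment application to the PIN pad, has the application sign each form with an Ed25519 key, and has the PIN pad pin the matching public key and refuse any form whose signature does not verify or whose sequence number does not increase. The message layout, the `DisplayForm` / `PinPad` names and the fixed key seed are all assumptions made for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"encoding/binary"
	"errors"
	"fmt"
)

// DisplayForm is a hypothetical "custom form" request: the payment
// application asks the PIN pad to show a prompt (text or image) to the
// cardholder. Field names and layout are assumptions for this example.
type DisplayForm struct {
	Seq     uint32 // strictly increasing counter; lets the pad reject replays
	Kind    string // "text" or "image" (images are how word whitelists get bypassed)
	Payload []byte // prompt text or raw image bytes
}

// encode renders the form as canonical, length-prefixed bytes so signer and
// verifier hash exactly the same thing; no field boundary is ambiguous.
func (f DisplayForm) encode() []byte {
	var buf bytes.Buffer
	binary.Write(&buf, binary.BigEndian, f.Seq)
	binary.Write(&buf, binary.BigEndian, uint32(len(f.Kind)))
	buf.WriteString(f.Kind)
	binary.Write(&buf, binary.BigEndian, uint32(len(f.Payload)))
	buf.Write(f.Payload)
	return buf.Bytes()
}

// SignedForm is what travels over the untrusted serial or network link.
type SignedForm struct {
	Form DisplayForm
	Sig  []byte
}

// PaymentApp holds the private signing key. In a real deployment it belongs
// in an HSM or OS-protected key store, not inside a DLL that can be swapped.
type PaymentApp struct{ priv ed25519.PrivateKey }

// SendForm builds a form and signs its canonical encoding.
func (a PaymentApp) SendForm(seq uint32, kind string, payload []byte) SignedForm {
	f := DisplayForm{Seq: seq, Kind: kind, Payload: payload}
	return SignedForm{Form: f, Sig: ed25519.Sign(a.priv, f.encode())}
}

// PinPad pins the payment application's public key at provisioning time and
// refuses any form not signed by it, regardless of what the form says or shows.
type PinPad struct {
	pub     ed25519.PublicKey
	lastSeq uint32
}

var (
	ErrBadSignature = errors.New("pinpad: form rejected, signature invalid")
	ErrReplay       = errors.New("pinpad: form rejected, sequence not increasing")
)

// Accept verifies the signature first, then the anti-replay counter.
func (p *PinPad) Accept(sf SignedForm) error {
	if len(sf.Sig) != ed25519.SignatureSize || !ed25519.Verify(p.pub, sf.Form.encode(), sf.Sig) {
		return ErrBadSignature
	}
	if sf.Form.Seq <= p.lastSeq {
		return ErrReplay
	}
	p.lastSeq = sf.Form.Seq
	return nil
}

// NewPair provisions an app/pad pair. The seed is a constructed constant so
// the example is reproducible; real keys are generated per device.
func NewPair() (PaymentApp, *PinPad) {
	seed := bytes.Repeat([]byte{0x42}, ed25519.SeedSize)
	priv := ed25519.NewKeyFromSeed(seed)
	return PaymentApp{priv: priv}, &PinPad{pub: priv.Public().(ed25519.PublicKey)}
}

// Scenario runs the rogue-prompt attack against a signing PIN pad and reports
// the outcome of each message. Only the legitimate prompt is accepted.
func Scenario() map[string]error {
	app, pad := NewPair()
	results := map[string]error{}

	// 1. Legitimate prompt signed by the payment application.
	results["legit"] = pad.Accept(app.SendForm(1, "text", []byte("Enter PIN")))

	// 2. A man-in-the-middle injects its own form. Without the private key it
	//    can only attach a signature-shaped blob; text versus image is irrelevant.
	forged := SignedForm{
		Form: DisplayForm{Seq: 2, Kind: "image", Payload: []byte("<constructed image: Please re-enter PIN>")},
		Sig:  make([]byte, ed25519.SignatureSize),
	}
	results["injected"] = pad.Accept(forged)

	// 3. The payload of a genuinely signed form is rewritten in transit.
	tampered := app.SendForm(2, "text", []byte("Approved"))
	tampered.Form.Payload = []byte("Re-enter PIN")
	results["tampered"] = pad.Accept(tampered)

	// 4. An old, validly signed form (seq 1) is replayed to repeat a prompt.
	results["replay"] = pad.Accept(app.SendForm(1, "text", []byte("Enter PIN")))

	return results
}

func main() {
	for name, err := range Scenario() {
		fmt.Printf("%-9s -> %v\n", name, err)
	}
}
```

The point of checking the signature before looking at the content is that the pad no longer needs a word whitelist to decide whether a prompt is trustworthy: an injected form fails for the same reason whether it carries text or an image. Signing alone does not hide the data flowing the other way (card track data still needs TLS or P2PE), which is why the researchers list it as the minimum rather than the whole fix.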

Meanwhile, consumers should never, ever re-enter their PINs on a PIN pad if prompted to do so. They should also read the messages displayed on the screen and be suspicious of any that ask for additional information. Mobile payments with digital wallet services like Apple Pay should be used where possible, because at this point they're safer than using traditional payment terminals.


Lucian Constantin

IDG News Service