Stealing payment card data and PINs from POS systems is dead easy

Many of the large payment card breaches that hit retail and hospitality businesses in recent years were the result of attackers infecting point-of-sale systems with memory-scraping malware. But there are easier ways to steal this sort of data, due to a lack of authentication and encryption between card readers and the POS payment applications.

POS systems are specialized computers. They typically run Windows and have peripherals like keyboards, touch screens, barcode scanners and card readers with PIN pads. They also have specialized payment applications installed to handle transactions.

One of the common methods used by attackers to steal payment card data from PoS systems is to infect them with malware, via stolen remote support credentials or other techniques. These malware programs are known as memory or RAM scrapers because they scan the system’s memory for credit card data when it’s processed by the payment application on the POS system.

But on Tuesday at the BSides conference in Las Vegas, security researchers Nir Valtman and Patrick Watson, from U.S.-based POS and ATM manufacturer NCR, demonstrated a stealthier and more effective attack technique that works against most “payment points of interaction,” including card readers with PIN pads and even gas pump payment terminals.

The main issue shared by all of these devices is that they don’t use authentication and encryption when sending data back to the POS payment software. This exposes them to man-in-the-middle attacks through external devices that tap the network or serial connection or through “shim software” running the POS system itself.

For their demo, the researchers used a Raspberry Pi device with traffic capture software that taps the data cable between a PIN pad, and a laptop with a payment app simulator. The PIN pad had a custom top cover to hide its make and model; the researchers didn’t want to single out a particular vendor since many of them are affected.

While the demo used an external device that could be installed by an insider or a person posing as a technician, attackers can also simply modify a DLL (dynamic-link library) file of the payment app to do the data interception inside the OS itself, if they get remote access to it. A modified DLL that’s loaded by the legitimate payment software would be much harder to detect than memory-scraping malware.

The NCR researchers showed that not only can attackers use this attack technique to steal the data encoded on a card’s magnetic stripe, which can be used to clone it, but they can also trick cardholders to expose their PIN numbers and even the security codes printed on the back of the cards.

Normally PIN pads do encrypt the PIN numbers when transmitting them to the PoS software. This is an industry requirement and manufacturers comply with it.

However, man-in-the-middle attackers can also inject rogue prompts on the PIN pad screen by uploading so-called custom forms. These screen prompts can say whatever the attackers want, for example “Re-enter PIN” or “Enter card security code.”

Security professionals might know that they’re never supposed to re-enter their PINs or that card security codes, also known as CVV2s, are only needed for online, card-not-present transactions, but regular consumers typically don’t know these things, the researchers said.

In fact, they demonstrated this attack method to professionals from the payments industry in the past and 90 percent of them were not suspicious of the PIN re-entry screen, they said.

Some PIN pads have whitelists that restrict which words can appear on custom screens, but many of these whitelists allow the words “please re-enter” and even if they don’t, there’s a way to bypass the filter as PIN pad custom forms allow images. Attackers could instead simply inject an image with those words, using the same text colour and font that normally appears on the screen.

It’s also worth noting that this attack works against card readers and PIN pads that conform to the EMV standard, meaning they support chip-enabled cards. The EMV technology does not prevent attackers from using stolen track data from a chip-enabled card to create a clone and use it in a country that doesn’t support EMV yet or on terminals that are not EMV-enabled and only allow card swiping.

Also, EMV has no bearing on e-commerce transactions, so if the attackers gain the card’s track data and the card’s CVV2 code, they have all the information needed to perform fraudulent transactions online.

For manufacturers, the researchers recommend implementing point-to-point encryption (P2PE), which encrypts the entire connection from the PIN pad all the way back to the payment processor. If P2PE cannot be implemented on existing hardware, vendors should at least consider securing the communication between their PIN pads and the POS software with TLS (Transport Layer Security) and to digitally sign all requests sent back to the PIN pad by the payment application.

Meanwhile, consumers should never, ever, re-enter their PINs on a PIN pad if prompted to do so. They should also read the messages displayed on the screen and be suspicious of those that ask for additional information. Mobile payments with digital wallet services like Apple Pay should be used where possible, because at this point they’re safer than using traditional payment terminals.