Chip and pin devices under attack

August 2012 Security Services & Risk Management

Retail chip and pin devices can be easily attacked, exposing banks, retailers, and customers to serious fraud around the world, a British Security company has revealed at the Black Hat Security Conference in Las Vegas last month.

Researchers from British IT security company, MWR InfoSecurity, have demonstrated at the conference that it is possible to attack chip and pin devices using a specially prepared chip based credit card.

Ian Shaw, managing director of the company said: “What our researchers have found reveals huge potential for fraud around the world and demonstrates that the software being used in these machines is not up to the job.

“In fact we have found the same sort of vulnerabilities in the major chip and pin machines used throughout Britain and around the world, that were found in computers 10 to 15 years ago. There is no excuse for this and lessons should have been learnt then. This lack of security is putting millions of businesses around the globe at potential risk.”

In scenario 1: researchers demonstrated how a specially prepared chip credit card is used by an attacker to pay for an item. The pin pad device produces a receipt and appears to authorise the payment without the payment ever actually being processed.

In scenario 2: researchers showed how a specially prepared card containing malware is inserted into the pin pad device installing code that will harvest all card numbers and PINs from subsequent users of the terminal. The attacker can then return at a later date and insert another malicious card that will collect the harvested numbers and PINs, cleaning up the malware and leaving the pin pad in its original state.

The first scenario exposes merchants to fraud and potential loss as they may find it very difficult to demonstrate the attack ever took place. It will effectively be their word against the payment process and will be very difficult to prove without CCTV or other means to verify the event took place at a certain time. The second scenario is even more worrying as it could be used to clone the magnetic stripe on the card and be used to withdraw cash in countries where chips on debit and credit cards have not yet been rolled out.

The scenarios above are just some examples of the issues discovered. MWR InfoSecurity also found examples of network and interface attacks – very similar to those reported by German researchers SR labs on other devices recently.

MWR’s research team discovered the issues as part of its ongoing research programme into secure payment technologies. Shaw added: “While criminal attacks are unlikely to be happening on a widespread basis currently, the vulnerabilities exist and previous patterns suggest that attacks like this are only a matter of time. We test a lot of technology used in sensitive banking and retail payment environments and were surprised at how vulnerable many pin pads are to these kinds of attacks.

“We have shown that this can be done and there is no doubt in our minds that criminals are constantly testing these systems. It is surprising that the manufacturers of these machines have done little to safeguard retailers and chip and pin card users,” says Shaw.

MWR has notified the vendors involved and have assisted with the relevant information needed to address the identified issues. They are obviously unable to provide any specific details on the issues found as the devices concerned are currently being used at thousands of retail outlets in the UK and around the world

The vendor has confirmed that they have created a software patch for the issues that were reported to them.

For more information contact MWR Info Security South Africa, +27 (0)10 100 3159, Harry.Grobbelaar@mwrinfosecurity.com, www.mwrinfosecurity.com





Share this article:
Share via emailShare via LinkedInPrint this page



Further reading:

More than just a criminal record check
iFacts Security Services & Risk Management
When it comes to human-related risks, organisations and their most senior leaders focus on a narrow set of workforce risks, the potential risks that human workers pose to the business.

Read more...
Tech developments lead hologram growth in 2024
News & Events Security Services & Risk Management
Micro-lenses, micro-mirrors and plasmonics are among the rapidly-emerging optical devices that have evolved on the back of holographic and diffractive technologies, and are seen as part of the natural evolution of optical science by R&D teams.

Read more...
Are you leaving money on the table?
Editor's Choice Security Services & Risk Management
How many customers have you helped since starting your business? Where does most of your new business come from? If the answer is not from your database’s existing customers, you might have a problem.

Read more...
The business value of ChatGPT
Security Services & Risk Management Risk Management & Resilience
Transparency, policy and integrity. It is critical for organisations to have a line of sight into processes and procedures that clearly define employee use cases when it comes to ChatGPT, says Lizaan Lewis, Head of the Legal Department at Altron Systems Integration.

Read more...
BMS for smaller businesses
Security Services & Risk Management Products & Solutions Risk Management & Resilience
Small businesses can also benefit from tailored energy management solutions just like large corporations. Effective energy management is essential for more sustainable and efficient operations.

Read more...
Kidnapping for ransom
News & Events Security Services & Risk Management Risk Management & Resilience
There has been an 8,6% increase in reported kidnapping cases in South Africa compared to last year, with 3 854 cases reported between April and June this year, leaving ordinary South Africans increasingly vulnerable.

Read more...
The difference between a SOP and a SOP
Residential Estate (Industry) Integrated Solutions Security Services & Risk Management Risk Management & Resilience
SOPs are a touchy issue that need careful attention and automation to ensure they deliver the desired security results. Beyond design and automation, implementation is the ultimate road to success.

Read more...
Scoping out potential estates
Alwinco Security Services & Risk Management
When an intruder surveys a residential estate of 200 houses, they see at least 200 cars, 400 cell phones, 400 computers, 200 flat screen TVs, 600 bank cards, and various other items of value.

Read more...
Your face is the key
Suprema Editor's Choice Access Control & Identity Management Security Services & Risk Management Risk Management & Resilience
FaceStation 2, Suprema’s newest facial authentication terminal, is an access control, time and attendance terminal, featuring a better user experience with Android 5.0 Lollipop and Suprema’s latest algorithm, hardware, and software.

Read more...
Security without the skin
Alwinco Editor's Choice Security Services & Risk Management Residential Estate (Industry) Risk Management & Resilience
We all know about the layers of security required to form a comprehensive solution, but the layers go deeper than most consider. Andre Mundell dissects security in this article to start the journey into what is under the covers.

Read more...