Last week at the security conference Black Hat USA 2012, vulnerabilities in the point-of-sale (PoS) terminals were demonstrated by two security researchers from penetration testing firm MWR InfoSecurity in the U.K. According to the security experts, these vulnerabilities could allow attackers to steal credit card data and PIN numbers, as well as other personal information.
The two security experts were MWR's head of research, a German security researcher who only identifies himself as "Nils," and Rafael Dominguez Vega, a Spanish security researcher and MWR security consultant.
PCWorld.com reports that Nils and Vega focused their research on three particular models of the PoS terminals. While two of them are popular in the U.K. and are also used in the U.S., the third model is widely deployed in the U.S.
Nils and Vega showed that the third popular PoS terminal with more sophisticated features – such as touchscreen, smart card reader, SIM card, support for contactless payments, USB port, Ethernet port and an administration interface – can be accessed both locally and remotely. Additionally, because the communication between these terminals and a remote administration server is not encrypted, the attackers can interfere with it, Nils said.
As per the report, the MWR researchers did not provide any further details of the models, and also declined to identify companies that manufacture them. In fact, during live demonstration, stickers were used to cover logos and printed text printed on the model, wrote IDG News reporter Lucian Constantin. The reporter believes that the security experts are giving these vendors sufficient time to address the issues.
Nils told conference attendees that these vulnerabilities can give attackers control over various components of these devices, such as the display, receipt printer, card reader or PIN inputting pad, wrote Constantin. Plus, added Nils, “they can be exploited by using specially crafted EMV (Chip-and-PIN) cards.”
These experts believe that these EMV cards have malicious codes written on their chips which get executed when they get inserted into the terminals' smart card readers.
During this demonstration, the researchers used this card to install a racing game on one of the three test devices, and played with it using its PIN pad and display, according to Constantin’s report. Likewise, added Constantin, the researchers used the same method to install a Trojan program on the second machine to record card numbers and PINs. “The recorded information was then extracted by inserting a different rogue card into the payment terminal,” wrote Constantin.
In practice, the report indicates that criminals can also leverage these vulnerabilities to trick store clerks into thinking that a transaction was authorized by the bank when in fact it wasn't, allowing them to buy things without actually paying.
Furthermore, Nils told the conference attendees that a malicious program could be installed on the device to block payment attempts made with the card and print a valid receipt to mislead the merchant.
Want to learn more about the latest in communications and technology? Then be sure to attend ITEXPO West 2012, taking place Oct. 2-5, in Austin, TX. ITEXPO (News - Alert) offers an educational program to help corporate decision makers select the right IP-based voice, video, fax and unified communications solutions to improve their operations. It's also where service providers learn how to profitably roll out the services their subscribers are clamoring for – and where resellers can learn about new growth opportunities. For more information on registering for ITEXPO click here.
Stay in touch with everything happening at ITEXPO. Follow us on Twitter.
Edited by Allison Boccamazzo
- SIM Management for Mobile Termination
To offer better rates on local mobile networks, Internet Telephony Service Providers (ITSPs) have to optimize Call Termination costs and maximize SIM cards usage.
- SIM Management for M2M Platform Validation
The M2M solutions deployment is very complex and difficult to test and validate in the lab. Gateways and probes on-site deployment are subject to numerous constraints such as GSM 3G coverage, unexpected multi-operator roaming, international roaming, tariff and service restrictions.
- SIM Management for Mobile Testing
In order for a Mobile Network Operator to be successful, reduce churn and increase customer loyalty, the need to shift from testing network to perform a complete “end to end” QoS Testing has become obvious.
IRON SIM SERVER ONE
SIM CONTROL, SIM PROTECTION AND SIM STORAGE
- Ready to Go SIM Server (no additional server required)
- IRON Technology: Bonus/Promotion, Credit Synchronization
- Integrated Capacity of 416 SIMs cards
- Protect your investment: Secure & Scalable Product
- Mobile Termination
IRON Suite, iQsim's SIM Server technology, is born from 10 years of experience in Virtual SIM Management in the service of offering the most appropriate solution to terminate voice calls and SMS worldwide...
How to validate M2M Platforms?Before deploying a large number of probes and sensors, it is key to anticipate and pre-validate the M2M Platform and the type of communication data exchanged between the M2M end-point and central management systems...
- Mobile Network Quality of Service (QoS)
How to test Mobile Network QoS available for roaming users?Testing network to perform a complete QoS has become obvious to ensure the quality of services delivered to end-users is conformed to their expectations...
Providing you a Ready to Go solution or a carrier class redundant and scalable product.
- Always use the right SIM at the right time
- Up to 416 SIM cards per SIM Rack
- Highly scalable architecture: Up to 50,000 SIM Cards
- Specifically designed for multi-operator and cross country deployment
- Maximize SIM price plan usage
- Call routing with the most appropriate SIM
- Real-time GSM port supervision
- Centralized CDRs
- GSM gateway configuration time reduced by 70%
- Call processing time reduction (PDD)