Retail chip-and-PIN devices can easily be attacked, exposing banks, retailers and consumers to serious fraud, a British security company has claimed at the Black Hat Security Conference taking place in Las Vegas in the US this week.
Researchers from MWR InfoSecurity demonstrated at the conference that it is possible to attack chip-and-PIN devices using a specially prepared chip-based credit card.
“What our researchers have found reveals huge potential for fraud around the world and demonstrates that the software being used in these machines is not up to the job,” says MWR InfoSecurity MD Ian Shaw.
“In fact, we have found the same sort of vulnerabilities in the major chip-and-PIN machines used around the world that were found in computers 10 to 15 years ago. There is no excuse for this and lessons should have been learnt then. This lack of security is putting millions of businesses around the globe at potential risk.”
In a first scenario, researchers demonstrated how a specially prepared chip credit card is used by an attacker to pay for an item. The PIN pad device produces a receipt and appears to authorise the payment without the payment ever actually be being processed.
In a second scenario, they showed how a specially prepared card containing malware is inserted into the PIN pad device, installing code that will harvest all card numbers and PINs from subsequent users of the terminal. The attacker can then return at a later date and insert another malicious card that will collect the harvested Numbers and PINs, cleaning up the malware and leaving the PIN pad in its original state.
The company says the first scenario exposes merchants to fraud and potential loss as they may find it very difficult to demonstrate the attack ever took place. It will effectively be their word against the payment process and will be very difficult to prove without CCTV or other means to verify the event took place at a certain time.
The second scenario, it says, is “even more worrying” as it could be used to clone the magnetic stripe on the card and be used to withdraw cash in countries where chips on debit and credit cards have not yet been rolled out.
The two example scenarios are just some examples of the issues discovered, the company says. It also found examples of network and interface attacks — very similar to those reported by German researchers SR labs on other devices recently.
MWR’s research team discovered the issues as part of its ongoing research programme into secure payment technologies.
“While criminal attacks are unlikely to be happening on a widespread basis currently, the vulnerabilities exist and previous patterns suggest that attacks like this are only a matter of time,” Shaw says. “We test a lot of technology used in sensitive banking and retail payment environments and were surprised at how vulnerable many PIN pads are to these kinds of attacks.
“We have shown that this can be done and there is no doubt in our minds that criminals are constantly testing these systems. It is surprising that the manufacturers of these machines have done little to safeguard retailers and chip-and-PIN card users.”
MWR declines to say which devices are affected to stop criminals from taking advantages of the flaws. The relevant manufacturers have, however, been notified.
It says the industry needs to examine the security of the devices and the software used as a matter of “high urgency”. — (c) 2012 NewsCentral Media
