Payment terminals allow for remote PIN capture and card cloning
All card flavors and technologies have in common that they regularly interact with point-of-sale payment terminals, today’s Achilles Heel of cash-less payment.
Hacking Payment Terminals
An analysis of the most widely deployed payment terminal in Germany found serious weaknesses.
A. Remote exploitation. The device’s network stack contains buffer overflows that can be used to execute code at system level.
B. Local compromise. There are at least two interfaces over which the device can be exploited locally:
- Serial. Some versions of the terminal software are vulnerable to a buffer overflow that gains code execution through the readily accessible serial interface.
- JTAG. The JTAG interface of the application processor is accessible without opening the device. It allows full debugging control over the device.
Abuse scenarios
Once exploited, the terminal under the control of an adversary can be used for fraud:
- Card cloning. Collect credit/EC card data and PINs
- Alter transactions. Change transactions – including EMV transactions – in type (debit vs. credit), value, or other fields
- Fake transactions. Spoof transactions towards the payment back-end or the cash register (i.e., falsely signal a successful transaction)
Software vulnerabilities demand software patches. Fortunately, the payment terminals are patchable, often remotely by their connected payment back-ends. This post will be updated with information on which software versions mitigate the software attacks described herein.
Hardware-level vulnerabilities are harder to mitigate. The device’s application processor, for instance, does not provide configuration settings for JTAG to be switched off. Deployed devices will likely stay vulnerable to local attacks, potentially undermining trust in cash-less payment considerably for a long time. Unfortunately, the world-wide payment infrastructure’s planned updates to EMV do not protect against compromised terminals, adding one more bit of concern about the EMV standard, which others have criticized for its protocol imperfections (PDF, PDF).