Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Vulnerabilities in payment terminals demonstrated at Black Hat

Lucian Constantin | July 27, 2012
Three widely deployed payment terminals have vulnerabilities that could allow attackers to steal credit card data and PIN numbers, according to a pair of security researchers from penetration testing firm MWR InfoSecurity in the U.K.

The third payment terminal, which is popular in the U.S., is more sophisticated than the other two devices. It has a touchscreen to facilitate signature-based payments, a smart card reader, a SIM card to communicate over mobile networks, support for contactless payments, an USB port, an Ethernet port and an administration interface that can be accessed both locally and remotely.

The communication between these terminals and a remote administration server is not encrypted, which means that attackers can interfere with it, Nils said. If attackers gain access to the local network, they can use techniques like ARP or DNS spoofing to force the payment terminals to communicate with a rogue server under their control.

During the demonstration, the researchers were able to turn on the telnet service remotely and log in as root -- the administrative account on Linux systems -- which allowed them to take control of the device.

There is too much trust placed in such devices, Nils said. Merchants trust payment terminals to tell them when a payment is legitimate and payment processors trust them to handle credit card numbers and PINs securely.

Earlier this month a different team of security researchers demonstrated vulnerabilities in a POS device widely deployed in Germany. The vulnerabilities could have allowed attackers to compromise such devices over the local network and use them to steal card magstripe data and PIN numbers.

Nils didn't have any evidence that models from other manufacturers also contain vulnerabilities. However, these are computers systems so they're fairly likely to have some weaknesses, he said.

The quality of the software found on devices tested by MWR researchers was very different, Nils said. There might be some devices that have better software security, but no system is perfect, he said.

All of the affected vendors have been notified about the vulnerabilities and one of them has already developed a patch. However, it will probably take a while for the new version to be certified and then deployed to all customers.

 

Previous Page  1  2 

Sign up for CIO Asia eNewsletters.