Chip and pin terminals shown to harvest customer info

Jul 31, 2012 by Nancy Owano

(Phys.org) -- For all customers, merchants and restaurant owners making use of card readers for transactions, well, this is not the best of news. Experts have found a security flaw in chip and PIN terminals that allows thieves to download customers’ card details. According to a UK-based security firm, MWR InfoSecurity, hackers can steal details from chip and PIN machines. MWR was able to prove how easily it can be done. According to a report on Sunday, thousands of credit and debit card readers, such as those sitting in shops and restaurants, will need to be reprogrammed following revelations that they can be hacked into and used to steal cardholders' details.

For criminals, lifting info would be all in a day’s work, enjoying a daily catch of many cardholder details. MWR performed a test to show how this can work. Criminals can load their fake cards with malicious software. The card can be made to look like any credit or debit card. A criminal could use it in any retail shop or eating establishment.

Using second-hand terminals that they purchased on eBay, MWR accessed the computer code on which the terminals run. They used this code to program a fake chip and PIN card, loading the chip with malicious software that is capable of reprogramming the reader. Once used in shops, the fakes - made to look like a normal credit or debit card - infect the reader. Once the malicious card transfers its software to the reader, it begins storing details of all subsequent cards inserted. The criminal can then return later and use a second card to download this data, which by then has all the card details and PINs.

The team purchased three point-of-sale terminals on eBay, one of which is a popular model that comes with a touchscreen and a feature for capturing cardholder signatures. The other two have a port for inserting chip-and-PIN cards, as well as a mag stripe reader.

As a result of this feat, thousands of terminals need reprogramming, according to reports. VeriFone, which makes most of the UK's terminals, confirmed that MWR was on to something and the terminal maker said it is working on an "expedited" update after learning of the hacking vulnerability.

“We have confirmed that MWR implemented a sophisticated scenario that is technically feasible on some older systems,” said the company. “VeriFone has developed a software update to resolve this issue in deployed systems and has already submitted the code for testing and approval on an expedited basis.” The company said it will provide the software update “to all impacted parties” to implement.

Security watchers see the significance in the fact that the chip could be loaded with malicious software capable of reprogramming the reader, leaving the system open to data theft.

Law enforcement agents have discovered that account numbers and PINs are being sold in bulk on carding websites, as the Internet has become an easy conduit to leverage stolen credit card, bank account, and other personal identification information of victims globally.

At the recent Black Hat 2012 meeting, MWR InfoSecurity also demonstrated how to attack point of sale terminals that use a microchip and PIN identification system with a specially prepared chip-based credit card. The security company first showed how a bogus chip could be used to pay for an item and obtain a receipt for a valid transaction without the payment ever being processed. The second display from MWR was the terminal reader demo, showing how a card with malware can harvest all the card numbers and PINs from previous users of the terminal.

More information: www.channel4.com/news/credit-c… e-hacked-for-details

User comments : 6

alfie_null
5 / 5 (1) Jul 31, 2012
At some point, banks are going to have to adopt a more secure authentication mechanism. Hopefully sooner rather than later, as the longer this fundamentally insecure architecture exists, the more entrenched, more resourceful, the exploiters become, and the harder it will be to eradicate them.

The cost to society of this criminal activity is greater than the sum of the costs to affected banks
antialias_physorg
2.6 / 5 (5) Jul 31, 2012
Just don't use cards. Period. Where's the problem? Cash isn't THAT heavy.

At some point, banks are going to have to adopt a more secure authentication mechanism.

Banks are insured against losses. As long as the cost of that insurance is less than the cost of fielding a more secure system (plus insurance against THAT one being hacked) they will not do so.

The cost to society of this criminal activity is greater than the sum of the costs to affected banks

But banks don't care about society (at least not last I looked). So...meh.
PPihkala
5 / 5 (4) Jul 31, 2012
I think it is a recipe for trouble to load code from card and then run that. Of course that might be a very convenient way to update the software on the reader, but still...
Osiris1
1.8 / 5 (5) Jul 31, 2012
Aaiiieeee! I'm SHOCKED!!!??? And those wicked wicked wicked credit card companies and the banks that own them and the queen of england that owns them all have said through therrre mouthpieces and 'pr' public liar men that all that the cards hold on those mag strips are the person's credit card number and name as the strips ability to hold data is soooooooooo limited!?? Whata crock from those republican crooks.
rwinners
1 / 5 (1) Aug 01, 2012
Carry cash. Simple.
Anyone who uses 'point and shoot' payment methods is just asking for trouble. Remember, even though the 'payment company' may reimburse you for losses, those losses are factored into the cost of their doing business.... so, over time, they get it back, plus interest.
Argiod
2.3 / 5 (3) Aug 01, 2012
If I didn't know better, I'd think that hackers are designing these terminals... how far does something have to go to be more than a co-incidence?