Chip and pin terminals shown to harvest customer info

Jul 31, 2012 by Nancy Owano report

(Phys.org) -- For customers, merchants and restaurant owners who rely on card readers for transactions, this is not the best of news. Experts have found a security flaw in chip and PIN terminals that allows thieves to download customers’ card details. According to the UK-based security firm MWR InfoSecurity, hackers can steal details from chip and PIN machines, and MWR was able to prove how easily it can be done. According to a report on Sunday, thousands of credit and debit card readers, such as those sitting in shops and restaurants, will need to be reprogrammed following revelations that they can be hacked into and used to steal cardholders' details.

For criminals, lifting info would be all in a day’s work, with a daily catch of many cardholders' details. MWR performed a test to show how this can work. Criminals can load their fake cards with malicious software. The card can be made to look like any credit or debit card, and a criminal could use it in any retail shop or eating establishment.

Using second-hand terminals that they purchased on eBay, MWR accessed the computer code on which the terminals run. They used this code to program a fake chip and PIN card, loading the chip with malicious software that is capable of reprogramming the reader. Once used in shops, the fakes - made to look like a normal credit or debit card - infect the terminal. Once the malicious card transfers its software to the reader, it begins storing details of all subsequent cards inserted. The criminal can then return later and use a second card to download this data, which by then includes all the card details and PINs.

The team purchased three point-of-sale terminals on eBay, one of which is a popular model that comes with a touchscreen and a feature for capturing cardholder signatures. The other two have a port for inserting chip-and-PIN cards, as well as a mag stripe reader.

As a result of this feat, thousands of terminals need reprogramming, according to reports. VeriFone, which makes most of the UK's terminals, confirmed that MWR was on to something and the terminal maker said it is working on an "expedited" update after learning of the hacking vulnerability.

"We have confirmed that MWR implemented a sophisticated scenario that is technically feasible on some older systems,” said the company. ”VeriFone has developed a software update to resolve this issue in deployed systems and has already submitted the code for testing and approval on an expedited basis.” The company said it will provide the software update “to all impacted parties” to implement.

Security watchers see the significance in the fact that the chip could be loaded with malicious software capable of reprogramming the reader, leaving the system open to data theft.
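A defender-side illustration added here, not MWR's or VeriFone's code and not a description of how the affected terminals actually work: a simplified reader model that treats everything a card presents as untrusted data and only applies a reprogramming payload that carries a valid tag from an assumed vendor key, refusing and recording unsigned or rolled-back payloads. The key, the record layout and the tamper log are all assumptions for the example.

```python
import hmac
import hashlib

# Assumed vendor signing key (constructed, not real). A production terminal
# would hold a vendor *public* key and verify an asymmetric signature; HMAC
# is used here only to keep the example dependency-free.
VENDOR_KEY = b"example-vendor-key-not-real"

def sign_update(version: int, image: bytes, key: bytes = VENDOR_KEY) -> bytes:
    """Vendor side: tag covering both version and image, so neither can be swapped."""
    return hmac.new(key, version.to_bytes(4, "big") + image, hashlib.sha256).digest()

class Terminal:
    """Minimal model of a reader whose code-update path is authenticated."""
    def __init__(self, key: bytes = VENDOR_KEY):
        self.key = key
        self.firmware_version = 1
        self.tamper_events = []   # what a defender would forward to monitoring

    def handle_card(self, card: dict) -> str:
        kind = card.get("kind")
        if kind == "payment":
            return "transaction"   # card data is treated as data, never executed
        if kind == "update":
            return self._apply_update(card)
        self.tamper_events.append(f"unknown record type: {kind!r}")
        return "rejected"

    def _apply_update(self, card: dict) -> str:
        version = int(card.get("version", 0))
        image = card.get("image", b"")
        expected = sign_update(version, image, self.key)
        # Constant-time compare: a card-borne tag must not be probeable byte by byte.
        if not hmac.compare_digest(card.get("sig", b""), expected):
            self.tamper_events.append("unsigned or tampered update presented by card")
            return "rejected"
        if version <= self.firmware_version:
            self.tamper_events.append("rollback to older firmware refused")
            return "rejected"
        self.firmware_version = version
        return "updated"

# Constructed sample card records (not real card data).
GENUINE_UPDATE = {"kind": "update", "version": 2, "image": b"vendor-image-v2"}
GENUINE_UPDATE["sig"] = sign_update(2, GENUINE_UPDATE["image"])
ROGUE_UPDATE = {"kind": "update", "version": 3, "image": b"rogue-image", "sig": b"\x00" * 32}

def demo() -> tuple:
    t = Terminal()
    outcomes = (t.handle_card({"kind": "payment"}),
                t.handle_card(ROGUE_UPDATE),
                t.handle_card(GENUINE_UPDATE))
    return outcomes, t.firmware_version, len(t.tamper_events)
```

The recorded tamper event is the detection hook: a reader that logs refused card-borne updates gives the merchant or acquirer a signal that something other than a payment card was inserted.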

Law enforcement agents have discovered that account numbers and PINs are being sold in bulk on carding websites, as the Internet has become an easy conduit to leverage stolen credit card, bank account, and other personal identification information of victims globally.

At the recent Black Hat 2012 meeting, MWR InfoSecurity also demonstrated how to attack point-of-sale terminals that use a microchip and PIN identification system with a specially prepared chip-based credit card. The security company first showed how a bogus chip could be used to pay for an item and obtain a receipt for a valid transaction without the payment ever being processed. The second display from MWR was the terminal reader demo, showing how a card with malware can harvest all the card numbers and PINs from previous users of the terminal.

More information: www.channel4.com/news/credit-c… e-hacked-for-details

User comments : 6

alfie_null
5 / 5 (1) Jul 31, 2012
At some point, banks are going to have to adopt a more secure authentication mechanism. Hopefully sooner rather than later, as the longer this fundamentally insecure architecture exists, the more entrenched, more resourceful, the exploiters become, and the harder it will be to eradicate them.

The cost to society of this criminal activity is greater than the sum of the costs to affected banks.
antialias_physorg
2.6 / 5 (5) Jul 31, 2012
Just don't use cards. Period. Where's the problem? Cash isn't THAT heavy.

At some point, banks are going to have to adopt a more secure authentication mechanism.

Banks are insured against losses. As long as the cost of that insurance is less than the cost of fielding a more secure system (plus insurance against THAT one being hacked) they will not do so.

The cost to society of this criminal activity is greater than the sum of the costs to affected banks

But banks don't care about society (at least not last I looked). So...meh.
PPihkala
5 / 5 (4) Jul 31, 2012
I think it is recipe for trouble to load code from card and then run that. Of course that might be very convenient way to update the software on the reader, but still...
Osiris1
1.8 / 5 (5) Jul 31, 2012
Aaiiieeee! I'm SHOCKED!!!??? And those wicked wicked wicked credit card companies and the banks that own them and the queen of England that owns them all have said through their mouthpieces and 'pr' public liar men that all that the cards hold on those mag strips are the person's credit card number and name as the strips' ability to hold data is soooooooooo limited!?? What a crock from those republican crooks.
rwinners
1 / 5 (1) Aug 01, 2012
Carry cash. Simple.
Anyone who uses 'point and shoot' payment methods is just asking for trouble. Remember, even though the 'payment company' may reimburse you for losses, those losses are factored into the cost of their doing business.... so, over time, they get it back, plus interest.
Argiod
2.3 / 5 (3) Aug 01, 2012
If I didn't know better, I'd think that hackers are designing these terminals... how far does something have to go to be more than a co-incidence?