Chip and pin terminals shown to harvest customer info

Jul 31, 2012 by Nancy Owano

For customers, merchants and restaurant owners who rely on card readers for transactions, this is not the best of news. Experts have found a security flaw in chip and PIN terminals that allows thieves to download customers' card details. According to a UK-based security firm, MWR InfoSecurity, hackers can steal details from chip and PIN machines, and MWR was able to prove how easily it can be done. According to a report on Sunday, thousands of credit and debit card readers, such as those sitting in shops and restaurants, will need to be reprogrammed following revelations that they can be hacked into and used to steal cardholders' details.

For criminals, lifting card details this way would be all in a day's work, with a daily catch of many cardholders' details. MWR performed a test to show how this can work. Criminals can load their fake cards with malicious software. The card can be made to look like any credit or debit card, and a criminal could use it in any retail shop or eating establishment.

Using second-hand terminals that they purchased on eBay, MWR accessed the computer code on which the terminals run. They used this code to program a fake chip and PIN card, loading the chip with malicious software that is capable of reprogramming the reader. Once used in shops, the fakes, made to look like a normal credit or debit card, infect the terminal. Once the malicious card transfers its software to the reader, the reader begins storing details of all subsequent cards inserted. The criminal can then return later and use a second card to download this data, which by then holds all the card details and PINs.
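The weakness MWR exploited is that the terminal loads and runs whatever code a chip presents to it. The defensive counterpart is a code-loading policy that accepts an application image only when it carries a valid signature from the terminal vendor's key and a version newer than the one already installed, so that neither card-supplied code nor a replayed older release gets run. The Go program below is an added example written for this page; it is not MWR's test code and not VeriFone's update mechanism. The `Terminal`, `Update` and `SignUpdate` names, the signed message layout (version followed by the SHA-256 of the image) and the image strings are all assumptions constructed for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Update is an application image offered to the terminal, whether it arrives
// through the vendor's maintenance channel or, as in the MWR scenario, from a chip card.
type Update struct {
	Version   uint32
	Image     []byte
	Signature []byte // Ed25519 signature by the vendor over updateMessage(Version, Image)
}

// Terminal models only the code-loading decision of a point-of-sale device.
type Terminal struct {
	VendorPubKey   ed25519.PublicKey // provisioned at manufacture; the private key never leaves the vendor
	CurrentVersion uint32
	Installed      []byte
}

var (
	ErrUnsigned = errors.New("update rejected: missing or invalid vendor signature")
	ErrRollback = errors.New("update rejected: version is not newer than the installed one")
)

// updateMessage binds the version number to the image digest, so a correctly
// signed but older image cannot be re-presented under a higher version number.
func updateMessage(version uint32, image []byte) []byte {
	digest := sha256.Sum256(image)
	msg := make([]byte, 4, 4+len(digest))
	binary.BigEndian.PutUint32(msg, version)
	return append(msg, digest[:]...)
}

// SignUpdate is the vendor's offline release step (hypothetical; not VeriFone's process).
func SignUpdate(priv ed25519.PrivateKey, version uint32, image []byte) Update {
	return Update{
		Version:   version,
		Image:     image,
		Signature: ed25519.Sign(priv, updateMessage(version, image)),
	}
}

// InstallUnchecked is the weak policy the article describes: whatever code
// is presented gets loaded and run.
func (t *Terminal) InstallUnchecked(u Update) error {
	t.Installed = u.Image
	t.CurrentVersion = u.Version
	return nil
}

// InstallVerified is the hardened policy: code runs only if the vendor signed
// exactly this version and image, and only if it is newer than what is installed.
// Rejected updates leave the terminal state untouched.
func (t *Terminal) InstallVerified(u Update) error {
	if len(u.Signature) != ed25519.SignatureSize ||
		!ed25519.Verify(t.VendorPubKey, updateMessage(u.Version, u.Image), u.Signature) {
		return ErrUnsigned
	}
	if u.Version <= t.CurrentVersion {
		return ErrRollback
	}
	t.Installed = u.Image
	t.CurrentVersion = u.Version
	return nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	term := &Terminal{VendorPubKey: pub, CurrentVersion: 1}

	// Constructed images; the strings stand in for real application binaries.
	vendorV2 := SignUpdate(priv, 2, []byte("vendor payment application v2"))
	vendorV1 := SignUpdate(priv, 1, []byte("vendor payment application v1"))
	rogue := Update{Version: 3, Image: []byte("card-supplied code that logs later cards")}

	fmt.Println("verified policy, vendor v2:      ", term.InstallVerified(vendorV2))
	fmt.Println("verified policy, rogue card code:", term.InstallVerified(rogue))
	fmt.Println("verified policy, replayed v1:    ", term.InstallVerified(vendorV1))

	weak := &Terminal{VendorPubKey: pub, CurrentVersion: 1}
	fmt.Println("unchecked policy, rogue card code:", weak.InstallUnchecked(rogue),
		"now running:", string(weak.Installed))
}
```

The check deliberately verifies the signature before the version comparison, so an attacker learns nothing about the installed version from an unsigned image, and the terminal's state changes only after both checks pass.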

The team purchased three point-of-sale terminals on eBay, one of which is a popular model that comes with a touchscreen and a feature for capturing cardholder signatures. The other two have a port for inserting chip-and-PIN cards, as well as a mag stripe reader.

As a result of this feat, thousands of terminals need reprogramming, according to reports. VeriFone, which makes most of the UK's terminals, confirmed that MWR was on to something and the terminal maker said it is working on an "expedited" update after learning of the hacking vulnerability.

"We have confirmed that MWR implemented a sophisticated scenario that is technically feasible on some older systems," said the company. "VeriFone has developed a software update to resolve this issue in deployed systems and has already submitted the code for testing and approval on an expedited basis." The company said it will provide the software update "to all impacted parties" to implement.

Security watchers see the significance in the fact that the chip could be loaded with malicious software capable of reprogramming the reader, leaving the system open to data theft.

Law enforcement agents have discovered that account numbers and PINs are being sold in bulk on carding websites, as the Internet has become an easy conduit to leverage stolen credit card, bank account, and other personal identification information of victims globally.

At the recent Black Hat 2012 meeting, MWR InfoSecurity also demonstrated how to attack point of sale terminals that use a microchip and PIN identification system with a specially prepared chip-based credit card. The security company first showed how a bogus chip could be used to pay for an item and obtain a receipt for a valid transaction without the payment ever being processed. The second display from MWR was the terminal reader demo, showing how a card with malware can harvest all the card numbers and PINs from previous users of the terminal.
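The first Black Hat demonstration, a receipt for a transaction that was never processed, is something a merchant can catch at the end of the trading day by reconciling the terminal's own receipt log against the acquirer's settlement report: a slip with no settled transaction behind it, or one settled for a different amount, is the signal. The Go code below is an added illustration of that check for this page; it is not MWR's demo code and does not follow any acquirer's real reporting format. The `Receipt` and `Settlement` record layouts, the terminal identifiers and the sample records in `SampleDay` are all constructed.

```go
package main

import (
	"fmt"
	"sort"
)

// Receipt is one line from the terminal's own transaction log: what the
// customer was handed a slip for.
type Receipt struct {
	TerminalID  string
	Ref         string // terminal-assigned transaction reference printed on the slip
	AmountCents int64
}

// Settlement is one line from the acquirer's report: what was actually processed.
type Settlement struct {
	TerminalID  string
	Ref         string
	AmountCents int64
}

// Discrepancy is one reconciliation finding.
type Discrepancy struct {
	Kind         string // one of the Kind* constants below
	TerminalID   string
	Ref          string
	ReceiptCents int64 // 0 when no receipt exists
	SettledCents int64 // 0 when nothing was settled
}

const (
	KindReceiptWithoutSettlement = "receipt-without-settlement" // the bogus-chip case
	KindAmountMismatch           = "amount-mismatch"
	KindSettlementWithoutReceipt = "settlement-without-receipt"
)

func txKey(terminalID, ref string) string { return terminalID + "/" + ref }

// Reconcile matches receipts to settlements by (terminal, reference) and
// returns every disagreement, sorted so the result is deterministic.
func Reconcile(receipts []Receipt, settlements []Settlement) []Discrepancy {
	settled := make(map[string]Settlement, len(settlements))
	for _, s := range settlements {
		settled[txKey(s.TerminalID, s.Ref)] = s
	}
	matched := make(map[string]bool, len(receipts))
	var out []Discrepancy
	for _, r := range receipts {
		k := txKey(r.TerminalID, r.Ref)
		matched[k] = true
		s, ok := settled[k]
		switch {
		case !ok:
			out = append(out, Discrepancy{KindReceiptWithoutSettlement, r.TerminalID, r.Ref, r.AmountCents, 0})
		case s.AmountCents != r.AmountCents:
			out = append(out, Discrepancy{KindAmountMismatch, r.TerminalID, r.Ref, r.AmountCents, s.AmountCents})
		}
	}
	// Settled transactions the terminal never printed a slip for are also worth a look.
	for k, s := range settled {
		if !matched[k] {
			out = append(out, Discrepancy{KindSettlementWithoutReceipt, s.TerminalID, s.Ref, 0, s.AmountCents})
		}
	}
	sort.Slice(out, func(i, j int) bool {
		a, b := out[i], out[j]
		if a.Kind != b.Kind {
			return a.Kind < b.Kind
		}
		if a.TerminalID != b.TerminalID {
			return a.TerminalID < b.TerminalID
		}
		return a.Ref < b.Ref
	})
	return out
}

// SampleDay returns constructed records for one trading day.
func SampleDay() ([]Receipt, []Settlement) {
	receipts := []Receipt{
		{"POS-01", "000101", 1250},
		{"POS-01", "000102", 4999}, // slip printed, but the payment never reached the acquirer
		{"POS-01", "000103", 2000},
	}
	settlements := []Settlement{
		{"POS-01", "000101", 1250},
		{"POS-01", "000103", 1500},
		{"POS-02", "000377", 800},
	}
	return receipts, settlements
}

func main() {
	for _, d := range Reconcile(SampleDay()) {
		fmt.Printf("%-28s %s/%s receipt=%d settled=%d\n",
			d.Kind, d.TerminalID, d.Ref, d.ReceiptCents, d.SettledCents)
	}
}
```

Matching on the terminal's own reference rather than on amount alone matters: a fraudulent receipt for a round figure would otherwise pair up with an unrelated genuine sale of the same value.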


User comments : 6


5 / 5 (1) Jul 31, 2012
At some point, banks are going to have to adopt a more secure authentication mechanism. Hopefully sooner rather than later, as the longer this fundamentally insecure architecture exists, the more entrenched, more resourceful, the exploiters become, and the harder it will be to eradicate them.

The cost to society of this criminal activity is greater than the sum of the costs to affected banks
2.6 / 5 (5) Jul 31, 2012
Just don't use cards. Period. Where's the problem? Cash isn't THAT heavy.

At some point, banks are going to have to adopt a more secure authentication mechanism.

Banks are insured against losses. As long as the cost of that insurance is less than the cost of fielding a more secure system (plus insurance against THAT one being hacked) they will not do so.

The cost to society of this criminal activity is greater than the sum of the costs to affected banks

But banks don't care about society (at least not last I looked). So...meh.
5 / 5 (4) Jul 31, 2012
I think it is a recipe for trouble to load code from a card and then run it. Of course that might be a very convenient way to update the software on the reader, but still...
1.8 / 5 (5) Jul 31, 2012
Aaiiieeee! I'm SHOCKED!!!??? And those wicked wicked wicked credit card companies and the banks that own them and the queen of england that owns them all have said through therrre mouthpieces and 'pr' public liar men that all that the cards hold on those mag strips are the person's credit card number and name as the strips ability to hold data is soooooooooo limited!?? Whata crock from those republican crooks.
1 / 5 (1) Aug 01, 2012
Carry cash. Simple.
Anyone who uses 'point and shoot' payment methods is just asking for trouble. Remember, even though the 'payment company' may reimburse you for losses, those losses are factored into the cost of their doing business.... so, over time, they get it back, plus interest.
2.3 / 5 (3) Aug 01, 2012
If I didn't know better, I'd think that hackers are designing these terminals... how far does something have to go to be more than a co-incidence?
