Chip and pin terminals shown to harvest customer info

July 31, 2012 by Nancy Owano report

For customers, merchants and restaurant owners who rely on card readers for transactions, this is not the best of news. Experts have found a security flaw in chip and PIN terminals that allows thieves to download customers' card details. According to a UK-based security firm, MWR InfoSecurity, hackers can steal details from chip and PIN machines, and MWR was able to show how easily it can be done. According to a report on Sunday, thousands of credit and debit card readers, such as those sitting in shops and restaurants, will need to be reprogrammed following revelations that they can be hacked into and used to steal cardholders' details.

For criminals, lifting card data this way would be all in a day's work, with a daily catch of cardholder details. MWR performed a test to show how this can work. Criminals can load their fake cards with malicious software. The card can be made to look like any credit or debit card, and a criminal could use it in any retail shop or eating establishment.

Using second-hand terminals that they purchased on eBay, MWR accessed the computer code on which the terminals run. They used this code to program a fake chip and PIN card, loading the chip with malicious software that is capable of reprogramming the reader. Once used in shops, the fakes, made to look like a normal credit or debit card, infect the reader. Once the malicious card transfers its software to the reader, it begins storing details of all subsequent cards inserted. The criminal can then return later and use a second card to download this data, which by then includes all the card details and PINs.
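The root cause described above is a reader that executes whatever code an inserted chip delivers. The toy model below (added here; not MWR's or VeriFone's code) contrasts a terminal that applies any card-supplied image with one that applies only images carrying a valid vendor tag; the HMAC key, image contents and card dictionaries are constructed stand-ins, and HMAC substitutes for the asymmetric signature a real terminal would check.

```python
import hashlib
import hmac

# Constructed vendor key: a real terminal would hold only a public key and
# verify an asymmetric signature; HMAC stands in for that here.
VENDOR_KEY = b"constructed-vendor-signing-key"

def sign_update(image: bytes) -> bytes:
    """Vendor side: produce the authentication tag the terminal will check."""
    return hmac.new(VENDOR_KEY, image, hashlib.sha256).digest()

class Terminal:
    """Toy chip-and-PIN reader that can receive firmware from an inserted card."""

    def __init__(self, verify_updates: bool) -> None:
        self.verify_updates = verify_updates
        self.firmware = b"vendor-firmware-v1"

    def insert_card(self, card: dict) -> str:
        """Handle one inserted card; an 'update' field carries a firmware image."""
        if "update" not in card:
            return "transaction ok"
        image, tag = card["update"], card.get("tag", b"")
        # The flaw in the article: the reader trusts whatever the chip delivers.
        # The fix: refuse any image that lacks a valid vendor tag.
        if self.verify_updates and not hmac.compare_digest(sign_update(image), tag):
            return "update rejected: unauthenticated image"
        self.firmware = image
        return "update applied"

def run_scenario(verify_updates: bool) -> dict:
    """Feed a rogue unsigned image, then a genuine signed one; report the outcome."""
    term = Terminal(verify_updates)
    rogue = {"update": b"rogue-image"}  # constructed card with no vendor tag
    genuine_image = b"vendor-firmware-v2"
    genuine = {"update": genuine_image, "tag": sign_update(genuine_image)}
    rogue_result = term.insert_card(rogue)
    firmware_after_rogue = term.firmware
    genuine_result = term.insert_card(genuine)
    return {
        "rogue": rogue_result,
        "firmware_after_rogue": firmware_after_rogue,
        "genuine": genuine_result,
        "final_firmware": term.firmware,
    }

if __name__ == "__main__":
    for mode in (False, True):
        print("verify_updates =", mode, run_scenario(mode))
```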

The team purchased three point-of-sale terminals on eBay, one of which is a popular model that comes with a touchscreen and a feature for capturing cardholder signatures. The other two have a port for inserting chip-and-PIN cards, as well as a mag stripe reader.

As a result of this feat, thousands of terminals need reprogramming, according to reports. VeriFone, which makes most of the UK's terminals, confirmed that MWR was on to something, and the terminal maker said it is working on an "expedited" update after learning of the vulnerability.

"We have confirmed that MWR implemented a sophisticated scenario that is technically feasible on some older systems," said the company. "VeriFone has developed a software update to resolve this issue in deployed systems and has already submitted the code for testing and approval on an expedited basis." The company said it will provide the software update "to all impacted parties" to implement.

Security watchers see the significance in the fact that the chip could be loaded with malicious software capable of reprogramming the reader, leaving the system open to data theft.

Law enforcement agents have discovered that account numbers and PINs are being sold in bulk on carding websites, as the Internet has become an easy conduit to leverage stolen credit card, bank account, and other personal identification information of victims globally.

At the recent Black Hat 2012 meeting, MWR InfoSecurity also demonstrated how to attack point of sale terminals that use a microchip and PIN identification system with a specially prepared chip-based credit card. The security company first showed how a bogus chip could be used to pay for an item and obtain a receipt for a valid transaction without the payment ever being processed. The second demonstration from MWR was the terminal reader demo, showing how a card with malware can harvest all the card numbers and PINs from previous users of the terminal.

5 / 5 (1) Jul 31, 2012
At some point, banks are going to have to adopt a more secure authentication mechanism. Hopefully sooner rather than later, as the longer this fundamentally insecure architecture exists, the more entrenched, more resourceful, the exploiters become, and the harder it will be to eradicate them.

The cost to society of this criminal activity is greater than the sum of the costs to affected banks.
2.6 / 5 (5) Jul 31, 2012
Just don't use cards. Period. Where's the problem? Cash isn't THAT heavy.

At some point, banks are going to have to adopt a more secure authentication mechanism.

Banks are insured against losses. As long as the cost of that insurance is less than the cost of fielding a more secure system (plus insurance against THAT one being hacked) they will not do so.

The cost to society of this criminal activity is greater than the sum of the costs to affected banks

But banks don't care about society (at least not last I looked). So...meh.
5 / 5 (4) Jul 31, 2012
I think it is a recipe for trouble to load code from a card and then run it. Of course that might be a very convenient way to update the software on the reader, but still...
1.8 / 5 (5) Jul 31, 2012
Aaiiieeee! I'm SHOCKED!!!??? And those wicked wicked wicked credit card companies and the banks that own them and the queen of England that owns them all have said through their mouthpieces and 'pr' public liar men that all that the cards hold on those mag strips are the person's credit card number and name as the strips' ability to hold data is soooooooooo limited!?? What a crock from those republican crooks.
1 / 5 (1) Aug 01, 2012
Carry cash. Simple.
Anyone who uses 'point and shoot' payment methods is just asking for trouble. Remember, even though the 'payment company' may reimburse you for losses, those losses are factored into the cost of their doing business.... so, over time, they get it back, plus interest.
2.3 / 5 (3) Aug 01, 2012
If I didn't know better, I'd think that hackers are designing these terminals... how far does something have to go to be more than a co-incidence?
