Two security researchers have demonstrated how attackers can steal unsuspecting users’ payment card data via a PIN pad.
On Wednesday, researchers Nir Valtman and Patrick Watson of NCR Corp described to an audience at Black Hat USA 2016 how an attacker can extract cardholder data from intercepted communications between a PIN pad and a point-of-sale (POS) system.
The problem, the duo explained, is that many payment card readers do not implement proper authentication or encryption measures, which means an actor could intercept communication between a PIN pad and POS system by routing those communications through a man-in-the-middle (MitM) device.
In their presentation, entitled “Breaking Payment Points of Interaction (POI),” the researchers used a Raspberry Pi computer to conduct a MitM attack. They successfully captured Track 2 data packets read by the POS card reader, with the network protocol analyzer Wireshark picking up on two data interactions entered into a PIN pad running flawed production software.
Valtman and Watson spoke with the software vendor about those flaws, but the company said it couldn't fix them because of its use of old hardware.
Next, the duo demonstrated they could extract readable data from those packets, including information regarding whether the payment card used EMV technology.
For the attack to work, an actor needs to either gain access to the payment system or modify the payment application itself. The latter is much easier.
Additionally, an attacker could compromise a PIN pad in an attempt to steal even more information from customers. For instance, by surreptitiously injecting a form into the application, the duo stated, an attacker could manipulate a PIN pad into prompting each and every customer to reenter their PIN.
As a reminder, cardholders should never reenter their PIN on a payment card reader. A secondary PIN request often indicates the payment application has been compromised.