Is PIN entry with Square's new readers secure?

For all those paranoid people who worry about contactless being risky it is great to read: “Officer Rodriguez said the easiest way to try and prevent having a card compromised is to … use the ‘tap and go’ function whenever possible. The tap feature makes it much harder for thieves to retrieve any of your card’s information.”

You and Danny are talking about ATMs, which is not relevant to this topic, which is discussing an app-only PIN keypad for a merchant card machine. There are very different security issues around ATMs, as they are unattended machines that don’t have to actually do anything useful.

A merchant’s card reader has to connect to the acquirer network and perform a transaction. Card readers that are tampered with will erase their keys, making this impossible.

1 Like

You don’t need to check the resin – removing the resin destroys the circuit board, so the unit won’t work. Also, as I said in my previous response, if it was tampered with in transit, it would lose the encryption keys it needs to talk with the acquirer network, so it wouldn’t work when the merchant tried to use it.

Whether you feel the hardware-based security that currently exists is sufficient or not, the fact is that allowing app-based PIN entry on a random phone/iPad opens up a whole new set of attack vectors, and I’d be interested to know how these are being mitigated.

EMV were very strict with their physical security requirements in the past. It’s been over ten years since I’ve built credit card machines, so I don’t know how these have evolved, which is why I’m curious. I certainly won’t enter my PIN into an app on a random phone until I know more.

Danny’s post with the newspaper article was NOT about an ATM but a merchant card reader which was tampered with.

There has previously been an incident of over 10,000 tampered chip and pin POS machines being used in the UK after they entered the supply chain http://www.telegraph.co.uk/news/uknews/law-and-order/3173346/Chip-and-pin-scam-has-netted-millions-from-British-shoppers.html

Merchant card reader terminals, regardless of spec and any resin over internal circuitry, are often not used in isolation but connected to till computers for guarantee issue, stock taking, loyalty points, etc.

While criminals may attempt to install skimmers that read and transmit data from bank cards on ATMs, credit card terminals and point of sale equipment, criminals also target merchants’ computers by installing spyware that accesses point of sale databases and installing hardware “bugs” that intercept card data transmitted from their POS terminals to servers.

Yes, there are likely social engineering methods for a dishonest person to obtain card details and PINs, but I’m (personally) more concerned with whether a third-party can compromise the card reading PIN entry device of a merchant I trust.

As for your specific example ↑, I’m not sure it would work because:

  1. I don’t think the ‘fake’ guts would be able to get the card number, expiry date, etc, as the chip won’t give this up without proper authentication, which involves card network keys as well as your PIN (I believe, to the best of my recollection). You could try and rig up a camera device to photograph the card the moment before it goes into the machine, but this will likely be conspicuous at a market stall, especially as people usually take the machine and insert their card, so there wouldn’t be a single position/angle to photograph card details from. And you wouldn’t have the CCV numbers from the back.

  2. I think you’d need to provide some details to get the machine you plan to gut, so it would raise the potential for you to be traced once the fraud is discovered.

All-in-all, I think the fake/skimmed ATMs are a much easier way of stealing card details, and much easier to do without leaving a trace of who you are, so a ‘fake’ merchant with a ‘fake’ PIN machine is unlikely. But I’d be interested to know if anyone’s ever heard of this happening!

Andrey Komarov, head of international projects at the electronic security consultancy Group-IB said crooks tampering with point-of-sale (POS) terminals and selling them isn’t new - but the bundling of money-stealing support services, allowing fraud to be carried out more easily, is a new development in the digital underground.

This is why Square’s method for PIN entry concerns me. Up to now, hardware PIN entry devices never transmit the PIN outside of the secured device. It never gets near merchant hardware. If you’re running an app on a phone, how is this (previously hardware-based) separation maintained? This is why, to date, all card readers that work with phones have their own keyboards.

1 Like

So I replace the destroyed circuit board with my own evil one. If my objective is to steal PINs I don’t actually need to talk to the acquirer network, so I don’t need the encryption keys - my device just needs to appear like it’s any other legitimate device as far as the user is concerned.

1 Like

The chip gives up all that info without any issue. You can try it for yourself with this software (safe and open-source) and a standard USB smart card reader.

2 Likes

VISA USA say:

"Criminal gangs worldwide are illegally accessing active POS terminals and modifying them by inserting an undetectable electronic ‘bug’ that captures cardholder data and PINs during normal transaction processing.

The impact of this type of crime can be significant to all key parties involved in card acceptance. An attack can not only undermine the integrity of the payment system, but diminish consumer trust in a merchant’s business. In response to this emerging threat, acquirers, merchants and their processors need to proactively secure their POS terminals and make them less vulnerable to tampering."

(extract from http://usa.visa.com/download/merchants/data-security-protect-terminals-from-illegal-tampering-020513.pdf)

Avivah Litan, a Gartner Research vice-president and an expert in banking security and related topics, said that tampering with card readers has been going on for years. She agreed with Group-IB’s observation that since banks are investing more in securing cashpoints, penetrating point-of-sale terminals can be an easier way to make money for criminals.

“The bad guys will go after anything they can, but it can be easier to find dishonest merchants to cooperate in running tampered terminals [to harvest bank details] than going after ATMs,” Litan added that this kind of fraud was rife in South America, particularly in countries such as Brazil.

That refers to skimming devices on mag-stripe machines and presumably old-style US PINs, which are not stored on a chip (there isn’t one!), but transmitted to the bank. This isn’t relevant to EMV chip & PIN which is used in the UK.

Interesting, I wasn’t aware of that, thanks!

As I say, though, my concern with Square is a trusted/honourable merchant being hacked, rather than a malicious merchant.

Again, this seems to refer to older-style terminals, not EMV chip-and-PIN.

I’m not saying fraud can’t happen. I’m saying that until now, there were significant hardware-based restrictions that ensured a PIN never left the secure area of a PIN entry device, and never entered the merchant’s network. Additionally, a merchant would not be able to unwittingly use a tampered machine and connect to the acquirer. All I’d like to know is what has changed that allows a reader like Square’s? Is it that the hardware security requirements are considered unnecessary for some reason? Or that there is some software architecture that provides the same level of security?

Basically, if Square’s reader does get approval, there has been a fundamental shift in the EMV security requirements, and I’m curious why.

1 Like

I don’t think Square itself will be hacked - to steal PINs on a large scale you basically need to compromise their development/build infrastructure and use it to secretly push a new, malicious version of their app to the App Store, and keep it undetected long enough for people to update.

I would be more concerned with malware on the devices themselves, but assuming the Square app would require a secure version of iOS I don’t think it’s an issue (iOS kernel exploits - the kind needed to steal PINs from a running app - are scarce and retail for millions - even if such an exploit was discovered by a malicious actor I don’t think he would waste it on stealing card PINs where he can instead sell it to a malicious state-level attacker for much more than he’d get for the PINs).

2 Likes

If you are swiping a card or entering a chip card into a reader and entering your pin it matters not if it is a stripe or chip as your pin in conjunction with that chip unlocks all the data they need and if the tampered device is sending info to hackers by wifi, bluetooth or GSM your card has been compromised. You are safest when only doing contactless transactions rather than having your card read, but don’t think the chip protects you over magstripe, if the card reads the chip and you enter your pin it is as vulnerable as magstripe. Also even without a pin, if the chip is copied it can be used in countries where they have chip and dip, where the chip card is inserted and removed without the need for a pin (e.g. some retailers in Netherlands). Finally while people worry contactless cards can be cloned by people standing near them with an NFC reader, the technology to actually read a magstripe remotely over a short distance without physically contacting the card has been developed and proven.

Yes, this is my concern, too. Does the Square app not run on Android? That’s where I would be worried. How do I, as a customer, know if the Android device I’ve been handed is secure or not?

According to their compatibility matrix they list the magstripe reader as compatible with the Google Pixel. Whether they would allow PIN entry is unknown though, but yes I’d be extremely worried considering the (in)security track record of that awful platform.

1 Like

POS tampering is so advanced that machines have been opened, tampered with and perfectly resealed “so that it was impossible to tell even for someone working at the factory that they had been tampered with,” according to expert Dr. Brenner.

A MasterCard International investigator said: “…there were several teams of people roaming around Europe putting the machines on scales and weighing them.” as they had a 3,5 oz difference in weight due to the tampered devices having extra equipment. As visually they appeared the same inside it was the only way to tell without dismantling the device to such an extent they would have had to be written off.

  1. You can read the number and expiry using NFC on a phone, and I have read my own cards in the past with a smartcard reader, which revealed the same data.

  2. Search for pin pad on eBay, you can get a mobile one for about £60 or a wired one for about £20.

2 Likes

So you’re not getting the PIN from the card, you are getting the user to enter it. There’s also no need to check the PIN with the chip (would be nice though).

1 Like