Schneier on Security
A blog covering security and security technology.
June 19, 2012
Attack Against Point-of-Sale Terminal
When you pay a restaurant bill at your table using a point-of-sale machine, are you sure it's legit? In the past three months, Toronto and Peel police have discovered many that aren't.
In what is the latest financial fraud, crooks are using distraction techniques to replace merchants' machines with their own, police say. At the end of the day, they create another distraction to pull the switch again.
Using information inputted by customers, including PIN data, the criminals are reproducing credit cards at an alarming rate.
Presumably these hacked point-of-sale terminals look and function normally, and additionally save a copy of the credit card information.
Note that this attack works despite any customer-focused security, like chip-and-pin systems.
Posted on June 19, 2012 at 1:02 PM
Bruce says that it works on chip-and-pin systems, but the article says the opposite. Can anyone elaborate?
No, Rich, I understand Bruce's text to say that the attack works because it circumvents the chip-and-pin system.
This will be fun. If I suspect this is happening to me, I will smash the machine on the floor. That could lead to an interesting discussion with the manager. :)
If the fake ATM is designed appropriately, it would be both. The article describes how the fake ATM has an extra deep slot, so that it can read the entire magnetic stripe, but if it also functions correctly as an ATM that processes the sales transaction, then, as Bruce said, the fake ATM can simply record the PIN that the customer types in for the transaction along with the data read from the stripe.
The immediate countermeasure is clear - the bank should be validating the ATM machine's internal code with the restaurant code and flagging if it changes. An immediate police response will catch the person trying to switch the ATM back later that day. (At which time, the crackers will make their ATM use a wireless broadcast to pass on the collected data so that they don't have to get their ATM back...)
No, as it was reported already, cards with chips don't work there.
From the article:
“The only data that is capable of being compromised to our knowledge is the data associated to magnetic strips,” said Det. Ian Nichol. “The industry is taking steps to minimize this.”
After switching the terminals, I bet the thieves go in the restaurant and order an expensive meal!
The attack cannot reproduce the cryptographic chip (and keys) in a chip-and-pin (EMV) card, but does allow the attacker to intercept the PIN and card number which can be used to reproduce the magstripe on the card.
In a mixed chip-and-pin and magstripe world, the attacker could use it for magstripe transactions. In a country like The Netherlands where (almost) everything is chip-and-pin, the use is very limited. For this reason Dutch banks have started disabling foreign and non-EMV use of cards by default.
For ECommerce transactions, the attacker doesn't get the CVV2/CVC2 code and the 3D Secure (Verified By Visa/Mastercard SecureCode) credentials.
If an additional magnetic head is placed in the smart card slot, it will be possible to read the magnetic stripe even if the clerk tries to read the card chip (using the front slot). However, this strategy has 2 downsides:
* The clerk will probably realize that the card has gone deeper than usual (so the head can read the stripe) and something may be wrong
* Applications in POS devices usually ask for the card chip when they detect (by reading the stripe) that the card should have a chip on it
I'm probably wrong, but the way I see it, it wouldn't need to be a working PoS. The attacker has your creds and could input them into a genuine terminal after the fact.
This is similar to what was done at Ralph's grocery stores in Southern California a couple years back. The stores are open 24 hours and suspects would come in at night and swap out the device at the checkout line, then come back a week later and swap it back out, using a capture device inside that was getting the data unencrypted prior to sending.
@John Macdonald, that won't work. I expect they are using something like a "credit card terminal" (Google gives good pictures for that). All they would need to do is hack in their own custom firmware that never even talks to the outside world, accepts any credit card it is handed and records whatever it sees.
The only way I see around this is to have a credit card that generates one-time-use numbers for every swipe and then reports back to home base (say via NFC and your smartphone) to make sure things match up. OTOH that puts the cost on a party that has no motive to help.
Some criminals once switched all the POS terminals in an entire mall in W Vancouver (very rich area) that processed the cards and wirelessly sent them the codes to somebody waiting in the parking lot. After a few months a team of Russians cashed all the cards in 24 hrs. They didn't catch anybody. PIN + chip is useless.
Chip and PIN will only offer increased security once mag stripe systems are completely eliminated. Until then, it's just an additional attack vector.
This is likely why the Canadian debit system, Interac, is planning to eliminate all mag stripe transactions by 2013.
There is one customer-side defence -- always enter a wrong PIN the first time. If the system challenges you, then you enter the correct value.
If it simply accepts your incorrect PIN, and claims to have successfully run the transaction, then you know that something is amiss. And - you haven't given up your real PIN.
@Annon E Mouse: That still doesn't solve the man-in-the-middle problem though, unfortunately.
I have read that in Germany the placing of manipulated POS terminals in recent times has mainly happened at large stores of the Home Depot type. There, it is fairly easy to hide at closing time and get locked in overnight, leaving plenty of time for the job.
"Note that this attack works despite any customer-focused security, like chip-and-pin systems."
Using a smartcard may well help to spoil such attacks, if used properly.
No idea if the particular chip-and-pin system is "proper", though...
@Annon E Mouse - and if it isn't a man-in-the-middle attack you don't want to detect it.
If this is just a dummy card reader then you get your meal for free and when the credit card bill later shows a Rolex being bought in Moscow or whatever the hackers do, you just dispute that charge.
Leading to the interesting point: does the store then come after you for shoplifting, or do you go after the store for conspiracy to commit credit card fraud?
This is pretty much a social exploit of 1960's technology.
The bigger picture is that the PCI requirements are designed to push the responsibility back on the merchant rather than exposing the providers to the expense of changing to something more secure.
I imagine a card that talks to a server and changes a number on the front (epaper?) every time the card is used. The cashier can see a picture of you and your signature or some biometric info.
With the government regulating the industry - innovation and advancement is unlikely.
If I'm not mistaken, some POS terminals have a fail-safe built in for situations when the chip malfunctions: mag stripe with PIN goes through.
In my eyes, the best customer-side defense is to never use debit.
This is seriously worrying. Unless the banks have increased security recently, many ATMs still allow retrieving money using only the magnetic stripe and the PIN.
Credit cards are a stupid invention. Just use cash and improve your life!
@jmdesp - yes that's the wonderful irony.
They introduce a secure chip+PIN system but use the same PIN as the magnetic stripe, which they also keep.
The same pin that you are told never to reveal to anyone - is now the number you type into any keypad waved in front of you.
At a government site I worked at there was a totally separate 'secure' lan. It even used token ring rather than ethernet so that there was no possibility of any leakage of confidential data.
But since most people needed access to confidential data AND email, every PC I ever found had a card connected to both networks - twice as secure!
When properly implemented, the track data read from the chip is slightly different from the magnetic data, and thus cannot be used to copy the card even in a mixed chip and magnetic world.
This kind of attack is relatively easy to prevent: terminal serial numbers can be monitored in real time by transaction processors, so an alarm will be triggered as soon as the hardware is replaced without authorization. Their service provider (and the merchant itself) just does not take this threat seriously.
A simple precaution for the store would be to modify the appearance of their chip and PIN device, in some fairly unique way. Put a sticker onto the thing, draw a floral decor, wrap coloured tape around it, a large jingly set of old keys or whatever. Something obvious and time consuming for thieves to replicate.
@Michiel, devices which have been detected so far may not get the CVV2, but since it only requires a small digital camera it's sure not exactly difficult in principle to modify a card device to capture it.
This attack has been widely exploited in Italy in the past years. When I first heard of it I immediately disabled the magnetic stripe of my ATM and credit cards by placing a piece of electric tape on it.
Most ATMs in my area try to read the magnetic stripe 4-5 times before switching to the chip, some don't read the chip at all and in that case I can remove the tape or move to another ATM.
And since I don't trust restaurants and POS I never use my cards in those places.
@J. B. Rainsberger If I suspect this is happening to me,
What would make you suspicious? How would you be able to tell?
Two controls have been suggested, the first by @Slava Gomzin:
This kind of attack is relatively easy to prevent: terminal serial numbers can be monitored in real time by transaction processors,
Requires system redesign and modification. Or in the words of one system owner "You want me to parse every input for specific characters? Do you know what that will cost in performance?"
I'm not sure how these POS terminals work. I assume they are sold as a package with the processor service. If they are independent of the service then the service itself needs to be informed of any adds/changes/deletes of the POS terminal.
In either case they can still be subject to interception and imitative deception between them and the service.
This idea from @adam I like.
the store would be to modify the appearance of their chip and PIN device, in some fairly unique way... a sticker ...draw a floral decor, wrap coloured tape...
It's simple, cheap, it puts the detection on people who are there daily and should notice tampering.
It doesn't, however, protect against insiders or a thief who takes the time to surveil the target. All they'd have to do is eat lunch there, pay for it with a credit card while photographing the modification.
About a year ago I had a job repairing these POS (my theory was after the engineers completed the job to build a "POS" they were surprised it was supposed to mean "point of sale") machines. Virus attacks were fairly widespread, and the only real "security" was obscurity.
Essentially all you need is a floppy drive and adapter (read expensive: they are custom to the POS manufacturer) to root one (i.e. the same as any other PC). This attack is probably easier for an outsider than trying to bring a POS machine during business hours, but would likely require at least some insider knowledge about the POS software (likely a hard drive image, but you could attack any other chain store without burning your insider.)
@BF Skinner I think most thieves upon seeing a chip and pin which didn't match the one in their bag would abort the scam and try an easier target the following day.
This attack was demonstrated on The Real Hustle (BBC TV, UK).
Relying on the host processor to validate the POS terminal is pointless. As has been mentioned: the "imposter" POS terminal does not need to communicate with the host - it only needs to appear to have done so. Its only goal may be to harvest PINs and track images by satisfying the client and merchant. The merchant will only discover at a later stage when the account is reconciled/settled.
That makes the following 2 defences previously mentioned worth considering:
1. Merchant customises POS terminal appearance to easily indicate imposters (from Adam).
2. Client deliberately enters invalid PIN first to verify negative result before retrying with correct PIN for positive result (from: Annon E Mouse).
Certainly not foolproof - but simple to implement.
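As an added example (not from the post or any commenter), here is processor-side detection logic in Python covering both points raised above: Slava Gomzin's real-time check of terminal serial numbers, and the objection that an imposter terminal never talks to the host at all, which from the processor's side shows up as an enrolled terminal going quiet during business hours. Merchant IDs, terminal serials and the authorization log are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data (no real merchants or terminals): the terminal
# serials the processor has enrolled per merchant, and one day's auth log.
REGISTERED = {"M-1001": {"T-A1", "T-A2"}, "M-2002": {"T-B1"}}
AUTH_LOG = [  # (timestamp, merchant_id, terminal_serial)
    ("2012-06-19T09:15", "M-2002", "T-B1"), ("2012-06-19T09:30", "M-1001", "T-A1"),
    ("2012-06-19T09:40", "M-1001", "T-A2"), ("2012-06-19T11:00", "M-2002", "T-B1"),
    ("2012-06-19T11:45", "M-1001", "T-A1"), ("2012-06-19T12:10", "M-1001", "T-A2"),
    ("2012-06-19T13:05", "M-1001", "T-ZZ9"),  # serial never enrolled for M-1001
    ("2012-06-19T13:30", "M-2002", "T-B1"), ("2012-06-19T14:00", "M-1001", "T-A1"),
    ("2012-06-19T16:00", "M-2002", "T-B1"), ("2012-06-19T16:30", "M-1001", "T-A1"),
    ("2012-06-19T18:30", "M-2002", "T-B1"), ("2012-06-19T19:00", "M-1001", "T-A1"),
    ("2012-06-19T20:45", "M-1001", "T-A1"), ("2012-06-19T20:50", "M-2002", "T-B1"),
]

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M")

def unregistered_terminals(log, registry):
    """Alert on any authorization from a serial not enrolled for that merchant
    (catches a swapped terminal that does forward transactions to the host)."""
    return [(merchant, term, ts) for ts, merchant, term in log
            if term not in registry.get(merchant, set())]

def silent_terminals(log, registry, day_start, day_end, max_gap_hours=3):
    """Alert on enrolled terminals with no authorizations for longer than
    max_gap_hours inside business hours: a swapped terminal that never
    contacts the host makes the real serial fall silent."""
    seen = defaultdict(list)
    for ts, merchant, term in log:
        seen[(merchant, term)].append(_ts(ts))
    max_gap = timedelta(hours=max_gap_hours)
    alerts = []
    for merchant, terms in registry.items():
        for term in sorted(terms):
            points = [_ts(day_start)] + sorted(seen[(merchant, term)]) + [_ts(day_end)]
            for a, b in zip(points, points[1:]):
                if b - a > max_gap:  # first gap that exceeds the threshold
                    alerts.append((merchant, term, a.isoformat(), b.isoformat()))
                    break
    return alerts
```

Both checks are cheap for a processor that already sees every authorization; the silence check needs per-merchant opening hours and a threshold tuned to the merchant's normal transaction rate.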
@BF Skinner -
1. Requires system redesign and modification - I would say POS systems require secure design in the first place rather than "redesign". By the way, I did not mention it in the original post - there are systems that already implement this feature.
2. Communication between the terminal and processor is encrypted (in systems with secure design) so this measure would not be "subject to interception and imitative deception".
@adam, @BF Skinner - Interesting idea, but I don't think in reality "It's simple, cheap": if you make it simple and cheap, it would be easy to replicate. If you make it complex and expensive - it will not pass the cost-benefit test.
I'd like to add one more to POS terminal customisation and deliberately using a wrong PIN on the first try, i.e. increasing the sentences that come with a conviction for specific types of financial fraud. Today, in many countries the benefits far outweigh the risks, which is one of the main drivers behind this type of crime.
Mark them with a UV pen, and check them at the start of each shift. You now need an insider to pull off the switch, which increases the risk for the fraudster.
A merchant can choose to customise his terminal.
A client can choose to enter a correct or incorrect PIN.
However, it can be more difficult to effect law changes. In these cases the individual frauds may be minor (below some threshold) and so cannot attract a harsh sentence.
Bear in mind that the wise perpetrators will know all the limits and boundaries at stake, e.g. authorisation limits, daily card limits, legal limits, policing thresholds, etc, etc. They will seek to optimise their return for minimal risk.
For merchants, wouldn't the easiest solution be to padlock the terminal to the counter, to make it harder to replace?
Private key or public key? :)
The fundamental problem here is that the card holder must trust an input device (the terminal) to behave correctly. The entire PIN security portion of the PCI standards is premised on this requirement. Terminals undergo certification to ensure correct behaviour, but even an appropriately knowledgeable customer has no way to tell a real device from a fake one.
Online terminal verification does not solve the problem. For starters it prevents offline transactions, which makes your ability to accept card payments fragile. Online transactions also cost more than offline+batch transactions. So it makes financial sense (for large retailers in particular) to accept offline transactions rather than turn away customers who have no alternative tender.
Since this is a card cloning attack, online verification is easily bypassed. Assume that the attack is conducted by an insider to the retailer or restaurant. They use your card on one terminal, you enter your PIN, it shows the message "Cannot connect to host" and prints a failure slip for you. Card cloned, PIN captured. The clerk shows you the screen message and slip and you consent to using the backup terminal (most stores have a backup for this sort of situation) where your payment completes successfully.
EMV chip cards (both contact and contactless) are not necessarily secure against cloning. Many banks have issued Static Data Authentication (SDA) cards, which are cheaper to manufacture. SDA cards can be cloned and used for offline transactions without knowing your PIN (for offline transactions your PIN is submitted to the card for verification, so it is trivial to create a card that accepts any PIN). Even cards that generate a dynamic iCVV are susceptible to skimming (see e.g. Kristin Paget "Credit Card Fraud - the contactless generation" at Shmoocon 2012).
So long as there is an untrusted device between the cardholder and the card, this problem isn't going to go away.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.