NCR Corp. researchers demonstrated how credit card chip-and-PIN protections could be bypassed with a passive man-in-the-middle...
By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.
attack on point-of-sale terminals and PIN pads, allowing card data to be used and modified elsewhere. How does this type of attack work, and what can be done to prevent PIN pads from exposing card data?
Nir Valtman and Patrick Watson, security researchers from payment technology firm NCR Corp., presented their findings on vulnerabilities in payment environments, like PIN pads, at Black Hat USA 2016. Their research showed that legacy systems and modern systems with legacy functionality are insecure and can be exploited by monitoring the network connections where credit card data passes unencrypted.
The specific details they presented are new, but this exploit is a variant of a well-known problem. An attacker that gets into a man-in-the-middle position can capture this data or make changes in the transaction flow to make the transaction look like it occurred offline.
The researchers' mitigation recommendations for these vulnerabilities include using strong encryption, using signed firmware and encrypting offline transaction data for PIN pads. While these are very good recommendations, it is unlikely legacy systems will be able to take advantage of them. The best case would be for businesses to upgrade their technology to take advantage of point-to-point encryption, but, given the cost, some businesses may choose to accept the risk of a security incident.
The risks are significant, but enterprises can take some steps to minimize them, such as not storing payment card numbers past transaction settlement, purging primary account numbers that are stored when operating offline after transactions are settled and implementing tokenization if the data is stored.
The Payment Card Industry (PCI) Standards Council has best practices for preventing card skimming that enterprises can put in place to protect their point-of-sale terminals. Enterprises should also be cautious of unusual prompts during payment entry and when using PIN pads in their security awareness training programs.
Find out how your company can benefit from using PCI Data Security Standard
Read about out-of-band security controls for credit card data protection in your enterprise
Learn if chip-and-PIN technology is effective for preventing credit card hacking
Dig Deeper on Data loss prevention technology
Related Q&A from Nick Lewis
The OurMine hacking group recently used DNS poisoning to attack WikiLeaks and take over its web address. Learn how this attack was performed from ...continue reading
Typosquatting was used by threat actors to spread malware in the NPM registry. Learn from expert Nick Lewis how this method was used and what it ...continue reading
Threat actors are using phishing email campaigns to fool users with tech support scams and fake Blue Screens of Death. Learn how these campaigns work...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.