NCR Corp. researchers demonstrated how credit card chip-and-PIN protections could be bypassed with a passive man-in-the-middle...
attack on point-of-sale terminals and PIN pads, allowing card data to be used and modified elsewhere. How does this type of attack work, and what can be done to prevent PIN pads from exposing card data?
Nir Valtman and Patrick Watson, security researchers from payment technology firm NCR Corp., presented their findings on vulnerabilities in payment environments, like PIN pads, at Black Hat USA 2016. Their research showed that legacy systems and modern systems with legacy functionality are insecure and can be exploited by monitoring the network connections where credit card data passes unencrypted.
The specific details they presented are new, but this exploit is a variant of a well-known problem. An attacker that gets into a man-in-the-middle position can capture this data or make changes in the transaction flow to make the transaction look like it occurred offline.
The researchers' mitigation recommendations for these vulnerabilities include using strong encryption, using signed firmware and encrypting offline transaction data for PIN pads. While these are very good recommendations, it is unlikely legacy systems will be able to take advantage of them. The best case would be for businesses to upgrade their technology to take advantage of point-to-point encryption, but, given the cost, some businesses may choose to accept the risk of a security incident.
The risks are significant, but enterprises can take some steps to minimize them, such as not storing payment card numbers past transaction settlement, purging primary account numbers that are stored when operating offline after transactions are settled and implementing tokenization if the data is stored.
The Payment Card Industry (PCI) Standards Council has best practices for preventing card skimming that enterprises can put in place to protect their point-of-sale terminals. Enterprises should also be cautious of unusual prompts during payment entry and when using PIN pads in their security awareness training programs.
Find out how your company can benefit from using PCI Data Security Standard
Read about out-of-band security controls for credit card data protection in your enterprise
Learn if chip-and-PIN technology is effective for preventing credit card hacking
Dig Deeper on Data loss prevention technology
Related Q&A from Nick Lewis
Cloud penetration testing presents new challenges for information security teams. Here's how a playbook from the Cloud Security Alliance can help ... Continue Reading
Many cloud providers are tight-lipped about internal security control details. Learn how to evaluate cloud security providers with certifications and... Continue Reading
Enterprises new to the cloud can write new security policies from scratch, but others with broad cloud usage may need an update. Consider these ... Continue Reading