NCR Corp. researchers demonstrated how credit card chip-and-PIN protections could be bypassed with a passive man-in-the-middle...
attack on point-of-sale terminals and PIN pads, allowing card data to be used and modified elsewhere. How does this type of attack work, and what can be done to prevent PIN pads from exposing card data?
Nir Valtman and Patrick Watson, security researchers from payment technology firm NCR Corp., presented their findings on vulnerabilities in payment environments, like PIN pads, at Black Hat USA 2016. Their research showed that legacy systems and modern systems with legacy functionality are insecure and can be exploited by monitoring the network connections where credit card data passes unencrypted.
The specific details they presented are new, but this exploit is a variant of a well-known problem. An attacker that gets into a man-in-the-middle position can capture this data or make changes in the transaction flow to make the transaction look like it occurred offline.
The researchers' mitigation recommendations for these vulnerabilities include using strong encryption, using signed firmware and encrypting offline transaction data for PIN pads. While these are very good recommendations, it is unlikely legacy systems will be able to take advantage of them. The best case would be for businesses to upgrade their technology to take advantage of point-to-point encryption, but, given the cost, some businesses may choose to accept the risk of a security incident.
The risks are significant, but enterprises can take some steps to minimize them, such as not storing payment card numbers past transaction settlement, purging primary account numbers that are stored when operating offline after transactions are settled and implementing tokenization if the data is stored.
The Payment Card Industry (PCI) Standards Council has best practices for preventing card skimming that enterprises can put in place to protect their point-of-sale terminals. Enterprises should also be cautious of unusual prompts during payment entry and when using PIN pads in their security awareness training programs.
Find out how your company can benefit from using PCI Data Security Standard
Read about out-of-band security controls for credit card data protection in your enterprise
Learn if chip-and-PIN technology is effective for preventing credit card hacking
Dig Deeper on Data loss prevention technology
Related Q&A from Nick Lewis
Sophos researchers believe the SamSam ransomware campaign could be the work of one or a few threat actors using manual techniques. Learn how it works... Continue Reading
The hacking group Magecart was recently found to have run a card skimming campaign that put customer information at risk. Learn how this attack ... Continue Reading
A new version of GandCrab was discovered by researchers in July 2018 and involves the use of legacy systems. Learn how this version differs and who ... Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.