LAS VEGAS -- While retailers are pushing for credit card companies to require PINs for new EMV cards, security researchers at Black Hat 2016 showed how insecure point-of-sale systems are exposing sensitive user information -- including PINs.
In a presentation titled "Breaking Payment Points of Interaction (POI)," Nir Valtman and Patrick Watson, researchers at payment technology firm NCR Corp., demonstrated several man-in-the-middle attacks on widely used POS systems and PIN pads and showed how even new EMV cards are vulnerable to such MitM attacks. Specifically, the two used a simple Raspberry Pi running Wireshark to intercept credit card transactions and capture track 2 data in real time from a PIN pad. The researchers did not disclose the PIN pad vendor name or product type, but they did say that many such POI and POS systems were vulnerable to these types of attacks.
The stolen track 2 data included the card number, account holder's name, expiration date and even the CVV code. "It's just right there," Watson said of the track 2 data during the demo. "There's no encryption."
Valtman said during the demo that they contacted the PIN pad vendor about their research findings and encouraged the company to implement TLS connections to encrypt the track 2 data. The company, however, said its point of sale hardware was too old to support TLS. And while most common POS systems and PIN pads are PCI DSS compliant, that standard doesn't require transactions over a local area network to be encrypted, the team explained, which leaves the transactions vulnerable to MitM attacks.
The duo also showed how new EMV cards were susceptible to the same kinds of passive MitM attacks, which called into question the adequacy of chip and PIN security. While the track 2 data for EMV card transactions was much larger and appeared to be unformed, Watson and Valtman demonstrated how to turn the muddled information into readable data that included the EMV card's PIN.
"EMV is cool, but it is an old standard," Valtman said, "and it is not a secure standard."
The NCR researchers further explained that while EMV does many things well, the technology doesn't stop attackers from using a stolen card number elsewhere, nor does it prevent attackers from modifying stolen track 2 data from the card. For example, the researchers showed how attackers could take an intercepted track 2 packet and alter the data to switch EMV cards from online mode to offline mode, which does not require issuer authorization or PIN validation.
"All the attacker has to do is change a 2 to a 1," Watson said, "and they can use the card for offline transactions."
The researchers also demonstrated another MitM attack that allowed them to send a malicious form to the PIN pad and trick users into resubmitting their CVV or PINs. "Most consumers are trained to trust the PIN pad," Watson said, adding that consumers should never re-enter their PINs on such POS or POI systems and should be cautious of any unusual prompts.
The researchers stressed that the passive MitM attacks used in the demonstration did not require any exploit of the PIN pad operating system or hack of the chip and PIN security measures. All that was required, they said, was finding the LAN used by a PIN pad and intercepting the track 2 data packets with passive MitM attacks.
"It's relatively easy to exploit POI deployments," Valtman said, "if you're in the right place."