Security Resources

Archive for the POS-ATM-NFC Payment Security Category

Is Everything We Know About Password Stealing Wrong?

From Microsoft Research comes an interesting article about the viability of password stealing as a criminal business (in the context of committing financial fraud/theft). Here is a summary:

Federal Reserve Regulation E guarantees that US consumers are made whole when their bank passwords are stolen. The implications lead us to several interesting conclusions. First, emptying accounts is extremely hard: transferring money in a way that is irreversible can generally only be done in a way that cannot later be repudiated. Since password-enabled transfers can always be repudiated this explains the importance of mules, who accept bad transfers and initiate good ones. This suggests that it is the mule accounts rather than those of victims that are pillaged. We argue that passwords are not the bottle-neck, and are but one, and by no means the most important, ingredient in the cyber-crime value chain. We show that, in spite of appearances, password-stealing is a bad business proposition.

Link to the full report.

Skimmer Innovation Coming to a POS Near You

Matt Krebs recently posted another entry to his detailed and entertaining catalog of skimming devices, available at Krebs on Security. The device in question was found inside the credit card terminals of a yet-to-be-named U.S. retailer, and is presently being evaluated by Trustwave Spiderlabs. By itself, this is not particularly newsworthy, since there have been many similar cases involving devices attached to PIN pads at retailers like Barnes and Noble, as well as skimmers on/inside gas pumps and ATMs. So what makes this one interesting? The engineering and installation are worth a closer look:

  • The stolen data is encrypted using AES before being stored/transmitted
  • Card numbers and PINs can be retrieved by Bluetooth, and optionally, via cellular
  • The microprocessor was secured against tampering (lock bit set)
  • The PCB appears to have been produced professionally
  • There was delicate soldering work required to attach the device inside the credit card terminal

There is [very reasonable] speculation that the skimming devices were installed either early in the card terminal supply chain, prior to installation, or that the terminals were swapped out at some point with modified versions. Given the complexity of the connections, it is highly unlikely that the devices could have been modified on-site, even by a dishonest service technician.

The quality of these devices is increasingly impressive, and it seems plausible that future versions will be integrated into replacement system boards or peripherals, making their identification even more difficult.

Here are some photos of the Bluetooth skimming module:

[Images: BTSkimmer1, BTSkimmer2]

POS Malware Found in 40 Countries

As reported by the Israel-based IT security firm, Seculert, malware has been found in POS systems in 40 countries, stealing credit card information from hundreds of thousands of consumers. Why should this matter to security integrators? Read on…

“Dexter” – the name given to the malware – appears to target Windows-based systems and servers, and uses a command and control server to tailor attacks and collect stolen data. It is custom-made, and has been used over the past 2-3 months to infect hundreds of POS systems. Some of the targeted systems include big-name retailers, hotels, restaurants and even private parking providers.

One of the unknowns is the method of delivery, since many of the affected systems are servers which would typically not be used for web browsing or other common tasks which might result in infection. It is believed that the attackers may have compromised other computers or devices on the same network, then launched an attack on the server from inside the target’s network.

Once installed, Dexter looks for processes that correspond to specific POS systems, and when it finds them, dumps the memory and parses it for credit card (track one and two) information to send to the C&C server. End-to-end encryption, which protects data from the card reader all the way to the payment processor, would prevent the attack from being successful – but adoption of this technology is slow due to the cost of new hardware.

Security integrators should be concerned about the possibility of their hardware being an attractive vector for future attacks. With the proliferation of DVR/NVR systems (and other security equipment) that integrate with POS – or those that simply share the store LAN/WAN – attackers may find these targets irresistible. PC-based video recorders, in particular, would provide a powerful platform from which to probe the network and infect vulnerable systems. See this post for additional thoughts on the subject.

Stickers vs. Skimmers: Can’t We Do Better?

There is no doubt that securing the global infrastructure against card skimming is a critical task. Despite the cost and complexity of upgrading our technology, the U.S. has reached a point where we can no longer sit idly by while the frequency and sophistication of credit card thefts grows. This problem has always come down to cost. The sheer number of card reading devices in use today has made it economically unjustifiable to switch technologies, given the losses incurred by credit card issuers. It is estimated that bank losses from compromised cards are $2.4 Billion (not including losses borne by merchants themselves, which could be tens of billions), while replacing all payment cards, terminals, and ATM/gas pump readers would top $5.8 Billion.

The reluctance to switch to “EMV” or “Chip and PIN” cards, as many countries in Europe and elsewhere have done, seems shortsighted, but certainly not surprising where such large expenditures are involved. The trends in crime and loss, however, paint a much more serious picture – and will become the driving force to bring the U.S. closer to where we need to be. As one would expect, as countries around the world transitioned to more secure payment systems, crime shifted to the ones that did not – primarily the U.S. – and figures reported by some banks show that fraud has quintupled here in the past five years.

Compounding the problem is the availability of custom electronic devices, known as skimmers, that make reading cards and retrieving PINs easier than ever. Brian Krebs has a great collection of posts and photos of such equipment here (look for “All About Skimmers” in his Categories section). Skimmers can be designed to blend into the exterior of ATMs, mounted inside gas pumps, and attached to retail credit card terminals, making detection very difficult. The security industry has helped raise awareness, but realistically, there is little that can be done to protect the current technology. Applying tamper-evident tape to gas pump access panels, as the Association for Convenience and Fuel Retailing suggests, barely qualifies as a countermeasure, and Barnes & Noble’s PIN pads were compromised despite being located in a busy public space (to be fair, it is unclear whether the B&N terminals were modified in place or prior to installation). Even with a vigilant public and reliable tamper detection for these devices (neither of which exist today), the inherent insecurity of today’s magnetic stripe credit cards demands change. Consider the proliferation of low cost, high resolution cameras – some of which are already finding their way into skimmers. With cameras mounted on either side of a card reader, the potential exists to capture the card number, PIN, and verification code of a card without direct tampering of any kind – and at greater and greater distances.

The good news, as reported early in 2012, is that a program to support smart-card technology upgrades is in the works. The costs will likely be paid by both the merchants and card issuers through direct investment, and changes to the rules regarding security (PCI-DSS), auditing, and liability for fraud. More information can be found here. It is sure to be a long process, however, despite the fact that some retailers are already installing upgraded card readers.

Meanwhile, a press release this week from MasterCard makes it clear that card security will continue to advance. They announced a partnership with Standard Chartered Bank Singapore to roll out cards with an embedded keypad and one-time password generator (picture above). Don’t expect to find one of these in your (U.S.) mailbox anytime soon…

— UPDATE 12-11-2012 —

I decided to make this an anchor post, and will update it periodically with stories and information about skimmers and countermeasures.

12-07-2012 Article from NBC in Southern California about the widespread use of skimmers, including pictures of newer devices with Bluetooth capabilities. Here is one of the images:


8-13-2013 Well, we’re finally seeing some better options being deployed. Here is an article detailing a few of them.

RFID and Zigbee Hacking – Security Directors Beware…

In the security world, few technologies have become more entrenched than proximity-based access control. The cards and readers are everywhere – and overall, they provide a level of convenience and security that far exceeds the systems they replaced, such as mechanical locks, barcodes, magnetic stripes, and the like. A typical access card operates in the same manner as an RFID tag – since it is essentially the same thing. A reader emits RF energy, which energizes a coil inside the card powering a small circuit, which in turn, communicates a unique ID number back to the reader. There are many data formats and matched reader/card frequencies involved, but almost all systems operate in this (simplified) manner.
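The “unique ID number” the card returns is, in most legacy systems, a fixed bit pattern with no secret and no challenge from the reader. To make that concrete, here is an added example (not from the post) in Python of one of the most common layouts, the 26-bit Wiegand format: an 8-bit facility code, a 16-bit card number, and two parity bits, which is all the reader receives. The encoder and decoder below are written as a reader-side check would be (reject frames that fail parity) and are my own illustration; the facility code and card number used are constructed values.

```python
def _popcount(value: int) -> int:
    return bin(value).count("1")


def encode_wiegand26(facility_code: int, card_number: int) -> int:
    """Build a 26-bit frame. Bit 25 (first on the wire) is even parity over the
    leading 12 data bits, bits 24..17 carry the facility code, bits 16..1 the
    card number, and bit 0 is odd parity over the trailing 12 data bits."""
    if not 0 <= facility_code <= 0xFF:
        raise ValueError("facility code must fit in 8 bits")
    if not 0 <= card_number <= 0xFFFF:
        raise ValueError("card number must fit in 16 bits")
    payload = (facility_code << 16) | card_number        # 24 data bits
    left, right = payload >> 12, payload & 0xFFF
    p_even = _popcount(left) & 1                          # makes left half even
    p_odd = 1 - (_popcount(right) & 1)                    # makes right half odd
    return (p_even << 25) | (payload << 1) | p_odd


def decode_wiegand26(frame: int) -> tuple[int, int]:
    """Reader-side decode: verify both parity bits, then split the payload.
    Raises ValueError on a malformed or corrupted frame."""
    if frame < 0 or frame >> 26:
        raise ValueError("not a 26-bit frame")
    p_even = (frame >> 25) & 1
    payload = (frame >> 1) & 0xFFFFFF
    p_odd = frame & 1
    left, right = payload >> 12, payload & 0xFFF
    if (_popcount(left) + p_even) % 2 != 0:
        raise ValueError("even parity check failed")
    if (_popcount(right) + p_odd) % 2 != 1:
        raise ValueError("odd parity check failed")
    return payload >> 16, payload & 0xFFFF


def frame_to_bits(frame: int) -> str:
    """Wire order, first transmitted bit on the left."""
    return format(frame, "026b")


if __name__ == "__main__":
    # Constructed credential: facility 123, card 45678.
    frame = encode_wiegand26(123, 45678)
    print(frame_to_bits(frame), hex(frame))
    print(decode_wiegand26(frame))
```

The security-relevant observation is in what the decoder does not do: there is no nonce, no key and no signature to check, only parity. The same credential produces the same 26 bits on every read, so any device that can observe or reproduce that bit pattern is indistinguishable from the card, which is why the design advice later in this post (do not let a badge alone disarm the alarm) follows directly from the format.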

Over the years, there have been many documented examples of proximity access control hacking, from card emulation and brute-force transmissions at the reader to surreptitious card data capture. So with that in mind, why revisit the subject here? The answer lies in the proliferation and rapidly declining cost of RFID components and other low-energy RF communications, which are poised to transform the way in which we connect and interact with systems and assets of all types.

The growing popularity of RFID tagging (especially in retail), environmental monitoring, intelligent edge devices, and building automation has spurred the development of a wide range of wireless/RF-enabled data collection and triggering. Examples include Zigbee (and similar 802.15.4 products), advanced RFID readers, and Z-Wave. For some developers, security is an afterthought, since the equipment is believed to be so obscure and/or specialized that it is unlikely to be attacked. What we are beginning to see, however, is that the same tactics used by “war-drivers” in the early days of commercial WiFi can expose insecure platforms and potentially open the door (pun intended) to serious security problems.

The good news is that security can be engineered into most of these platforms – in fact, it is often a core component – but it must be “switched on” and used properly. Follow the links below to read about some of the vulnerabilities and hacks that exist today. In practice, being aware of the potential for hacking – especially with immature products, proximity cards, etc. – will help you make good design decisions. For example, once you understand how an access badge can be cloned, you probably won’t allow that badge to also disarm your alarm system, even if the vendor promotes it as a convenience feature. Likewise, if you are testing a new Zigbee-based data collection solution in your retail store, have a discussion with your vendor about how security has been implemented – and even if you like the answer, keep that network isolated until it is well-proven.

More on this subject:

Wardriving for Zigbee: Blog article describing a method for finding and mapping Zigbee networks

Kisbee: Open-source hardware project to capture Zigbee wireless communication

Bootable RFID Live Hacking System: A platform for hacking MIFARE access control cards

Proximity Card Cloning: HID ProxCard-II, ISOProx, and others

iClass Card Details and Cloning

RFID Tutorial

Long Range Cloning: 125KHz Proximity Cards

Barnes & Noble PIN Pads “Hacked”

Barnes and Noble reported today that PIN pads at their registers had been tampered with at 63 stores across nine states.

Even though only one pad per store was compromised, this clearly represents an organized effort to target the chain. B&N has advised customers to change their PIN numbers, and keep a watchful eye out for fraudulent charges on cards used at their stores. At this time, the retailer reports that the perpetrator(s) did not gain access to their customer database, and that online/mobile transactions are secure.

All existing PIN pads were disconnected on September 14th until the situation could be addressed.

Some POS vendors have begun supervising the connection between the PIN pad and POS terminal in an effort to detect device substitution. It will be interesting to learn more about the approach used here, and whether such a feature would have prevented the hack. The official statement references a “bug” being placed in the devices, but it is unclear whether the bugs were installed “hot” in the field, or if the PIN pads were swapped out with matching devices that were modified elsewhere.
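One way such supervision of the PIN pad connection can work, shown here as an added example in Python that is not the approach of any particular POS vendor: at deployment the POS terminal records the pad’s serial number and a per-device key, and then periodically challenges the pad with a fresh random nonce. The pad answers with its serial and an HMAC over the nonce and serial; a pad that has been swapped for one without the provisioned key fails the check, and a captured answer cannot be replayed because each nonce is used once. Both sides are simulated in one process; the serial number and keys are constructed for the example, and the message format is my own assumption.

```python
import hashlib
import hmac
import os


class SimulatedPinPad:
    """Pad side of the link: holds its serial and the key provisioned at deployment."""

    def __init__(self, serial: str, device_key: bytes):
        self.serial = serial
        self._key = device_key

    def respond(self, nonce: bytes) -> dict:
        tag = hmac.new(self._key, nonce + self.serial.encode(), hashlib.sha256).digest()
        return {"serial": self.serial, "tag": tag}


class HostSupervisor:
    """POS side: issues single-use challenges and verifies the pad's answers."""

    def __init__(self, expected_serial: str, device_key: bytes):
        self.expected_serial = expected_serial
        self._key = device_key
        self._outstanding = None          # nonce awaiting an answer, if any

    def challenge(self) -> bytes:
        self._outstanding = os.urandom(16)
        return self._outstanding

    def verify(self, response: dict) -> tuple[bool, str]:
        if self._outstanding is None:
            return False, "no outstanding challenge"
        nonce, self._outstanding = self._outstanding, None   # consume the nonce
        if response.get("serial") != self.expected_serial:
            return False, "serial mismatch: device substituted?"
        expected = hmac.new(self._key, nonce + self.expected_serial.encode(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, response.get("tag", b"")):
            return False, "bad tag: device lacks the provisioned key"
        return True, "ok"


def run_supervision_scenarios() -> dict:
    """Exercise the check against a genuine pad, a substituted pad, and a replay."""
    key = os.urandom(32)                               # constructed device key
    genuine = SimulatedPinPad("PP-000123", key)         # constructed serial
    host = HostSupervisor("PP-000123", key)
    results = {}

    nonce = host.challenge()
    results["genuine"] = host.verify(genuine.respond(nonce))[0]

    # Substituted device: same serial printed on the label, but no provisioned key.
    substitute = SimulatedPinPad("PP-000123", os.urandom(32))
    nonce = host.challenge()
    results["substituted"] = host.verify(substitute.respond(nonce))[0]

    # Replay: a previously valid answer presented against a later challenge.
    nonce = host.challenge()
    earlier_answer = genuine.respond(nonce)
    host.verify(earlier_answer)                         # accepted once
    host.challenge()
    results["replay"] = host.verify(earlier_answer)[0]
    return results


if __name__ == "__main__":
    for scenario, accepted in run_supervision_scenarios().items():
        print(f"{scenario}: {'accepted' if accepted else 'rejected'}")
```

The caveat is the same one the post raises: this detects a substituted or unprovisioned device on the logical link, not a genuine pad that has had a bug fitted inside it, because that pad still holds the key and still answers correctly. Supervision of this kind therefore helps against the swap-out scenario and needs to be paired with physical tamper detection for the in-place modification scenario.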

Here is the company’s press release.