Verifone, the manufacturer of most of the UK’s PIN card reader terminals, recently acknowledged that a researcher at the Black Hat security conference had managed to hack one of its readers. So is it time to rethink how POS devices can be maintained, managed and upgraded?
It’s convenient to do so over a network or, in the case of chip-and-PIN devices, using special maintenance cards. But we may be at the point where that’s simply not secure.
Verifone announced that it was already working on an update to address the security issue, but terminals by other manufacturers had also been targeted, and that means other PIN pad vendors have similar security issues. We just don’t know which ones.
In the demonstration on July 25, researchers from UK-based MWR InfoSecurity said they tested second-hand PIN pads on eBay and found that two of the chip-and-PIN devices popular in the UK could be breached through specially programmed smartcards that took control of the PIN pad.
That shouldn’t be possible. Only data associated with a transaction - well-defined messages between the card and the device - should be going back and forth. A bad message should result in a rejected transaction. It’s supposed to be a smarter, and thus more secure, version of a magstripe swipe.
But it did happen. The researchers blamed it on a problem with the payments application in the PIN pad. But this is being kind. This could well be a designed-in security hole.
The problem is that it’s really convenient to be able to test and upgrade PIN pads without opening them up. But if that’s done by means of specially programmed cards that give a technician access to the software, then the smartcard is doing more than just Europay, MasterCard and VISA (EMV) transactions and the security of EMV is compromised.
Even if payments remain secure, everything else in the PIN pad - what’s keyed in, what’s displayed on the screen, what’s sent across the network - has lost its protection.
That’s probably still safe in the hands of a vendor technician. But what a technician can do, a security researcher - or a thief - can do, too.
Both vendors and customers like the convenience of allowing technicians software access. It means a PIN pad can be fixed or upgraded in place, without being swapped out and, in effect, remanufactured, which even though more secure, is expensive and time-consuming.
Even more popular is the idea of maintaining POS devices remotely - not even sending out a technician with a special smartcard, just just upgrading a system over the network. But that can just turn a local attack opportunity into a remote attack opportunity.
No national chain wants to give up the convenience of in-place or remote maintenance. But the security problem may be insurmountable.
Every POS device has to pass Payment Card Industry certification. But that means it has been tested - not attacked. Reasonable assumptions about security no longer apply at a time when any POS device can be purchased, reverse engineered, and every security hole found and exploited.
That means it’s time to be unreasonable. Both vendors and retailers need to start acting genuinely paranoid about their devices - hardening them way beyond what’s reasonable, even if it means more cost and inconvenience.
Otherwise the embarrassing demonstrations and, worse, the expensive PIN pad breaches will keep coming.
StorefrontBacktalk is the U.S.’s leading source for global retail technology, e-commerce and mobile commerce issues, including security, in-store strategies and CRM issues.