POSWorld. Should You be Afraid of Hands-On Payment Devices?

Conference: BlackHat EU 2020

2020-12-10

Summary

The presentation discusses vulnerabilities in point-of-sale terminals and how they can be weaponized for fraudulent transactions. The focus is on Ingenico pin pads and their weaknesses in terms of software components.

Point-of-sale terminals have vulnerabilities that can be exploited to gain access to internal FTP servers and manipulate traffic between the point of sale and the acquire.
Ingenico pin pads have several vulnerabilities, including the use of an insecure protocol for opening FTP servers and a trace mode with no authentication or encryption.
Cloning terminals is possible by stealing various keys, allowing for fraudulent transactions and money movements.
The presentation also discusses how the new payment rules in Europe can be bypassed using modified terminals.
The vendor took two years to confirm and fix the vulnerabilities, but it is unclear how well they were actually fixed.

The algorithm for pin entry on most point-of-sale terminals is not as secure as one might think. The pin pad sends the pin directly to the main operating system, where it can be accessed by malware before encryption. This allows hackers to obtain pin codes and track 2 data before they are encrypted and carry out fraudulent transactions.

Abstract

The dark market is full of cloned Point of Sales terminals and offers for fake merchant accounts. But how do they get there if every terminal is built to have anti-tampering mechanisms, segregated memory for private crypto keys, and multiple other layers of protection? In this talk, we follow the life cycle of the most popular PoS terminals of major vendors from their release onto the retail market through to breaking the device and cloning the terminal. We show you exactly what it takes for hackers to use PoS terminals to cash out.

Materials:

Slides

Paper

Tags: