Payment Terminal Vulnerabilities Identified by Black Hats
Vulnerabilities have been identified in three widely deployed payment terminals:
[EMV] cards have malicious code written on their chips that gets executed when they get inserted into the terminals’ smart card readers.
The researchers used this method to install a racing game on one of the three test devices during their demonstration and played it using its PIN pad and display.
For the second device, the researchers used the same method to install a Trojan program designed to record card numbers and PINs. The recorded information was then extracted by inserting a different rogue card into the payment terminal.
The third payment terminal, which is popular in the U.S., is more sophisticated than the other two devices. It has a touchscreen to facilitate signature-based payments, a smart card reader, a SIM card to communicate over mobile networks, support for contactless payments, a USB port, an Ethernet port and an administration interface that can be accessed both locally and remotely.
- Black Hat: Credit Card Payment Terminals at Risk (eweek.com)
- Researcher develops Android app that can steal credit card information via NFC (androidauthority.com)
- Vulnerabilities in payment terminals demonstrated at Black Hat (pcadvisor.co.uk)