LAS VEGAS–Chip-and-PIN, or EMV, cards have been touted as a more secure alternative to traditional magnetic-stripe cards, but security researchers have found several methods for bypassing the security of these systems by abusing flaws in the point-of-interaction (POI) devices that read them.
Nir Valtman and Patrick Watson demonstrated several techniques for getting around the security on pinpad devices, allowing them to capture the track data, CVV code and other key information needed to use a card number later for fraudulent transactions. By replacing key libraries and files on the pinpad device, and by manipulating the communications protocol the devices use, Valtman and Watson were able to defeat the protection offered by EMV cards.
“EMV doesn’t prevent you from using the card number elsewhere or prevent you from modifying the captured data offline,” Watson said during a talk at the Black Hat conference here Wednesday.
Valtman and Watson demonstrated several different attack methods during their talk, using both passive and active man-in-the-middle (MITM) attacks on the link to the pinpad to inject their modified files onto the target device. The key weakness that allowed them to do this is the lack of authentication to pinpad devices, the small terminals that consumers use to enter PINs during payment transactions: the device does not verify who is sending it files or commands. Once their files are on the device, the pair is then able to capture the card track data and eventually the CVV number.
With that done, they still needed the user's PIN, which is required for EMV transactions. The PIN is normally encrypted as the user enters it. But by using an active MITM attack, Valtman and Watson injected a prompt that asked the user to re-enter their PIN, capturing the second entry in plaintext.
“The user is conditioned to trust these devices, so if they see this screen, they just assume that they typed their PIN in wrong,” Watson said.
“If you see a screen that asks you to re-enter your PIN, take the card out and start a new transaction,” Valtman said.
Despite the bugs and weaknesses they found, Valtman and Watson said there are a number of mitigations that can be put in place to make these attacks more difficult or prevent them entirely. The attacks Valtman and Watson developed do not work against devices with point-to-point encryption (P2PE) enabled, they said. They recommend that manufacturers use hardware-based encryption only, and that they build their devices to trust only signed updates from the vendor itself.
“We need to make sure no one can downgrade the firmware or replace it,” Watson said. “Sometimes you can do that with just a command. Then we can perform these same attacks.”
They also urged manufacturers to sign all of their requests to the POI devices.
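The two mitigations above, accept only vendor-signed updates and refuse downgrades, come down to a small check the device must run before it replaces any file. The following Go program is an added illustration of that check; it is not code from the researchers' talk or from any pinpad vendor, and the manifest format (version number followed by the SHA-256 of the image, signed with Ed25519), the `Update` and `Device` types and the `Scenario` function are assumptions made for the example. It walks through a genuine update, an image modified in transit, a replayed older image, and an update signed with the wrong key, which together cover the file-replacement and downgrade cases the researchers describe.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Update is a firmware update as delivered to the device (hypothetical
// format): a version number, the image bytes, and the vendor's Ed25519
// signature over the manifest built from the two.
type Update struct {
	Version   uint32
	Image     []byte
	Signature []byte
}

// manifest returns the bytes the vendor signs: version || SHA-256(image).
// Signing the digest together with the version binds each version to exactly
// one image, so neither can be swapped after signing.
func manifest(version uint32, image []byte) []byte {
	sum := sha256.Sum256(image)
	buf := make([]byte, 4, 4+len(sum))
	binary.BigEndian.PutUint32(buf, version)
	return append(buf, sum[:]...)
}

// SignUpdate is the vendor side (a hypothetical build-server step).
func SignUpdate(priv ed25519.PrivateKey, version uint32, image []byte) Update {
	return Update{Version: version, Image: image,
		Signature: ed25519.Sign(priv, manifest(version, image))}
}

// Device holds the pinned vendor public key and the installed version. For
// the check to mean anything the key must live somewhere the file-replacement
// attack cannot reach (ROM or a secure element), not in an ordinary file.
type Device struct {
	VendorPub ed25519.PublicKey
	Version   uint32
}

var (
	ErrBadSignature = errors.New("update rejected: signature does not verify under the vendor key")
	ErrDowngrade    = errors.New("update rejected: version is not newer than the installed firmware")
)

// Install verifies the update before anything on the device is touched:
// first the signature (covers version and image), then the anti-rollback
// rule that the version must be strictly newer than what is installed.
func (d *Device) Install(u Update) error {
	if !ed25519.Verify(d.VendorPub, manifest(u.Version, u.Image), u.Signature) {
		return ErrBadSignature
	}
	if u.Version <= d.Version {
		return ErrDowngrade
	}
	d.Version = u.Version
	return nil
}

// Result collects the outcome of each scenario and the final installed version.
type Result struct {
	Genuine, Tampered, Downgrade, Forged error
	Installed                            uint32
}

// Scenario runs four constructed cases against a device that starts at v1.
func Scenario() Result {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)

	// Constructed stand-ins for firmware images.
	v1 := []byte("constructed firmware image v1")
	v2 := []byte("constructed firmware image v2")
	v3 := []byte("constructed firmware image v3")

	dev := &Device{VendorPub: vendorPub, Version: 1}
	var r Result

	// 1. Genuine vendor-signed update v1 -> v2: accepted.
	r.Genuine = dev.Install(SignUpdate(vendorPriv, 2, v2))

	// 2. Genuine v3 manifest, but the image (a "replaced library") was
	//    modified on the wire: the digest no longer matches, so rejected.
	tam := SignUpdate(vendorPriv, 3, v3)
	tam.Image = bytes.Replace(tam.Image, []byte("v3"), []byte("v3-backdoored"), 1)
	r.Tampered = dev.Install(tam)

	// 3. Genuine, correctly signed v1 replayed to roll the device back to a
	//    version whose weaknesses the attacker knows: rejected as a downgrade.
	r.Downgrade = dev.Install(SignUpdate(vendorPriv, 1, v1))

	// 4. Attacker signs a v3 image with their own key: rejected.
	r.Forged = dev.Install(SignUpdate(attackerPriv, 3, v3))

	r.Installed = dev.Version
	return r
}

func main() {
	r := Scenario()
	fmt.Println("genuine:  ", r.Genuine)
	fmt.Println("tampered: ", r.Tampered)
	fmt.Println("downgrade:", r.Downgrade)
	fmt.Println("forged:   ", r.Forged)
	fmt.Println("installed version:", r.Installed)
}
```

The same `Verify` step, with the vendor (or acquirer) key pinned in the device, is what the researchers' last recommendation asks for on the command path: if every request to the POI device, including the instruction to show a prompt such as "re-enter your PIN", must carry a valid signature, an active MITM on the link can still observe traffic but can no longer inject a screen of its own. Note that the anti-rollback counter only helps if it is stored where the attacker's file replacement cannot reset it.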