If you’ve ever paid for groceries, or settled a bar tab by swiping your credit or debit card and typing a Personal Identification Number, you likely didn’t know the device you just used poses a security risk for you and the hundreds of millions of other consumers who use them.
The chip- and card-based terminals are used by retailers and others in Canada, the U.S., Europe and elsewhere allowing customers to punch in their secret PIN to complete a transaction. In the U.K. alone more than 852 million card payments were processed using PIN pad terminals in April, according to the U.K. Cards Association trade body.
Researchers at U.K.-based IT security company MWR InfoSecurity claim that the terminals are not secure and that cybercriminals can use fake cards containing software code to gain access not only to a customer’s PIN and primary account number shown on the front of a plastic card, but also to the merchant’s IT network.
“Our research shows security of PIN pads is below that which consumers should expect for transactions of this nature,” said Ian Shaw, managing director of MWR. “Our investigations have shown that the range of vulnerabilities found in these devices could compromise consumers’ card details and PIN.
“It may also leave merchants unprotected and cause serious disruption to their businesses, potentially exposing both of them to serious fraud.”
The MWR researchers claim that a sophisticated attacker may even be able to gain access to PIN pad terminals without the terminal owner being aware that their security systems have been breached.
For example, a customer at a restaurant could pretend to be making a payment with a “Trojan card” but instead could gain access to the payment terminal. From that point onwards, all PIN numbers and other cardholder information that passes through that terminal could be gathered by the criminal.
Cyber thieves could then use existing communication channels such as an Internet connection, WiFi, Bluetooth or a mobile cellular network to retrieve that information. Alternatively, the criminal could return and insert again the malicious smart card to collect the recorded data from the payment device.
MWR, which plans to highlight its findings at the Black Hat security conference in Las Vegas this month, says that in line with its disclosure policy, it has already alerted PIN pad terminal manufacturers.
The leading terminal manufacturers have yet to respond publicly to the warning and credit card issuers said they have not yet seen the research but noted that in general, PIN-based transactions are considered more secure than those based on a signature.
Despite the growing threat posed by hackers and cyber criminals, this is believed to be the first time that a security vulnerability has been identified within PIN pad software. MWR says its early research indicates that “tens of thousands” of PIN pad terminals are affected by these vulnerabilities.
Mr. Shaw noted that in general, security efforts have been directed to securing the PIN pads physically, but that the software installed in the terminals remains highly vulnerable. “Even the typical consumer smartphone deploys more security features than the technology used in these devices,” he said.