Crooks can trick users into handing over their PIN codes

Aug 6, 2016 21:40 GMT

Two researchers at the Black Hat USA 2016 security conference have demonstrated a new method of attacking PoS systems and the payment devices attached to them: it intercepts payment card data in transit and can even trick cardholders into handing over their PIN and CVV codes.

The two, Nir Valtman and Patrick Watson, aren't independent researchers but employees of NCR Corporation, one of the leading vendors of ATMs and POI (Point of Interaction) hardware.

Valtman and Watson presented a Man-in-the-Middle (MitM) attack that can be carried out either with a hardware implant or purely in software.

Attack works at the hardware and software levels

Their attack works because POI devices such as card readers and PIN pads send card data to the PoS software in the clear and do not authenticate the other end of the link, so neither side can tell whether it is talking to its legitimate counterpart or to something interposed on the cable.

PoS software, usually an application running on a PC near the POI devices, is the component that gets infected in the well-known memory-scraping attacks, where malware reads card numbers out of the PC's RAM while the application is processing them.

The MitM attack the two presented instead relies on a device placed between the PIN pad or card reader and the computer running the PoS software.

This device acts as a proxy between the two, intercepting and storing the data they exchange. For a magnetic-stripe swipe that is the track data: the card number (PAN), the cardholder's name, and the expiration date.

Attackers can fool users into giving over their PIN and CVV codes

Because the device sits in a privileged position on the link, and because the PIN pad does not authenticate the source of the display commands it receives, the researchers say it can let the legitimate transaction complete and then prompt the cardholder to enter the PIN a second time, or even ask for the card's security code (CVV). The cardholder, looking at what appears to be the trusted PIN pad, has no way to tell the forged prompt from a real one.

Furthermore, if planting a hardware device is not an option, the researchers said that PoS malware could inject malicious code into a DLL of a legitimate PoS application, which can then send the same PIN and CVV requests to the pad from the software side.

To mitigate such attacks, the researchers recommend that POI vendors implement P2PE (Point-to-Point Encryption) on their devices, so that card data is encrypted inside the reader under keys the PoS host never holds and is only decrypted by the payment processor; an interposed device or an infected PoS application then sees nothing but ciphertext.
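The attack and the mitigation above, simulated end to end as an added example that is not the researchers' code and not any real POI protocol. The `TYPE:payload` message framing, the test card and the PoS-side message flow are constructed for illustration, and the stream cipher (an HMAC-SHA256 keystream) is a toy stand-in for the AES/DUKPT that real P2PE readers use. One caveat the article does not spell out: P2PE by itself only hides the card data; to stop the forged "Re-enter PIN" prompt the pad must also refuse display commands that are not authenticated by the host, which the simulation models with a host MAC on prompts.

```python
import hmac
import hashlib
import os


def luhn_ok(pan: str) -> bool:
    """Luhn check: RAM scrapers and link taps use it to confirm a hit is a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def parse_track2(track: str) -> dict:
    """Parse an ISO 7813 Track 2 record ';PAN=YYMMsss...?' as an unencrypted
    reader sends it: start sentinel, PAN, separator, expiry, service code,
    discretionary data, end sentinel."""
    if not (track.startswith(";") and track.endswith("?") and "=" in track):
        raise ValueError("not a track 2 record")
    pan, rest = track[1:-1].split("=", 1)
    if not (13 <= len(pan) <= 19 and pan.isdigit() and luhn_ok(pan)):
        raise ValueError("invalid PAN")
    return {"pan": pan, "expiry": rest[:4], "service_code": rest[4:7]}


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher (HMAC-SHA256 counter keystream) standing in for the
    AES/DUKPT of real P2PE readers; adequate for a simulation, not for use."""
    stream = b""
    for block in range((len(data) + 31) // 32):
        stream += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))


def mac_hex(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).hexdigest().encode()


class PinPad:
    """POI device. With p2pe=True it encrypts card data under a key shared only
    with the processor and shows prompts only when they carry a valid host MAC."""

    def __init__(self, p2pe: bool, proc_key: bytes, host_key: bytes):
        self.p2pe, self.proc_key, self.host_key = p2pe, proc_key, host_key
        self.displayed = []

    def swipe(self, track: str) -> bytes:
        if not self.p2pe:
            return b"CARD:" + track.encode()          # cleartext, as in the talk
        nonce = os.urandom(12)
        ct = keystream_xor(self.proc_key, nonce, track.encode())
        tag = hmac.new(self.proc_key, nonce + ct, hashlib.sha256).digest()
        return b"CARD:" + (nonce + ct + tag).hex().encode()

    def receive(self, msg: bytes) -> bool:
        kind, _, body = msg.partition(b":")
        if kind != b"PROMPT":
            return False
        if self.p2pe:
            text, _, tag = body.rpartition(b"|")
            if not hmac.compare_digest(tag, mac_hex(self.host_key, text)):
                return False                           # forged prompt refused
            body = text
        self.displayed.append(body.decode())
        return True


def host_prompt(text: bytes, host_key: bytes, p2pe: bool) -> bytes:
    """What the legitimate PoS host sends to the pad (authenticated under P2PE)."""
    return b"PROMPT:" + (text + b"|" + mac_hex(host_key, text) if p2pe else text)


class Mitm:
    """Interposer on the pad-to-PoS link: logs card data, then pushes a prompt."""

    def __init__(self):
        self.captured = []

    def pad_to_host(self, msg: bytes) -> bytes:
        kind, _, body = msg.partition(b":")
        if kind == b"CARD":
            try:
                self.captured.append(parse_track2(body.decode()))
            except ValueError:
                pass                                   # ciphertext: nothing usable
        return msg                                     # forward, so the sale goes through

    def host_to_pad(self, msg: bytes, pad: PinPad) -> None:
        pad.receive(msg)                               # let the real approval through
        if b"Approved" in msg:
            pad.receive(b"PROMPT:Re-enter PIN")        # then ask for the PIN again


def run_transaction(p2pe: bool) -> tuple:
    """One swipe through the interposer; returns (PANs captured, texts shown)."""
    pad = PinPad(p2pe, proc_key=os.urandom(32), host_key=os.urandom(32))
    mitm = Mitm()
    track = ";4111111111111111=22121011234567890?"    # constructed test card
    mitm.pad_to_host(pad.swipe(track))                 # host forwards to processor
    mitm.host_to_pad(host_prompt(b"Approved", pad.host_key, p2pe), pad)
    return [c["pan"] for c in mitm.captured], pad.displayed
```

Running `run_transaction(False)` reproduces the talk: the interposer logs the PAN and the pad displays the forged "Re-enter PIN" after the genuine approval. With `run_transaction(True)` the interposer records nothing (the CARD payload no longer parses as track data) and the pad shows only the host's authenticated prompt. Note that the processor key never reaches the PoS host or the interposer, which is the whole point of P2PE.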

Additionally, cardholders should pay attention during in-person transactions. They should never re-enter their PIN when a terminal asks for it a second time, and should never type their CVV into a PIN pad, since the CVV is only needed for online (card-not-present) payments.