
Point-of-sale experts bypass security measures in popular PIN pad, including EMV protections


After physically demonstrating how to hijack retail point-of-sale transactions – including those using EMV-standard chip cards – two security experts from NCR Corporation offered attendees at Black Hat critical tips on preventing such incidents in real life. 

Nir Veltman, head of application security, and Patrick Watson, software security architect, suggested that merchants use point-to-point encryption (P2PE) to secure the data transfer between a payment terminal or PIN pad and the actual POS solution. If the POS system or payment application doesn't support P2PE, then retailers should ask their vendors to at least use the TLS (Transport Layer Security) or SSLv3 (Secure Sockets Layer) encryption protocols.

Merchants should also avoid rote firmware downgrades, and should confirm that any forms or screens to be displayed on the payment solution are officially signed by the manufacturer before downloading them to the system.
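As an added illustration of the last two recommendations (this is example code, not from the NCR talk or any PIN pad vendor), the following Python check accepts a form/screen package for a payment terminal only if its manifest carries a valid manufacturer tag, the file matches the hash in that manifest, and its version is not older than what is already installed. The manufacturer key, package format and screen contents are constructed for the example, and an HMAC stands in for the asymmetric signature a real terminal would verify with the manufacturer's public key.

```python
import hashlib
import hmac
import json

# Constructed stand-in for the manufacturer's signing key. A real PIN pad holds
# only the manufacturer's *public* key and checks an asymmetric signature
# (e.g. Ed25519); HMAC is used here so the example runs on the standard library.
MANUFACTURER_KEY = b"constructed-manufacturer-key-for-example"

# Constructed screen definitions: a genuine PIN prompt and a tampered one that
# adds the suspicious re-enter-PIN and SSN prompts the article warns about.
GENUINE_SCREEN = b"screen:pin_entry;prompts=ENTER PIN"
TAMPERED_SCREEN = b"screen:pin_entry;prompts=ENTER PIN,RE-ENTER PIN,ENTER SSN"


def sign_manifest(manifest: dict) -> str:
    """Manufacturer-side step (hypothetical): tag the canonical manifest JSON."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(MANUFACTURER_KEY, canonical, hashlib.sha256).hexdigest()


def make_package(version: list, payload: bytes) -> tuple:
    """Build a (manifest, signature) pair for a screen file, as a vendor would."""
    manifest = {"name": "pin_entry", "version": version,
                "sha256": hashlib.sha256(payload).hexdigest()}
    return manifest, sign_manifest(manifest)


def verify_screen_package(manifest: dict, signature: str, payload: bytes,
                          installed_version: tuple) -> tuple:
    """Terminal-side gate: returns (accepted, reason).

    Order matters: an unsigned or altered manifest is rejected before its
    contents (hash, version) are trusted for any further decision.
    """
    if not hmac.compare_digest(sign_manifest(manifest), signature):
        return False, "signature mismatch: manifest not signed by manufacturer"
    if hashlib.sha256(payload).hexdigest() != manifest["sha256"]:
        return False, "payload hash does not match signed manifest"
    if tuple(manifest["version"]) < installed_version:
        return False, "downgrade rejected: version older than installed"
    return True, "accepted"


if __name__ == "__main__":
    manifest, sig = make_package([2, 1], GENUINE_SCREEN)
    print(verify_screen_package(manifest, sig, GENUINE_SCREEN, (2, 0)))
    print(verify_screen_package(manifest, sig, TAMPERED_SCREEN, (2, 0)))
    print(verify_screen_package(manifest, sig, GENUINE_SCREEN, (2, 5)))
```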

Meanwhile, retail customers can better protect themselves by watching out for suspicious prompts at payment terminals that might indicate a POS hijacking. For instance, consumers should never have to enter their PINs more than once. If the POS display asks you to reenter your PIN, “take your card out and restart the transaction,” said Veltman. Nor should consumers be asked for unusual information such as Social Security numbers.

The NCR researchers also suggested that consumers take advantage of mobile app-based payment systems whenever possible to eschew the use of payment cards.

In their session, Veltman and Watson revealed the weaknesses of a commonly used PIN pad (they withheld the brand's name) by simply modifying several files on the point-of-sale system or manipulating the communication protocols. The PIN pad's own operating system was never compromised, but the protections surrounding it were bypassed.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts, and video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
