LAS VEGAS (CNNMoney) — Chip-enabled “smart” credit cards are supposed to be the solution to mass theft, preventing the kinds of attacks recently launched on Target, Michaels and Neiman Marcus customers.
But smart cards are no good if the shop’s point-of-sale devices are dumb.
At the Black Hat cybersecurity conference in Las Vegas on Thursday, two security researchers showed how easily criminals could take control of a shop owner’s credit card terminals — even if the shop uses the latest chip-and-PIN machines.
Those terminals are supposed to be safe, because they encrypt your PIN as you type it and don’t store your credit card’s data. But MWR Labs researchers found that a hacker could easily tell the machines to do the opposite.
MWR, which works closely with the financial industry and governments, has yet to observe this tactic used by criminals.
But the hack is pretty simple: All it takes is inserting a smart card with malware into the machine.
It’s that easy, because the terminals operate on a false sense of trust. They think whatever cards passed through them are authentic bank cards, explained MWR Labs researcher Jon Butler.
Here’s the scenario: At checkout, a hacker pays with a pre-programmed card that injects this command into the machine: “Stop encrypting PINs and store all subsequent credit card swipes in your computer memory.”
All day long, the machine gathers the information. At day’s end, the hacker returns with another card, which sucks all that data out of the machine. The store clerk wouldn’t even notice.
To demonstrate how easy it is to hack a chip-and-PIN machine, Butler and a fellow researcher “paid” with a card that was loaded with a variant of the game Flappy Bird. The terminal then began running the game.
Hacking the terminals is virtually undetectable. Turning the machine off erases all evidence that the hack ever even happened.
The researchers found the weakness in Miura Shuttle handheld point-of-sale terminals, popular hardware that is sold by vendors under many other brand names.
The British company did not immediately respond to requests for comment from CNNMoney. However, researchers said the vendors were cooperative in working to fix the issue. Still, it’s up to merchants to update their systems, which, in reality, they rarely do.