Most people are well aware of how using credit cards is becoming a significant security risk these days. Not just online, where data breaches are running rampant these days. But also in real life, as Hotel point-of-sale devices are vulnerable to attacks and malware injections. The world needs a better way to transfer money between users; that much is certain.
The annual DefCon conference is a great event where security researchers showcase their recent findings and exploit them through a proof-of-concept. Rapid7 researchers will focus on the many different vulnerabilities affected point-of-sale devices dealing with payment cards.
Using Point-of-Sale Devices As A Keyboard
One of the most common types of attacks comes in the form of reading the card’s magnetic stripe. As all of the sensitive payment information is stored on this stripe, assailants can clone credit cards for nefarious purposes. Although this vulnerability has been around for many years now, finding a solution is proving to be a bigger challenge than assumed.
The Rapid7 team has discovered a way to inject operating system commands into a Windows-based point-of-sale system through the magstripe reader. In most cases, this part of the magstripe reader is configured to act as a ‘general purpose device”. This allows misuse of the instrument commands, including the installation of malware or opening the register. None of these attacks should be possible in this capacity, yet the majority of point-of-sale devices is vulnerable to this type of attack.
To make matters worse, these attacks can be executed by a device with a programmable electromagnetic field. Distract the cashier for a few seconds, and before you know it, the point of sale device turns into a remotely controllable keyboard. Interestingly enough, Rapid7 has discovered this exploit is affecting nearly all point-of-sale devices manufactured by Samsung,
Manufacturers Need To Take Responsibility
Addressing these problems should not be overly difficult, as two key areas need to be targeted. First of all, magstripe readers should never be used as a keyboard, which can be solved by a software fix. Additionally, applications running on these devices need to be limited regarding accepted commands and data. Injecting keystrokes should never be possible, to begin with, yet right now, assailants can inject those without problems.
Given the mounting number of data breaches around the world, it is not difficult to see where the problems are coming from. Point-of-sale hardware and software used for standard payment methods are both inherently insecure. More secure solutions need to be created, and it will be up to manufacturers to create better countermeasures.
Header image courtesy of Shutterstock