Black Hat Las Vegas: Point-of-sale experts bypass security measures in popular PIN pad, including EMV protections

Nir Veltman and Patrick Watson of NCR Corporation demonstrate how to hack into a PIN pad-based POS transaction.
Nir Veltman and Patrick Watson of NCR Corporation demonstrate how to hack into a PIN pad-based POS transaction.

After physically demonstrating how to hijack retail point-of-sale transactions – including those using EMV-standard chip cards – two security experts from NCR Corporation offered attendees at Black Hat critical tips on preventing such incidents in real life. 

Nir Veltman, head of application security, and Patrick Watson, software security architect, suggested that merchants use point-to-point encryption (P2PE) to secure the data transfer between a payment terminal or PIN pad and the actual POS solution. If the POS system or payment application doesn't support P2PE, then retailers should ask their vendors to at least use TLS (Transport Layer Security) or SSLv3 (Secure Socket Layer) encryption protocols.

Also, merchants should avoid rote firmware downgrades, and should also confirm that any forms or screens that are to be displayed on the payment solution are officially signed by the manufacturer before downloading them to the system.

Meanwhile, retail customers can better protect themselves by watching out for suspicious prompts at payment terminals that might indicate a POS hijacking. For instance, consumers should never have to enter their PINs more than once. If the POS display asks you to reenter your PIN, “take your card out and restart the transaction,” said Veltman. Nor should consumers be asked for unusual information such as Social Security numbers.

The NCR researchers also suggested that consumers take advantage of mobile app-based payment systems whenever possible to eschew the use of payment cards.

In their session, Veltman and Watson revealed the weaknesses of a commonly used PIN pad (they withheld the brand's name) by simply modifying several files on the point of sale or manipulating the communication protocols. The PIN pad's own operating system was never compromised, but the protections surrounding it were bypassed.