Abstract
Payment systems fraud is considered in the center of several types of criminal activities. The introduction of robust payment standards, practices and procedures has undoubtedly reduced criminals’ profit, and significantly hardened their work. Still though, all payment systems’ components are constantly scrutinised to identify vulnerabilities. This chapter focuses on the security of payment terminals, as a critical component in a payment system’s infrastructure, providing an understanding on potential attacks identified in the literature. The attacks are not only limited to those aiming to insult terminals’ tamper-resistance characteristics but also include those that target weak procedures and practices aiming to facilitate the design of better systems, solutions and deployments.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
- 1.
Figures reveal that payment card fraud is one of the most profitable attacks for fraudsters and costly for the card payments industry to defeat. In the U.S. alone, card fraud costs the card payments industry an estimated US$8.6 billion per year [1].
- 2.
Chip and PIN (http://www.chipandpin.co.uk) is the UK’s flavour of EMV introduced in 2004 and fully rolled-out in February 2006.
- 3.
Listed in alphabetical order: American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc.
- 4.
- 5.
- 6.
- 7.
- 8.
Aka card verification value (CVV or CVV2), card validation code (CVC or CVC2) or Value, or Card Security Code
- 9.
As Professor Chris Mitchell points in his Lecture Slides (Available: http://www.isg.rhul.ac.uk/cjm/IY5601/IY5601_B_060205_83-156.pdf) CDA, if appropriately used, makes EMV robust against wedge attacks.
- 10.
Details were given by the US National Counterintelligence Executive, Dr Joel Brenner in a Daily Telegraph interview, http://www.telegraph.co.uk/news/uknews/law-and-order/3173346/Chip-and-pin-scam-has-netted-millions-from-British-shoppers.html.
- 11.
Johnston et al. [21] demonstrated that bypassing tamper-indicating security, aka security seals, can sometimes be quite trivial.
- 12.
- 13.
- 14.
Skimming devices are even sold on Internet forums for about 8,000€.
- 15.
According to [23], at the end of 2011, more than 134 million UK cards had unique iCVV.
- 16.
- 17.
- 18.
- 19.
- 20.
The attack is only successful with SDA cards used off-line and not with DDA or CDA cards, or on-line transactions as the fraudster cannot have access to the keys necessary for card data authentication.
- 21.
According to http://www.dailymail.co.uk/news/article-389084/Millions-danger-chip-pin-fraudsters.html: “Of the 6.2billion transactions on a credit, debit or charge card carried out every year in this country, one in five happens ‘off-line’, meaning the chip and pin terminal does not connect to the cardholder’s bank.”
- 22.
From 1st January 2011 schemes mandated that all new and replacement cards support DDA. At the end of 2011, 98 million DDA cards were in issue in the UK [23].
References
Aite Group: Card Fraud in the United States: The Case for Encryption. January 2010. Available: http://www.aitegroup.com
ENISA, ATM crime: Overview of the European situation and golden rules on how to avoid it. August 2009. Available: www.enisa.europa.eu
EMVCo. A Guide to EMV. Version 1.0. May 2011. http://www.emvco.com
PCI, SSC Wireless Special Interest Group Implementation Team - Information Supplement: PCI DSS Wireless Guideline. Available: https://www.pcisecuritystandards.org/pdfs/PCI_DSS_Wireless_Guidelines.pdf
Payment card Industry (PCI) Data Security Standard: Requirements and Security Assessment Procedures. Version 2.0. October 2010. Available: https://www.pcisecuritystandards.org
PCI, SSC: PCI Data Storage Do’s and Dont’s. Available: https://www.pcisecuritystandards.org/pdfs/pci_fs_data_storage.pdf
PCI Encrypting PIN Pad (EPP) - Security Requirements, v2.1. January 2009. Available: https://www.pcisecuritystandards.org/documents/epp_security_requirements.pdf
Payment Card Industry (PCI) Point-to-Point Encryption. September 2011, Available: https://www.pcisecuritystandards.org
Murdoch, S. J., Drimer, S., Anderson, R., and Bond, M.: Chip and PIN is Broken. IEEE Symposium on Security and Privacy (2010) pp 433–444.
Anderson, R., Bond, M., and Murdoch, S. J.: Chip and SPIN. Computer Security Journal v 22 no 2 (2006) pp 1–6.
Desmedt, Y., Goutier, C., and Bengio, S. Special uses and abuses of the Fiat-Shamir passport protocol. In Advances in Cryptology CRYPTO 87: Proceedings (1987), vol. 293 of LNCS, Springer, p. 21.
Murdoch, S.J., EMV flaws and fixes: vulnerabilities in smart card payment systems. Available: http://www.cl.cam.ac.uk/sjm217/talks/leuven07emv.pdf
Everett D. Chip and PIN Security. Available: http://www.smartcard.co.uk/Chip and PIN Security.pdf
EMV Iintegrated Circuit Card Specifications for Payment Systems - Book 2: Security and Key Management. Available: https://www.emvco.com
EMV Iintegrated Circuit Card Specifications for Payment Systems - Book 3: Application Specification. Available: https://www.emvco.com
Murdoch, S. J., Drimer, S., Anderson, R., and Bond, M.: EMV PIN verification "wedge" vulnerability, February 2010. Available: http://www.cl.cam.ac.uk/research/security/banking/nopin/
Drimer, S., and Murdoch, S. J.: Keep your enemies close: Distance bounding against smartcard relay attacks. In USENIX Security Symposium, August 2007. Available: http://www.usenix.org/events/sec07/tech/drimer/drimer.pdf
Centenaro, M., Focardi, R., Luccio, F., Steel, G.: Type-based analysis of PIN processing APIs. In: Backes, M., Ning, P. (eds.) ESORICS 2009. LNCS, vol. 5789, pp. 5368. Springer, Heidelberg (2009).
The UKCARDS Association: Security guidance for card acceptance devices - Deployed in the face-to-face environment.
EMV Integrated Circuit Card Specifications for Payment Systems: Book 4 - Cardholder, Attendant, and Acquirer Interface Requirements, June 2008. Available: www.emvco.com.
Johnston, R. G., Garcia, A. R., and Pacheco, A. N.: Efficacy of tamper-indicating devices. Journal of Homeland Security (April 2002).
Mowery, K., Meiklejohn, S., Savage, S.: Heat of the Moment: Characterizing the Efficacy of Thermal Camera-Based Attacks. In 5th USENIX Workshop on Offensive Technologies, August 2011. Available: http://www.usenix.org/events/woot11/tech/final_files/Mowery.pdf
Financial Fraud Action UK: Fraud - The Facts 2012. Available: http://www.financialfraudaction.org.uk
SPVA Lifecycle of a Secure Payment Device: Post Manufacturing Stage, June 2011, Available: www.spva.org.
Mastercard, Understanding Terminal Manipulation at the Point of Sale. Available: http://www.mastercard.com/us/company/en/docs/Terminal_Manipulation_At_POS.pdf
Visa Best Practices for Primary Account Number Storage and Truncation. Available: http://usa.visa.com/download/merchants/PAN_truncation_best_practices.pdf
European Association of Payment Service Providers for Merchants. Point-to-Point Encryption and Terminal Requirements in Europe. May 2011. Available: http://www.epsm.eu
VISA, Guide to Data Field Encryption. Available: http://www.visacemea.com/ac/ais/uploads/AIS_Guide_0610_Data_Field_Encryption.pdf
Mastercard Worldwide, An Analysis of End-to-end Encryption as a Viable Solution for Securing Payment Card Data. Available: http://www.mastercardacquirernews.com/pdfs/encryptionAnalysis.PDF
Visa Best Practices for Tokenization Version 1.0. Available: http://usa.visa.com/download/merchants/tokenization_best_practices.pdf
CISP Bulletin, Top three POS system vulnerabilities identified to promote data security awareness. November 2006. Available: http://usa.visa.com/download/merchants/top_three_pos_system_vulnerabilities_112106.pdf
Bond, M., Cvrcek, D., and Murdoch S.J.: Unwrapping the Chrysalis, In: Technical report, No. 592, 2004, Cambridge, GB, p. 15, ISSN 1476–2986.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2014 Springer Science+Business Media New York
About this chapter
Cite this chapter
Rantos, K., Markantonakis, K. (2014). Analysis of Potential Vulnerabilities in Payment Terminals. In: Markantonakis, K., Mayes, K. (eds) Secure Smart Embedded Devices, Platforms and Applications. Springer, New York, NY. https://doi.org/10.1007/978-1-4614-7915-4_13
Download citation
DOI: https://doi.org/10.1007/978-1-4614-7915-4_13
Published:
Publisher Name: Springer, New York, NY
Print ISBN: 978-1-4614-7914-7
Online ISBN: 978-1-4614-7915-4
eBook Packages: Computer ScienceComputer Science (R0)