Skip to main content
SpringerLink
Log in

Analysis of Potential Vulnerabilities in Payment Terminals

  • Chapter
  • First Online:
Book cover Secure Smart Embedded Devices, Platforms and Applications

Abstract

Payment systems fraud is considered in the center of several types of criminal activities. The introduction of robust payment standards, practices and procedures has undoubtedly reduced criminals’ profit, and significantly hardened their work. Still though, all payment systems’ components are constantly scrutinised to identify vulnerabilities. This chapter focuses on the security of payment terminals, as a critical component in a payment system’s infrastructure, providing an understanding on potential attacks identified in the literature. The attacks are not only limited to those aiming to insult terminals’ tamper-resistance characteristics but also include those that target weak procedures and practices aiming to facilitate the design of better systems, solutions and deployments.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 189.00
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 249.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info
Hardcover Book
USD 249.99
Price excludes VAT (USA)
  • Durable hardcover edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Notes

  1. 1.

    Figures reveal that payment card fraud is one of the most profitable attacks for fraudsters and costly for the card payments industry to defeat. In the U.S. alone, card fraud costs the card payments industry an estimated US$8.6 billion per year [1].

  2. 2.

    Chip and PIN (http://www.chipandpin.co.uk) is the UK’s flavour of EMV introduced in 2004 and fully rolled-out in February 2006.

  3. 3.

    Listed in alphabetical order: American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc.

  4. 4.

    http://news.bbc.co.uk/2/hi/uk_news/england/4980190.stm

  5. 5.

    http://www.theregister.co.uk/2007/02/06/card_security_attack/

  6. 6.

    http://www.theregister.co.uk/2008/08/13/pin_security_analysis/page2.html

  7. 7.

    http://www.telegraph.co.uk/news/uknews/law-and-order/3173346/Chip-and-pin-scam-has-netted-millions-from-British-shoppers.html

  8. 8.

    Aka card verification value (CVV or CVV2), card validation code (CVC or CVC2) or Value, or Card Security Code

  9. 9.

    As Professor Chris Mitchell points in his Lecture Slides (Available: http://www.isg.rhul.ac.uk/cjm/IY5601/IY5601_B_060205_83-156.pdf) CDA, if appropriately used, makes EMV robust against wedge attacks.

  10. 10.

    Details were given by the US National Counterintelligence Executive, Dr Joel Brenner in a Daily Telegraph interview, http://www.telegraph.co.uk/news/uknews/law-and-order/3173346/Chip-and-pin-scam-has-netted-millions-from-British-shoppers.html.

  11. 11.

    Johnston et al. [21] demonstrated that bypassing tamper-indicating security, aka security seals, can sometimes be quite trivial.

  12. 12.

    http://www.theregister.co.uk/2008/08/06/id_fraud_hacking_case/

  13. 13.

    http://www.theregister.co.uk/2009/08/17/heartland_payment_suspect/

  14. 14.

    Skimming devices are even sold on Internet forums for about 8,000€.

  15. 15.

    According to [23], at the end of 2011, more than 134 million UK cards had unique iCVV.

  16. 16.

    http://www.wired.com/threatlevel/2009/04/pins/

  17. 17.

    http://www.google.com/hostednews/afp/article/ALeqM5isP_cJaxnqSGaPVgUy0P3tSvpqrA

  18. 18.

    http://www.spiegel.de/wirtschaft/soziales/0,1518,670433,00.html

  19. 19.

    http://www.lightbluetouchpaper.org/2009/08/25/defending-against-wedge-attacks/

  20. 20.

    The attack is only successful with SDA cards used off-line and not with DDA or CDA cards, or on-line transactions as the fraudster cannot have access to the keys necessary for card data authentication.

  21. 21.

    According to http://www.dailymail.co.uk/news/article-389084/Millions-danger-chip-pin-fraudsters.html: “Of the 6.2billion transactions on a credit, debit or charge card carried out every year in this country, one in five happens ‘off-line’, meaning the chip and pin terminal does not connect to the cardholder’s bank.”

  22. 22.

    From 1st January 2011 schemes mandated that all new and replacement cards support DDA. At the end of 2011, 98 million DDA cards were in issue in the UK [23].

References

  1. Aite Group: Card Fraud in the United States: The Case for Encryption. January 2010. Available: http://www.aitegroup.com

  2. ENISA, ATM crime: Overview of the European situation and golden rules on how to avoid it. August 2009. Available: www.enisa.europa.eu

  3. EMVCo. A Guide to EMV. Version 1.0. May 2011. http://www.emvco.com

  4. PCI, SSC Wireless Special Interest Group Implementation Team - Information Supplement: PCI DSS Wireless Guideline. Available: https://www.pcisecuritystandards.org/pdfs/PCI_DSS_Wireless_Guidelines.pdf

  5. Payment card Industry (PCI) Data Security Standard: Requirements and Security Assessment Procedures. Version 2.0. October 2010. Available: https://www.pcisecuritystandards.org

  6. PCI, SSC: PCI Data Storage Do’s and Dont’s. Available: https://www.pcisecuritystandards.org/pdfs/pci_fs_data_storage.pdf

  7. PCI Encrypting PIN Pad (EPP) - Security Requirements, v2.1. January 2009. Available: https://www.pcisecuritystandards.org/documents/epp_security_requirements.pdf

  8. Payment Card Industry (PCI) Point-to-Point Encryption. September 2011, Available: https://www.pcisecuritystandards.org

  9. Murdoch, S. J., Drimer, S., Anderson, R., and Bond, M.: Chip and PIN is Broken. IEEE Symposium on Security and Privacy (2010) pp 433–444.

    Google Scholar 

  10. Anderson, R., Bond, M., and Murdoch, S. J.: Chip and SPIN. Computer Security Journal v 22 no 2 (2006) pp 1–6.

    Google Scholar 

  11. Desmedt, Y., Goutier, C., and Bengio, S. Special uses and abuses of the Fiat-Shamir passport protocol. In Advances in Cryptology CRYPTO 87: Proceedings (1987), vol. 293 of LNCS, Springer, p. 21.

    Google Scholar 

  12. Murdoch, S.J., EMV flaws and fixes: vulnerabilities in smart card payment systems. Available: http://www.cl.cam.ac.uk/sjm217/talks/leuven07emv.pdf

  13. Everett D. Chip and PIN Security. Available: http://www.smartcard.co.uk/Chip and PIN Security.pdf

  14. EMV Iintegrated Circuit Card Specifications for Payment Systems - Book 2: Security and Key Management. Available: https://www.emvco.com

  15. EMV Iintegrated Circuit Card Specifications for Payment Systems - Book 3: Application Specification. Available: https://www.emvco.com

  16. Murdoch, S. J., Drimer, S., Anderson, R., and Bond, M.: EMV PIN verification "wedge" vulnerability, February 2010. Available: http://www.cl.cam.ac.uk/research/security/banking/nopin/

  17. Drimer, S., and Murdoch, S. J.: Keep your enemies close: Distance bounding against smartcard relay attacks. In USENIX Security Symposium, August 2007. Available: http://www.usenix.org/events/sec07/tech/drimer/drimer.pdf

  18. Centenaro, M., Focardi, R., Luccio, F., Steel, G.: Type-based analysis of PIN processing APIs. In: Backes, M., Ning, P. (eds.) ESORICS 2009. LNCS, vol. 5789, pp. 5368. Springer, Heidelberg (2009).

    Google Scholar 

  19. The UKCARDS Association: Security guidance for card acceptance devices - Deployed in the face-to-face environment.

    Google Scholar 

  20. EMV Integrated Circuit Card Specifications for Payment Systems: Book 4 - Cardholder, Attendant, and Acquirer Interface Requirements, June 2008. Available: www.emvco.com.

    Google Scholar 

  21. Johnston, R. G., Garcia, A. R., and Pacheco, A. N.: Efficacy of tamper-indicating devices. Journal of Homeland Security (April 2002).

    Google Scholar 

  22. Mowery, K., Meiklejohn, S., Savage, S.: Heat of the Moment: Characterizing the Efficacy of Thermal Camera-Based Attacks. In 5th USENIX Workshop on Offensive Technologies, August 2011. Available: http://www.usenix.org/events/woot11/tech/final_files/Mowery.pdf

  23. Financial Fraud Action UK: Fraud - The Facts 2012. Available: http://www.financialfraudaction.org.uk

  24. SPVA Lifecycle of a Secure Payment Device: Post Manufacturing Stage, June 2011, Available: www.spva.org.

  25. Mastercard, Understanding Terminal Manipulation at the Point of Sale. Available: http://www.mastercard.com/us/company/en/docs/Terminal_Manipulation_At_POS.pdf

  26. Visa Best Practices for Primary Account Number Storage and Truncation. Available: http://usa.visa.com/download/merchants/PAN_truncation_best_practices.pdf

  27. European Association of Payment Service Providers for Merchants. Point-to-Point Encryption and Terminal Requirements in Europe. May 2011. Available: http://www.epsm.eu

  28. VISA, Guide to Data Field Encryption. Available: http://www.visacemea.com/ac/ais/uploads/AIS_Guide_0610_Data_Field_Encryption.pdf

  29. Mastercard Worldwide, An Analysis of End-to-end Encryption as a Viable Solution for Securing Payment Card Data. Available: http://www.mastercardacquirernews.com/pdfs/encryptionAnalysis.PDF

  30. Visa Best Practices for Tokenization Version 1.0. Available: http://usa.visa.com/download/merchants/tokenization_best_practices.pdf

  31. CISP Bulletin, Top three POS system vulnerabilities identified to promote data security awareness. November 2006. Available: http://usa.visa.com/download/merchants/top_three_pos_system_vulnerabilities_112106.pdf

  32. Bond, M., Cvrcek, D., and Murdoch S.J.: Unwrapping the Chrysalis, In: Technical report, No. 592, 2004, Cambridge, GB, p. 15, ISSN 1476–2986.

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Technological Educational Institute of Kavala, Kavala, Greece

    Konstantinos Rantos

  2. Information Security Group, Smart Card Centre, Royal Holloway, University of London, London, United Kingdom

    Konstantinos Markantonakis

Authors
  1. Konstantinos Rantos
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Konstantinos Markantonakis
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Konstantinos Rantos .

Editor information

Editors and Affiliations

  1. Information Security Group Smart Card Centre, Royal Holloway, University of London, Egham, Surrey, United Kingdom

    Konstantinos Markantonakis

  2. Information Security Group Smart Card Centre, Royal Holloway, University of London, Egham, Surrey, United Kingdom

    Keith Mayes

Rights and permissions

Reprints and permissions

Copyright information

© 2014 Springer Science+Business Media New York

About this chapter

Cite this chapter

Rantos, K., Markantonakis, K. (2014). Analysis of Potential Vulnerabilities in Payment Terminals. In: Markantonakis, K., Mayes, K. (eds) Secure Smart Embedded Devices, Platforms and Applications. Springer, New York, NY. https://doi.org/10.1007/978-1-4614-7915-4_13

Download citation

  • DOI: https://doi.org/10.1007/978-1-4614-7915-4_13

  • Published:

  • Publisher Name: Springer, New York, NY

  • Print ISBN: 978-1-4614-7914-7

  • Online ISBN: 978-1-4614-7915-4

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation