Smart Credit Card Point of Sale Terminals Can Be Hacked
Smart credit cards equipped with microchips have been generally viewed as a faster, more convenient, and safer way to purchase items. However, researchers at MWR Labs have demonstrated that “smart” card point of sale (POS) terminals can indeed be hacked.
The demonstration was showcased Thursday at the Black Hat cybersecurity conference in Las Vegas - an annual meeting of internet security researchers and hackers designed to highlight and discuss the latest and most important cybersecurity threats.
The two researchers at MWR Labs showed that they could take full control over a store's smart card POS terminal simply by inserting a smart card preloaded with specially programmed malware. The hack was shown to work on the most recent models of POS terminals, including the new “chip-and-PIN” machines.
Smart Cards Not So Smart After All?
Smart card terminals are supposed to be safer than conventional POS machines because they encrypt your PIN number as you're typing it, so none of your personal card information is ever stored within the store's machines. The new terminals have been purported to be a solution to the data harvesting type attacks that have been launched against Target and other major retail chains within the past year.
Unfortunately, the hack demonstrated by the MWR Labs researchers was able to not only keep the smart card POS machines from encrypting PIN data, it was also able to instruct the terminal to store all card data within the internal memory. The hacker would then return with another smart card at the end of the sales day, but this time the card would be programmed with a different kind of malware that instructs the terminal to transfer all of the harvested data onto the card, letting the criminal walk away with the credit card information of dozens or even hundreds of customers in one quick swoop.
The problem with smart cards is that they may be a little bit too smart. By having a built-in microchip, the card gives skilled hackers the components needed to store and execute malware from the card itself. Even worse, the smart card terminal can then interact with and take commands from the malware installed on the card's microchip, making the loophole top priority for defensive cyber security specialists working with major credit card companies and POS manufacturers to make consumer shopping safer.
Not Yet a Major Concern for the Public
Fortunately, experts say that the hack is not yet common knowledge amongst cyber criminals, and the researchers at MWR Labs have stated that there are no known cases of the tactic being used for illegal purposes. Still, the fact that the hack is even possible to perform is an alerting concern for smart card manufacturers and the many stores that are beginning to utilize and gain trust in this relatively newly implemented technology.
With that said, there is a possibility that some clever hackers have already figured this exploit out and are currently using it to collect the credit card data of untold numbers of consumers. Similar attacks have occurred in the past, where cyber criminals were found to have been storing massive databases of account passwords, so there is now way to tell for sure whether the researchers at MWR Labs are the only people experimenting with this smart card POS terminal flaw. For now, the best action you can take to safegaurd yourself from credit card fraud is to keep a close watch on your credit accounts, sign up for automatic purchase notifications to your email, and subscribe to a credit monitoring service.
