Are PIN Pads Insecure By Design?

Now that Verifone has confirmed one of its popular U.K. PIN pads was hacked by a researcher for last week's Black Hat security conference, is it time to rethink how POS devices can be maintained, managed and upgraded? It's very convenient to do so over a network or, in the case of Chip-and-PIN devices, using special maintenance cards. But we may be at the point where that's simply not secure.

To be clear, Verifone only acknowledged that one of three hacked PIN pads came from it. In addition, the secure electronic payment technologies vendor said it's already testing a fix. Great—that means other PIN pad vendors have similar security issues. We just don't know which ones.

In the demonstration on July 25, researchers from U.K.-based MWR InfoSecurity said they bought second-hand PIN pads on eBay to test and found that two of the Chip-and-PIN devices popular in the U.K. could be breached by means of specially programmed smartcards. A third device, used in the U.S., could be breached in multiple ways, including via Ethernet and mobile-network interfaces.

Technical details in the demonstration were sketchy, and the researchers taped over the identifying logos on the devices. But Verifone later owned up to one of the devices, saying it had a fix in the works, while pointing out that the attack was complex, new and only works on older devices using a specific optional software module. July was not a good month for Verifone's PIN pad security image; three weeks ago, German security researchers demonstrated how they could hack a popular Verifone PIN pad to capture card data and PINs and play Pong.

That German attack exploited problems in the PIN pad's network software. But in the Black Hat demonstration, the Chip-and-PIN devices could be breached just by inserting a specially programmed card that took control of the PIN pad.

That shouldn't be possible. Only data associated with a transaction—well-defined messages between the card and the device—should be going back-and-forth. A bad message should result in a rejected transaction. It's supposed to be a smarter, and thus more secure, version of a magstripe swipe. (And yes, there's a real irony in the fact that a magstripe swipe would never be able to take over an unmodified PIN pad this way—it takes EMV to make that possible.)

But obviously, it did happen. The researchers blamed it on a problem with the payments application in the PIN pad, but they may just be being kind. This could well be a designed-in security hole.The problem is that it's really convenient to be able to test and upgrade PIN pads without opening them up. But if that's done by means of specially programmed cards that give a technician access to the software, then the smartcard is doing more than just EMV transactions and the security of EMV is compromised. Even if payments remain secure, everything else in the PIN pad—what's keyed in, what's displayed on the screen, what's sent across the network—has lost its protection.

That's probably still safe in the hands of a vendor technician. But what a tech can do, a security researcher—or a thief—can do, too.

Both vendors and customers like that convenience. It means a PIN pad can be fixed or upgraded in place, without being swapped out and, in effect, remanufactured. That's expensive and time-consuming. It's also less insecure.

Even more popular is the idea of maintaining POS devices remotely—don't even send out a tech with a special smartcard, just do it across the network. But that can just turn a local attack opportunity into a remote attack opportunity.

No national chain really wants to give up the convenience of in-place or remote maintenance. That's understandable. But the security problem may simply be insurmountable.

Worse, PIN pads are increasingly impossible to secure. Simpler devices are easier to harden, but both vendors and retailers want lots of bells and whistles that make them easier to use, especially for handicapped customers. Standard devices are easier to maintain. But that means any thief can buy a PIN pad that's identical to the one sitting on a chain's counter, and then dissect it looking for security holes.

Sure, every POS device has to pass PCI certification. But that means it's been tested—not attacked. Reasonable assumptions about security no longer apply at a time when any POS device can be purchased, reverse engineered, and every security hole found and exploited. (Besides, we all know the reality of passing PCI: As soon as there's a breach, you've retroactively failed.)

That means it's time to be unreasonable. Both vendors and retailers need to start acting genuinely paranoid about their devices—hardening them way beyond what's reasonable, even if it means more cost and inconvenience for retailers. Otherwise the embarrassing demonstrations and, worse, the expensive PIN pad breaches will just keep coming.