I wanted to learn more about tamper protection circuits and a good way to do this is to get a second hand UK Chip and PIN credit card terminal from your favourite auction site. I went for one that received "certification" by an independent evaluation lab, because I hoped that would mean it would be more secure.
The first thing I noticed when I powered on the device was that it could reprint the receipts from recent transactions. I didn't know this before, but the merchant copy of the receipt contains the full unmasked card number along with the usual expiry and name of the card holder.
Since I don't have x-ray vision I got a second device so that I could break the first one while learning where the tamper detection was located. I suppose I could have used a fibre optic camera and lots of patience, but 10 quid for a second device is hard to argue with.
Some devices are ultrasonically sealed meaning they're as hard to open as that vacuum packed plastic packaging that you always end up cutting yourself on. This one just opened right up after removing a couple of screws. It contained 1 tamper switch for the back casing and 2 for the front casing. The switches are circuit traces which have a conductive rubber plug pushed onto them. When you pull off the casing the plug retracts and the circuit is broken, causing the device to alarm and wipe the encryption keys. At this point it will boot into a service menu from where an engineer can upload new keys.
As it turns out, the rubber plug does not cover the entire switch and there are 2 exposed pads. With the second terminal we can now drill the casing near the switch and connect these 2 pads, so that when the casing is removed the switch will still be closed. We can replace the drilled casing with the casing from the original device so it looks untouched.
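The switch described above is a plain continuity check: closed is "fine", open is "tampered", so a wire across the two exposed pads is indistinguishable from the rubber plug. The following is an added example, not code from the terminal or its vendor, showing the usual hardening for this: put a known resistor in series with each switch and sense the voltage with an ADC, so that a direct bridge (near 0 mV) and an open circuit (pull-up rail) both trip the alarm and zeroize the keys. The supply rail, resistor values, thresholds and the `key_store_t` layout are all assumptions for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Assumed circuit (illustrative, not the real terminal): 3300 mV rail, a 10k
 * pull-up on the sense node, and a 10k resistor in series with each switch to
 * ground. Closed switch -> divider reads ~1650 mV; open switch -> ~3300 mV;
 * pads bridged with a bare wire -> the series resistor is bypassed, ~0 mV. */
#define EXPECTED_MV     1650   /* nominal reading with the switch closed   */
#define WINDOW_MV        150   /* tolerance for resistor/ADC drift          */
#define SHORT_LIMIT_MV   300   /* at or below this: pads bridged            */
#define OPEN_LIMIT_MV   3000   /* at or above this: casing removed          */

typedef enum {
    TAMPER_OK = 0,      /* reading inside the expected window            */
    TAMPER_OPEN = 1,    /* switch open: casing lifted                    */
    TAMPER_SHORTED = 2, /* switch bridged: series resistor bypassed      */
    TAMPER_ABNORMAL = 3 /* neither: unexpected resistance, treat as tamper */
} tamper_status_t;

typedef struct {
    uint8_t key[16];    /* constructed sample: a terminal master key slot */
    int loaded;         /* 1 while a key is present                       */
    int service_mode;   /* 1 after a tamper event, awaiting key reload    */
} key_store_t;

/* Classify one switch from its ADC reading in millivolts. */
tamper_status_t classify_switch(uint16_t adc_mv) {
    if (adc_mv <= SHORT_LIMIT_MV) return TAMPER_SHORTED;
    if (adc_mv >= OPEN_LIMIT_MV)  return TAMPER_OPEN;
    if (adc_mv >= EXPECTED_MV - WINDOW_MV && adc_mv <= EXPECTED_MV + WINDOW_MV)
        return TAMPER_OK;
    return TAMPER_ABNORMAL;
}

/* Overwrite key material through a volatile pointer so the compiler cannot
 * drop the stores as dead code. */
static void zeroize(key_store_t *ks) {
    volatile uint8_t *p = ks->key;
    for (size_t i = 0; i < sizeof ks->key; i++) p[i] = 0;
    ks->loaded = 0;
}

/* Poll every switch; on any non-OK reading wipe keys and drop to service
 * mode. Returns 1 if a tamper event was handled, 0 otherwise. */
int check_tamper(const uint16_t *readings, size_t n, key_store_t *ks) {
    int tripped = 0;
    for (size_t i = 0; i < n; i++)
        if (classify_switch(readings[i]) != TAMPER_OK) tripped = 1;
    if (tripped) {
        zeroize(ks);
        ks->service_mode = 1;
    }
    return tripped;
}

/* Helper for checking the outcome: 1 if every key byte is zero. */
int key_is_zero(const key_store_t *ks) {
    uint8_t acc = 0;
    for (size_t i = 0; i < sizeof ks->key; i++) acc |= ks->key[i];
    return acc == 0;
}

int main(void) {
    key_store_t ks = { .key = { 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88,
                                0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff, 0x01 },
                       .loaded = 1, .service_mode = 0 };

    /* Constructed readings: back switch closed, front switch closed, third
     * switch bridged with a wire across its pads (the bypass in the text). */
    uint16_t readings[3] = { 1648, 1662, 12 };

    if (check_tamper(readings, 3, &ks))
        printf("tamper detected, keys wiped=%d, service_mode=%d\n",
               key_is_zero(&ks), ks.service_mode);
    else
        printf("all switches nominal\n");
    return 0;
}
```

A simple continuity switch accepts any path with near-zero resistance, which is exactly what the drilled-and-bridged casing provides; with a resistance window the bridge reads as `TAMPER_SHORTED` and is handled the same way as lifting the casing. Real terminals additionally cover the pads, mesh or pot the sensitive area, and run the check from battery-backed logic so it cannot be avoided by powering the unit down.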
Even though this terminal had received certification from a lab, it didn't seem to have any additional protection. In fact there is no potting, no conductive mesh or other mechanisms to restrict access to the data buses. The card reader circuitry was exposed and card details could easily be sniffed. Since most UK banks currently use the cheaper SDA (Static Data Authentication) cards you can also sniff the PIN which is sent to the card by the terminal just after the customer enters it. Of course criminals have already been doing this for a while.
So it is possible to bypass the tamper protection, add a data sniffer, and collect card details. What is a customer to do to protect themselves? The day after I took this device apart I ate at a restaurant and when I went to pay I flipped over the PIN pad and saw the tamper-evident label had been pulled off. Would you have refused to pay? Would you check every PIN terminal you used first for signs of tamper?