Chip and Pin Terminals
Last Update: 9th November 2010
Status: In Progress
I wanted to learn more about tamper protection circuits and a good way to do this is to get a second hand UK Chip and Pin credit card terminal from your favourite auction site. I went for one that received “certification” by an independent evaluation lab, because I hoped that would mean it would be more secure.
The first thing I noticed when I powered on the device was that it could reprint the receipts from recent transactions. I didn’t know this before, but the merchant copy of the receipt contains the full unmasked card number along with the usual expiry and name of the card holder.
Tamper Detection Circuits
Since I don’t have x-ray vision I got a second device, so that I could break the first one while learning where the tamper detection was located. I suppose I could have used a fibre optic camera and lots of patience, but 10 quid for a second device is hard to argue with.
Some devices are ultrasonically sealed, meaning they’re as hard to open as that vacuum packed plastic packaging that you always end up cutting yourself on. This one just opened right up after removing a couple of screws. It contained 1 tamper switch for the back casing and 2 for the front casing. The switches are circuit traces which have a conductive rubber plug pushed onto them. When you pull off the casing the plug retracts and the circuit is broken, causing the device to alarm and wipe the encryption keys. At this point it will boot into a service menu from where an engineer can upload new keys.
As it turns out, the rubber plug does not cover the entire switch and there are 2 exposed pads. With the second terminal we can now drill the casing near the switch and connect these 2 pads, so that when the casing is removed the switch will still be closed. We can replace the drilled casing with the casing from the original device so it looks untouched.
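The alarm-and-wipe behaviour described above, as an added example that is not code from the original post or from the terminal vendor: three casing switches are polled, any open line wipes the keys and drops the device into the service menu. The switch count, key size and state layout are assumptions chosen for illustration.

```c
/* Added example: tamper-response logic modelled on the post's description.
 * Three casing switches (1 rear, 2 front); any broken circuit alarms,
 * zeroises the keys and forces the service menu. Names and sizes are
 * assumptions, not the terminal's real firmware. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define TAMPER_LINES 3            /* assumed: 1 rear + 2 front casing switches */
#define KEY_BYTES 16              /* assumed working key size */

enum dev_mode { MODE_NORMAL, MODE_SERVICE };

struct terminal {
    uint8_t keys[KEY_BYTES];      /* working encryption keys */
    bool key_loaded;
    enum dev_mode mode;
    unsigned tamper_events;
};

/* Overwrite secrets through a volatile pointer so the compiler cannot
 * drop the stores as dead writes (a classic zeroisation pitfall). */
static void secure_zero(void *p, size_t n) {
    volatile uint8_t *vp = (volatile uint8_t *)p;
    while (n--) *vp++ = 0;
}

void terminal_init(struct terminal *t, const uint8_t key[KEY_BYTES]) {
    memcpy(t->keys, key, KEY_BYTES);
    t->key_loaded = true;
    t->mode = MODE_NORMAL;
    t->tamper_events = 0;
}

/* Each bit of closed_mask is one switch: 1 = plug pressed (circuit closed),
 * 0 = circuit broken. Returns true when a tamper response was triggered. */
bool tamper_poll(struct terminal *t, unsigned closed_mask) {
    const unsigned all_closed = (1u << TAMPER_LINES) - 1;
    if ((closed_mask & all_closed) == all_closed)
        return false;              /* every switch still closed: no event */
    secure_zero(t->keys, KEY_BYTES);
    t->key_loaded = false;
    t->mode = MODE_SERVICE;        /* engineer must upload new keys */
    t->tamper_events++;
    return true;
}

/* Transactions must refuse to run once the keys have been wiped. */
bool terminal_can_transact(const struct terminal *t) {
    return t->key_loaded && t->mode == MODE_NORMAL;
}

/* True when every key byte is zero (used to confirm the wipe). */
bool terminal_keys_wiped(const struct terminal *t) {
    uint8_t acc = 0;
    for (size_t i = 0; i < KEY_BYTES; i++) acc |= t->keys[i];
    return acc == 0;
}
```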
Sniffing Card Data
Even though this terminal had received certification from a lab, it didn’t seem to have any additional protection. In fact there is no potting, no conductive mesh or other mechanisms to restrict access to the data buses. The card reader circuitry was exposed and card details easily sniffed. Since most UK banks currently use the cheaper SDA cards you can also sniff the PIN which is sent to the card by the terminal just after the customer enters it. Of course criminals have already been doing this for a while.
So it is possible to bypass the tamper protection, add a data sniffer, and collect card details. What is a customer to do to protect themselves? The day after I took this device apart I ate at a restaurant, and when I went to pay I flipped over the pin pad and saw the tamper-evident label had been pulled off. Would you have refused to pay? Would you check every pin terminal you used first for signs of tampering?
I cut this project a little short because it didn’t really provide much of a challenge. I don’t really have an interest in making a fully functional card skimmer and besides, you could just as easily pop in a bluetooth-serial board with a couple of components and see the data on your smart phone. I then stumbled across something that would make a much better project:
The Trintech (now VeriFone) Smart 5000.
Some important specs:
- ARM 7 Processor
- Embedded Linux! – kernel V2.4
- 132 × 64 pixel (8 line) backlit graphics display
- Serial (RS 232)
- Track 1,2&3 magswipe reader
- EMV L1 certified chip card reader
- EMV 2000 level 1 and 2 certified
- Visa PED certified
With so many shops sadly going bankrupt at the moment it is very easy to find lots of these for only a few pounds at auction. Interestingly this appears to be the same device Shell deployed in their petrol stations only to have fraudsters come and install skimming devices inside. I haven’t seen any mention of what exactly was inside, so it will be interesting to see how they might have done it.
This device runs Linux and you can compile your own applications to run on it. It uses code signing, so unless you get VeriFone to sign your application you can only run your own code on development devices, which have a serial number of all zeros. It also uses policies to restrict what resources applications have access to.
So, we have tamper resistance, code signing, a secure boot loader, a serial connection and an embedded Linux operating system. The challenge will be to root it! So far I have got some software on Linux that behaves like a Point of Sale system and can communicate with the pin pad, read data, run commands, etc. This is all using a serial connection and the well documented API.
Will update when I have more…