StorefrontBacktalk

This is page 2 of:

Are PIN Pads Insecure By Design?

August 1st, 2012

The problem is that it’s really convenient to be able to test and upgrade PIN pads without opening them up. But if that’s done by means of specially programmed cards that give a technician access to the software, then the smartcard is doing more than just EMV transactions and the security of EMV is compromised. Even if payments remain secure, everything else in the PIN pad—what’s keyed in, what’s displayed on the screen, what’s sent across the network—has lost its protection.

That’s probably still safe in the hands of a vendor technician. But what a tech can do, a security researcher—or a thief—can do, too.

Both vendors and customers like that convenience. It means a PIN pad can be fixed or upgraded in place, without being swapped out and, in effect, remanufactured. That’s expensive and time-consuming. It’s also less insecure.

Even more popular is the idea of maintaining POS devices remotely—don’t even send out a tech with a special smartcard, just do it across the network. But that can just turn a local attack opportunity into a remote attack opportunity.

No national chain really wants to give up the convenience of in-place or remote maintenance. That’s understandable. But the security problem may simply be insurmountable.

Worse, PIN pads are increasingly impossible to secure. Simpler devices are easier to harden, but both vendors and retailers want lots of bells and whistles that make them easier to use, especially for handicapped customers. Standard devices are easier to maintain. But that means any thief can buy a PIN pad that’s identical to the one sitting on a chain’s counter, and then dissect it looking for security holes.

Sure, every POS device has to pass PCI certification. But that means it’s been tested—not attacked. Reasonable assumptions about security no longer apply at a time when any POS device can be purchased, reverse engineered, and every security hole found and exploited. (Besides, we all know the reality of passing PCI: As soon as there’s a breach, you’ve retroactively failed.)

That means it’s time to be unreasonable. Both vendors and retailers need to start acting genuinely paranoid about their devices—hardening them way beyond what’s reasonable, even if it means more cost and inconvenience for retailers. Otherwise the embarrassing demonstrations and, worse, the expensive PIN pad breaches will just keep coming.

Posted in In-Store, IT Strategy/Industry, Payment Systems, Security/Fraud, Software

One Comment | Read Are PIN Pads Insecure By Design?

A Reader Says:
August 3rd, 2012 at 1:01 am
Hardening PIN pads just kicks the can a few feet down the road, the way PCI kicked mag stripes down to Chip and PIN. But it’s still the same can and the same road, so why do we think the same problems won’t keep chasing us?

The next attacks are even visible from here. Instead of hacking and reprogramming PIN pads, the bad guys will simply put their own computers into hollowed out PIN pad cases. Customers and cashiers won’t even know the difference.

The unreasonable but secure answer is to stop doing the same thing. We need to stop trying to keep identities and account numbers secret, and stop asking merchants to carry secrets worthy of bank vault protection. Instead, we need 100 on-card security, including the UI, to protect transaction authorizations. This will remove the merchants from ever handling the customer’s secrets.

Smart cards are already capable of doing encryption. Add a 10-key pad to each customer’s card, and a small screen to display the amount to authorize, and each customer is now carrying their own full PIN pad for about $5-10 per card. This is equipment given them by their bank, which they can trust. It’s not on a network, not upgradable, sealed hardware, and cannot be hacked remotely. The banks then have true end-to-end encryption all the way from their own tiny PIN pads to their own mainframes, and not the hop-to-hop-to-hop that exists today (that is mislabeled E2E by every vendor selling the stuff.)

The customer doesn’t have to worry about trusting the merchant systems anymore. The customer can see that each transaction is for exactly the amount the merchant terminal sent to their card, and that it can’t be abused by a crooked retailer.

The merchants can stop hiding account numbers behind tokens, or sending keys to their PIN pads, or updating security in them. They just carry the encrypted authorizations from the cards to the banks and back, then ship them to their payment processors for the payouts.

The merchants aren’t completely off the hook for security, though. They need to make sure their own systems aren’t having payments diverted to someone else’s bank. But that’s the merchant’s problem that would result only in losses to the merchant, not one that impacts the customers, the banks, or the card networks.

Industry security experts are beginning to agree that zero-trust is the future of security, and that all network endpoints are inherently untrustworthy. Let’s stop pretending that shared PIN pads on a network are a good idea. If we’re going to do something unreasonable, let’s at least do something different.

StorefrontBacktalk delivers the latest retail technology news & analysis. Join more than 60,000 retail IT leaders who subscribe to our free weekly email. Sign up today!

Kindle Convenience - StorefrontBacktalk is now available natively on the Kindle so you can read us on the place without a connection.

Read StorefrontBacktalk's Retailing Column every month at Retail-Week.com. Please click here for an archive of those columns.

Read StorefrontBacktalk's Retail Realities Column every week at CBSNews.com. Please click here for an archive of those columns.