Credit Card Roulette: Payment Terminals Pwned in Vegas
At least three widely used credit and debit card purchasing terminals in the U.S. and U.K. have vulnerabilities that would allow attackers to install malware on them and sniff card data and PINs.
The vulnerabilities can also be used to make a fraudulent card transaction look like it’s been accepted when it hasn’t been, printing out a receipt to fool a salesclerk into thinking items have been successfully purchased.
Or an attacker can design a hack that would invalidate the chip-and-PIN card system, a security feature that is standard in Europe but only nascent in the U.S. It uses cards embedded with a chip and requires cardholders to enter a PIN to validate a transaction.
The hacks were demonstrated at the Black Hat security conference last week by Rafael Dominguez Vega, a Spanish security researcher and consultant for MWR InfoSecurity, and a German researcher who goes by the name Nils, who is head of research for MWR. Nils cemented his security bona fides in 2009 when he hacked three browsers at the Pwn2Own contest at the CanSecWest conference.