How to hack stuff for cash
Weaknesses in ATMs and PoS
systems and how to exploit them
02.06.2014 1Marco Schuster, CashPOINT
About me
• Name: Marco Schuster
• Working in the IT industry for over 15 years, 8 of
which running a small business in Germany
• Developer of CashPOINT PoS software
• Maintainer of PHP PC/SC smartcard communication
interface
• Experience in Windows / Linux client and server
management, Web service development, Web security,
smart card development using BasicCard
• Homepage: http://cashpoint-pos.de
• Mail: marco@m-s-d.eu
About this talk
• This talk presents an overview of the most commonly
used attack vectors on ATMs (Automated Teller
Machines), PoS (Point of Sale) software and EPTs
(Electronic Payment Terminal).
• Part I shows the weaknesses in ATMs as well as ways to
exploit them, ordered by the „commonness“ factor (i.e.
how many crimes are committed using the vector and
how widespread this type of crime is)
• Part II shows the weaknesses and exploits in PoS/EPT
systems, ordered as above
• At the end, there will be a summary of the most
important points in this talk
Glossary
• ATM: Automated Teller Machine, a machine distributing /
accepting cash for bank customers
• CC: credit card / customer card
• EFT: Electronic Financial Terminal
• EPT: Electronic Payment Terminal
• EMV: Europay/MasterCard/Visa, a network of card issuing
companies who developed an internationally compatible
standard of communicating with payment smart cards in
order to have a secure replacement for mag-stripe cards
• Mag stripe: magnetic, usually black stripe on the back side
of CCs, containing three tracks for storing data
• PoS: Point Of Sale terminal
Glossary
• RFID: Radio Frequency Identification. Once a passive-only
technology, the term now also covers cards and tags capable
of active processing. Early models could only respond with a
unique ID; modern ones are essentially micro-computers with
sophisticated crypto and processing capabilities
• TEMPEST: also known as „van-Eck-Phreaking“, passive
interception of radio frequency emissions of a device in
order to obtain internal, presumed protected, data like
cryptographic keys
• ZVT / OPI: two protocols for PoS-EPT communication
Part I: ATMs
• ATMs are basically just computers
• Most ATMs run Windows, and most of these still run XP (as evidenced
by the many panic-ridden news articles when MS discontinued XP
support)
• Depending on the operator, these XP machines may or may not be
subject to the usual MS patch days => hackers have a considerable
time window in which to exploit known vulnerabilities
• Connectivity is provided in different ways:
– (A)DSL modems+routers embedded into the ATM
– Ethernet connections supplied by the location where the ATM is set up
(e.g. inside a bank an ATM will likely use the building‘s network
infrastructure)
– WiFi
– 3G/UMTS in remote locations
ATMs: components
• ATMs usually consist of the following
components:
– TFT or tube monitor with softkeys and / or touchpanel
interface
– Card slot
– PIN pad
– Cash dispenser, inside a rugged safe
– Some models: cash acceptors / bill recyclers
– Some models: receipt printer
– Some models: 3.5mm jack or speakers for the blind
– Alarm systems, anti-hijack measures, UPS
Photo: component diagram
Component overview of a bank kiosk (without cash dispenser)
Source: http://www.eworldco.cc/atmposkiosk
ATMs: weaknesses
• Obvious: steal the entire ATM
– People have even been observed ripping ATMs out of walls
and loading them onto pickups
– Countermeasure: equip the cash safe with irreversible
marking ink, equip the ATM with battery-backed GPS trackers,
reinforce mountings
• Obvious: blow up the ATM using gas
– According to media reports, this type of crime is on the rise,
causing massive damage for next to zero booty; the most
frequently attacked targets are ticket vending machines
– Countermeasure: fill empty areas with foam or inert gas,
add gas warning sensors or even catalysts to decompose
the gas
Side note: using gas to blow up ATMs
• Gas source: liquid gas, commonly available in tobacco stores
as lighter refill, or obtained by emptying deodorant cans that use
propane/butane as carrier/propellant
• 300ml liquid propane/butane gas mix cost approx. 2-3 €
• 1 liter liquid gas expands to a volume of 260 liters => one of
these refill bottles can be emptied for approx. 86 liters of gas
• Propane/butane gas has a very narrow ignition window:
depending on the mixture ratio of propane and butane,
ignition and explosion can happen only at 1.5 to 9.5% mixture
ratio with oxygen
Side note: using gas to blow up ATMs
• If the thief doesn‘t put enough gas into the machine to
achieve an explosion, there‘s no risk for anyone
• If the thief puts in too much gas, though, and leaves the
ATM because of the failed explosion, he creates a time
bomb! As soon as air flow has replaced enough of the gas
with oxygen, a single spark suffices to ignite the ATM and
potentially kill or severely injure random passers-by
• Sparks need not originate inside the machine (fans with
brushes); users can „generate“ sparks by static discharge
on the grounded metal chassis
• Gas attacks haven‘t only targeted ATMs, but also gambling
machines and ticket vending machines (even one in direct line
of sight of a prison and a police station in Germany)
ATMs: weaknesses
• Obvious: wait near stand-alone ATMs in lonely areas and extort money
from people at gun/knife point, or pickpocket them
• Pretty common: „Lebanese loop“
– Prevent the cash or customer card from exiting the ATM by blocking the dispenser flap
– Wait nearby to offer „assistance“ (act as if you are service personnel, note
down customer data and later on take the cash)
– Addition: replace the stickers showing the bank‘s phone number with ones
showing a number controlled by the con artists
• Pretty common: card skimming
– Install a magstripe skimmer and either a double „PIN pad“ or a camera to
record the PIN
– Or only install a card skimmer and clone the data onto a blank card to use for
shopping (where no PIN is required)
– Countermeasure: widespread implementation of the smartcard chip (EMV chip),
which cannot be skimmed or cloned
Photo: Lebanese Loop
A simple Lebanese Loop
Source: http://scams.wikispaces.com/Lebanese+Loops
Photo: ATM skimmer
Left: skimmer, right: PIN-recording camera
Source: http://www.hoax-slayer.com/atm-skimming.html
Photo: Double PIN pad
Double PIN pad
Source: http://forum.tz-uk.com/showthread.php?257253-Latest-cashpoint-scam
ATMs: weaknesses
• Highly advanced: software manipulation of the ATM
– Method A: simply command the ATM to dump the entire
cash in the safe
– Method B: make the ATM record magstripe data and / or
bank account numbers as well as the PIN
– Needs some form of hardware access to the ATM
– Some ATM models have common, manufacturer-supplied
keys allowing access to the computer or maintenance
ports…
• Highly advanced: network infiltration
– Needs an ATM with known remote vulnerability
– Needs direct access into the network – e.g. by attacking
the building wiring
ATMs: attacking the network
• Many banks have 24/7 operations, outside of normal
business hours the premises are not actively guarded
• Some banks do not protect their Ethernet cables (or worse:
the sockets)
• Attack vector: insert a small wireless router or a network
tap, either by plugging into the sockets or hot-wiring the
Ethernet cable
• Infiltration is best done by posing as or working as cleaning
personnel (low-pay jobs, mostly done by subcontractors
without rigorous security checks)
• If done right, a network-side IDS cannot detect this (not a
single packet with a wrong MAC address may leave the
device; every „spoofed“ packet must be rewritten)
ATMs: attacking the network
• Needs a remotely exploitable vulnerability (as ATM-to-
clearinghouse communication is heavily encrypted)…
turns out these are PLENTY: http://www.exploit-db.com/platform/?p=windows
• I can haz root access?
• Now the hacker is free to mess with the machine –
including launching the debug or maintenance tools
and dumping the cash in the safe
Photo: WLAN tap
This is a DWL-G730AP micro router, smaller than a box of cigarettes
Photo: http://www.prisguide.no/produkt/d-link-dwl-730ap-pocket-ap-router-23115
ATMs: attacking the machine
• Certain models have front-side USB connectors,
exposed upon opening maintenance hatches
• These can be drilled open – and the hole filled with a
plastic cap (see references for news article)
• Hackers just open the plastic cap and attach devices
like a Rubber Ducky which act as keyboards, or Android
cellphones exposing a HID keyboard and a USB mass
storage to hold the malware
• Countermeasure: disable the USB port using a
hardware switch (cut the D+/D- lines) that is not reachable
by drilling, and notify the NOC remotely upon attachment of
any USB peripheral
ATMs: attacking the machine
Multiple exploit vectors for the malware:
– „Hit and run“: command ATM to dispense the cash
and reboot to eliminate the traces
– Persistent malware:
• Harvest CC / magstripe data
• sniff the PIN pad or the softkeys for a secret pattern which
initiates the malware
• dump the cash or print harvested CC data on a receipt
printer
– Network spread: spread to other ATMs or even the
bank network
ATMs: attacking the machine
• Certain models have been known to utilize
manufacturer-supplied, common keys to allow
access to the computer compartment – no need
for drilling, no visible traces of forced entry!
• Some hackers (see references) have installed
cellphones or 3G sticks inside the ATM to obtain
remote access – as long as the only people
opening the ATMs are the guys refilling the safes
this isn‘t noticeable due to the incredibly small
size of these devices
Photo: USB Rubber Ducky
USB Rubber Ducky, US$ 39.90
Photo + Shop: https://hakshop.myshopify.com/products/usb-rubber-ducky-deluxe
ATMs: weaknesses
• Highly advanced: manipulated smartcards
– Fully programmable smart cards with even low-level output manipulation:
„BasicCard“ by ZeitControl (http://www.basiccard.com/), cost 5.50 € for
32kByte storage => enough for common trojan payloads or stub loaders!
– Modern banking cards also allow RFID communication (e.g. German Sparkasse
cards), used as a security feature (anti cloning)
– Another attack path (used e.g. in 2014-05 in Macau): interception of smartcard
commands, e.g. to manipulate payment authorisation
• Extremely advanced: TEMPEST attacks
– Record RF emissions from the computer or the components
– Up to a couple of years ago, the components required were only affordable by
state-level actors
– These days, even amateurs can conduct TEMPEST research, the only barrier is
the level of knowledge required
Smart Card overview
• Smart cards are surprisingly complex…
• Low level communication: standard ISO 7816
• The low level is handled either by a combination of the microprocessor
in the card reader and the OS driver (Windows/Linux/OSX:
PC/SC library) or by a dedicated microcontroller
• Data transfer between app and card uses the APDU format
(Application Data Unit), essentially a binary protocol with
requests and responses
• Old versions: 256 bytes input, 256 bytes response, with
extension up to 65536 bytes
Smart Card overview
• The weakness is obvious: higher-level stacks
assuming a return length of only 256 bytes get more
than 256 bytes from the PC/SC stack… buffer
overflows to the hacker‘s aid!
• Next weakness: most high-level communication
stacks assume TLV (Tag-Length-Value) format =>
overflow the Length byte and cause random
memory seeks, strcpy overflows,…
• Depending on which part of the stack is exploited,
different possibilities open up
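As an added example (not code from the talk or from CashPOINT), a Go parser for the BER-TLV data carried in ISO 7816 responses that performs the checks the slide says many higher-level stacks skip: every Length field is validated against the bytes actually present, and a response larger than the caller's 256-byte buffer is refused instead of copied. The two sample responses are constructed for this example, not captured from any card.

```go
package main

import (
	"errors"
	"fmt"
)

// TLV is one decoded BER-TLV element as used in ISO 7816 / EMV responses.
type TLV struct {
	Tag      []byte
	Value    []byte
	Children []TLV // filled when the tag is constructed (bit 6 of its first byte set)
}

// ErrTruncated is returned whenever a Length field promises more bytes than exist.
var ErrTruncated = errors.New("tlv: length field exceeds remaining data")

// SplitResponse separates the response data from the trailing SW1 SW2 status
// bytes and refuses to hand back more data than the caller's buffer holds. A
// stack that assumed 256-byte short APDUs would otherwise copy an extended
// response into a buffer that is too small.
func SplitResponse(resp []byte, bufSize int) (data []byte, sw uint16, err error) {
	if len(resp) < 2 {
		return nil, 0, errors.New("apdu: response shorter than SW1 SW2")
	}
	data = resp[:len(resp)-2]
	sw = uint16(resp[len(resp)-2])<<8 | uint16(resp[len(resp)-1])
	if len(data) > bufSize {
		return nil, sw, fmt.Errorf("apdu: %d data bytes exceed %d-byte buffer", len(data), bufSize)
	}
	return data, sw, nil
}

// ParseTLV decodes a BER-TLV sequence, validating every Length against the
// bytes actually present instead of trusting the attacker-controllable field.
func ParseTLV(data []byte) ([]TLV, error) {
	var out []TLV
	for len(data) > 0 {
		if data[0] == 0x00 || data[0] == 0xFF { // inter-element padding
			data = data[1:]
			continue
		}
		// Tag: one byte, or multi-byte when the low five bits are all set;
		// continuation bytes have their top bit set.
		tagLen := 1
		if data[0]&0x1F == 0x1F {
			for tagLen < len(data) && data[tagLen]&0x80 != 0 {
				tagLen++
			}
			tagLen++ // include the final tag byte
			if tagLen > len(data) {
				return nil, ErrTruncated
			}
		}
		tag, rest := data[:tagLen], data[tagLen:]
		if len(rest) == 0 {
			return nil, ErrTruncated
		}
		// Length: short form (< 0x80) or long form 0x81 / 0x82.
		var length, lenLen int
		switch {
		case rest[0] < 0x80:
			length, lenLen = int(rest[0]), 1
		case rest[0] == 0x81 && len(rest) >= 2:
			length, lenLen = int(rest[1]), 2
		case rest[0] == 0x82 && len(rest) >= 3:
			length, lenLen = int(rest[1])<<8|int(rest[2]), 3
		default:
			return nil, fmt.Errorf("tlv: bad or truncated length encoding 0x%02X", rest[0])
		}
		rest = rest[lenLen:]
		// The bounds check the slide describes as missing in many stacks.
		if length > len(rest) {
			return nil, fmt.Errorf("%w: tag % X claims %d bytes, %d present", ErrTruncated, tag, length, len(rest))
		}
		el := TLV{Tag: tag, Value: rest[:length]}
		if tag[0]&0x20 != 0 { // constructed tag: its value is itself a TLV sequence
			children, err := ParseTLV(el.Value)
			if err != nil {
				return nil, err
			}
			el.Children = children
		}
		out = append(out, el)
		data = rest[length:]
	}
	return out, nil
}

// Constructed sample responses (not from any real card): an FCI template 6F
// holding a DF name (84, made-up AID) and a proprietary template (A5 -> 88).
var (
	goodFCI = []byte{0x6F, 0x0E, 0x84, 0x07, 0xA0, 0x00, 0x00, 0x00, 0x99, 0x01, 0x01,
		0xA5, 0x03, 0x88, 0x01, 0x01, 0x90, 0x00}
	// Same structure, but A5 claims 127 bytes where only 3 follow.
	badFCI = []byte{0x6F, 0x0E, 0x84, 0x07, 0xA0, 0x00, 0x00, 0x00, 0x99, 0x01, 0x01,
		0xA5, 0x7F, 0x88, 0x01, 0x01, 0x90, 0x00}
)

func main() {
	for _, resp := range [][]byte{goodFCI, badFCI} {
		data, sw, err := SplitResponse(resp, 256)
		if err != nil {
			fmt.Println("reject:", err)
			continue
		}
		els, err := ParseTLV(data)
		fmt.Printf("SW=%04X elements=%d err=%v\n", sw, len(els), err)
	}
}
```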
Photo: Fake smart cards
Smartcard emulators, manipulated smartcards
Source: http://krebsonsecurity.com/2014/05/thieves-planted-malware-to-hack-atms/
ATMs: TEMPEST attacks
• Inarguably, TEMPEST attacks are by far the most
dangerous attacks, since some TEMPEST forms even
work over dozens of meters of distance between
attacker and target
• For now, TEMPEST attacks are rare due to the
high knowledge required to execute them
• Multiple attack vectors: even the power lines
can be used to derive cryptographic keys!
ATMs: TEMPEST attacks
• New RFID functionality in banking cards, used as a
security measure, can in fact even endanger the
system – what happens when a smartcard is
talked to simultaneously by RFID and by wire?
How robust are the smartcard operating systems?
• Currently, TEMPEST protection is only required by
the military or secret services for their IT devices – this
is bound to change!
• As traditional card/ATM fraud attacks become
harder, hacker groups will redirect substantial
financial and R&D resources to TEMPEST attacks
ATMs: Situation overview
• Volume of ATM and card clone fraud: SEPA area approx. € 1 billion
in 2012 according to the ECB
• Constant arms race between ATM manufacturers and criminals
• Card cloning occurs in „rich“ Western countries with high-security
ATMs and all the trimmings
• Usage of the cloned cards mostly happens in less developed
countries like the former Soviet bloc and Mexico, where ATMs still
accept magstripe-only cards and security awareness is not
widespread
• With these sums at stake, the chance is high that criminal
enterprises will research and employ previously unheard-of tactics
like TEMPEST alongside the earlier, more common tactics
• Development of „kits“ for use by small-time criminals has been
observed in the gambling fraud industry as well as in the card-fraud
industry; this trend is likely to continue
Part II: PoS software
• PoS (Point of Sale) systems are software systems used by
cashiers, barkeepers etc. in all kinds of retail stores
• Usage sometimes required by law (e.g. in Belgium for bars)
• PoS systems widely vary in functionality (and price)
– Simple ones just allow receipt printing
– Full-blown solutions like SAP or CashPOINT allow entire business
management, including customer management, payment
tracking and more
– Depending on legislation, a „fiscal memory“ may be required to
allow tax authorities to check revenue/sales records for tax
fraud
• Standalone systems or server-based systems, some even
with mobile device support
PoS: Weaknesses
• Obvious: Manipulation by clerks
– Tax fraud by entering wrong VAT rates (takeaway vs in-
house)
– Overcharging customers (e.g. in bars, strip clubs,
discotheques)
– Deletion of receipt positions
• Obvious: fraudulent swiping of credit cards by clerks
– Clerk takes customer‘s CC to the payment terminal and
silently swipes it through a cloner or a Stripe reader
– Double swipe of the same amount
– Weakness of the system: CC swiping does not require PIN
authorisation!
PoS: Weaknesses
• Advanced: Many PoS systems in the US work directly
with raw magstripe data from credit cards
– Magstripe / CC data usually must be strongly protected
and encrypted
– This is how Target was hacked – the hacker manipulated
the PoS software to silently record CC data
– Countermeasure: dedicated, protected terminals (EFT –
Electronic Financial Terminal / EPT – Electronic Payment
Terminal) which do not store data on the terminal, but in a
centralized clearing house
• European system usually works with central clearing
houses and Chip+PIN (aka EMV), eliminating swipe
fraud
Photo: EPT (CCV VX680)
CCV VX680 EPT
http://www.ccv.eu/web/ALLCASH-de/ecTerminals/ecTerminals/CCV-Mobile-VX-680-3.htm
PoS: Communication with EPTs
• This describes ONLY the situation in Germany; I
am not familiar with US EPT systems
• Mode 1: the cashier enters the amount by hand
and just takes the receipts => manipulation only
possible with CCs without EMV enforcement,
everything else requires the customer‘s PIN
• Mode 2: PoS system transfers commands to EPT
by RS232, LAN or WiFi; EPT and PoS work
together to execute the payment
EPT: Communication with PoS
• Two widely adopted protocols, both developed by the vendors Wincor,
CCV and others
– ZVT
• old, REALLY old protocol with structures and handling similar to smartcard
APDUs
• The same weaknesses apply here: boundary overflows; widespread, subtle
differences in implementations across vendors
• CONSTANT upgrade of stacks required in order to be able to parse the binary
protocol!
• Communication via RS232 or wrapped in TCP/IP
• Open specification
– OPI (Open Payments Initiative)
• XML messages transferred by TCP/IP allow usage of robust, well-tested
software stacks
• Specification not public, but freely obtainable from CCV and Wincor
• Neither ZVT nor OPI support any form of encryption or message
authentication! Only the clearinghouse communication is encrypted
EPT: Communication with PoS
• PoS transfers high-level commands to EPT, EPT acts and
returns response
• Commands include stuff like „Deduct payment, refund
payment, Increase/decrease loyalty card points, Sync
with clearing house, Read raw magstripe data“
• YES. „Read raw magstripe data“ or „CardSwipe“ (OPI).
This is no joke. It will return the raw data of all three
tracks of any mag stripe.
• EPTs respond to pings; while ZVT does not require a
specific port, OPI is hard-wired to TCP port 20007 – thus making
discovery incredibly easy
EPT: Normal payment data/command
flow
1. Cashier presses „Pay Card“ button on PoS
2. PoS software sends „Deduct 5.00 €“ to EPT
3. EPT asks customer to insert card or swipe card
4. Customer does as required – if the POS
determines that a PIN is required, then the EPT
accepts the PIN, else the customer has to sign
the backside of the merchant receipt
5. EPT returns „Payment successful“ or „Payment
denied“ to PoS
EPT: Attack 1 – manipulated PoS
software
• Now, we assume a manipulated PoS…
1. Cashier presses „Pay Card“ button
2. PoS software sends „Swipe Card“ command to EPT
3. EPT tells customer „Swipe card…“
4. Customer assumes that EPT wants a swipe payment => swipes card
5. EPT returns all three tracks to PoS
6. PoS (trojan) stores the track data
7. PoS sends „Deduct 5.00 €“ to EPT
8. (see normal payment flow)
• Cashier assumes a mis-read of the card, no one has any reason to
be suspicious… until a couple of months later, when cloned cards
appear!
• A video demonstrating this attack will be published on our website
EPT: Attack 2 – Card swipe by network
intrusion
• This only works with network-attached EPT
• OPI does not require any form of authentication,
it will blindly follow ANY orders from ANY IP
address! No way of restriction!
• ZVT protocol supports authentication but many
EPTs don‘t implement it! Besides, it‘s just a 6-digit
PIN which is sent unencrypted => one Wireshark
trace obtained using ARP spoofing will deliver it
• Attacker, using a cellphone, launches the card
swipe command right before the cashier presses
„Pay Card“ button on PoS
EPT: Attack 3 – hack the EPT by
network intrusion
• Again, this attack requires a network-connected EPT
• ZVT is an ugly, complex, organically grown protocol full of quirks
• ZVT was originally built as a serial-port, RS232
communication protocol and thus had no security built in –
as it was not needed. Only when it was wrapped in TCP/IP
did the security problems arise
• OPI was initiated in 2003 – the author fails to understand
why in 2003 anyone in their right mind would develop a
network-based standard without thinking about security!
• Every implementation has bugs
• People have used offset attacks, length attacks and other
techniques to obtain code execution on EPTs
EPT: Attack 4 – hack the EPT in
hardware
• Automated fuel pumps are unmonitored…
• Open the fuel pump using common master
keys or by lockpicking
• Reflash the EPT firmware to sniff CC data and
PINs
• Close the fuel pump
• Wait a couple of months, then profit! (See
references for an example news article)
EPT: Attack 5 – silently swap EPTs
• Stores are a primary target for thieves
• So, thieves break into a retail store and steal a couple of
low-value items… everyone thinks a couple of junkies needed
stuff to sell for drugs, just the usual shit every merchant has
to deal with sooner or later
• No one bothers to check the EPTs – after all, everything
looks like the usual junkies, not like a bunch of pro hackers
• Only a couple of months later, massive card fraud appears
with the retail store as common denominator
• Now the EPTs turn out to be swapped with manipulated
ones or the PoS systems hotwired…
• This has happened multiple times already, see the
References
EPT: Attack 5 – silently swap EPTs
• EPT swaps can also be done by rogue staff
• MANY people do not protect their EPTs, not even
from customers
• The author knows about people using the
manager PIN „000000“ in multiple restaurants to
silently disable their EPTs (by deactivating their
network interface)
• All you need to swap an EPT is the Terminal ID
and the network config parameters – the TID is
on every receipt and the network config can be
printed via Manager PIN
EPT: Attack 5 – silently swap EPTs
• A manipulated and swapped EPT can only be detected by visually
inspecting it and comparing the sticker with the hardware ID
• The only identifier visible to a PoS system is the TID
• Unless stolen card data is used, the fraud is detected, and the
cases are linked to the specific terminal, usually no one will inspect
it
• Countermeasure: implement an HSM and challenge-response
cryptography
– Every terminal has a priv/pub keypair, kept only on the device
– Every transaction must be signed with the private key so that the PoS
or the cashier can check the signature against the public key
– Even this measure only protects against terminal swap, but not against
firmware reflashing or memory-only exploits…
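The challenge-response countermeasure above, as an added Go example that is not part of the talk or of CashPOINT: the PoS sends a nonce, the terminal signs nonce, TID, amount and result with a device-unique key (Ed25519 is my choice; the slide only specifies a private/public keypair), and the PoS verifies against the public key enrolled for that TID at installation. A swapped terminal claiming the same TID, a replayed receipt and an amount altered in transit all fail verification; as the slide notes, a reflashed genuine terminal would not, since it still holds the right key.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Terminal holds the per-device private key. In a real EPT it would live inside
// the HSM and never leave it; here it is an in-memory value for illustration.
type Terminal struct {
	TID  string
	priv ed25519.PrivateKey
}

// Receipt is the signed transaction result returned to the PoS.
type Receipt struct {
	TID    string
	Nonce  []byte // the PoS challenge the terminal signed over
	Cents  int64
	Result string // "approved" or "declined"
	Sig    []byte
}

// receiptMessage is the canonical byte string both sides sign and verify.
func receiptMessage(tid string, nonce []byte, cents int64, result string) []byte {
	return []byte(fmt.Sprintf("EPT-RECEIPT|%s|%x|%d|%s", tid, nonce, cents, result))
}

// NewTerminal generates a device-unique keypair; the public half is what the
// installer enrolls in the PoS.
func NewTerminal(tid string) (*Terminal, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Terminal{TID: tid, priv: priv}, pub, nil
}

// Sign answers a PoS challenge with a receipt bound to nonce, amount and result.
func (t *Terminal) Sign(nonce []byte, cents int64, result string) Receipt {
	msg := receiptMessage(t.TID, nonce, cents, result)
	return Receipt{TID: t.TID, Nonce: nonce, Cents: cents, Result: result, Sig: ed25519.Sign(t.priv, msg)}
}

// PoS keeps the public key enrolled for each TID.
type PoS struct {
	enrolled map[string]ed25519.PublicKey
}

func NewPoS(tid string, pub ed25519.PublicKey) *PoS {
	return &PoS{enrolled: map[string]ed25519.PublicKey{tid: pub}}
}

// NewChallenge returns a fresh 16-byte nonce for one payment.
func (p *PoS) NewChallenge() ([]byte, error) {
	nonce := make([]byte, 16)
	_, err := rand.Read(nonce)
	return nonce, err
}

// Verify accepts a receipt only if it answers this challenge, names an enrolled
// TID and carries a valid signature under that TID's enrolled key.
func (p *PoS) Verify(challenge []byte, r Receipt) error {
	pub, ok := p.enrolled[r.TID]
	if !ok {
		return fmt.Errorf("pos: terminal %s is not enrolled", r.TID)
	}
	if !bytes.Equal(challenge, r.Nonce) {
		return errors.New("pos: receipt does not answer the current challenge")
	}
	if !ed25519.Verify(pub, receiptMessage(r.TID, r.Nonce, r.Cents, r.Result), r.Sig) {
		return errors.New("pos: signature invalid: wrong key (swapped terminal?) or altered receipt")
	}
	return nil
}

// demo runs a constructed scenario: a genuine terminal, then an impostor with
// the same TID printed on its sticker, then a receipt altered in transit.
func demo() (genuine, swapped, tampered error) {
	genuineEPT, pub, err := NewTerminal("TID-12345678") // constructed TID
	if err != nil {
		panic(err)
	}
	pos := NewPoS(genuineEPT.TID, pub)
	nonce, _ := pos.NewChallenge()
	genuine = pos.Verify(nonce, genuineEPT.Sign(nonce, 200000, "approved"))

	impostor, _, _ := NewTerminal(genuineEPT.TID) // different key, same TID
	swapped = pos.Verify(nonce, impostor.Sign(nonce, 200000, "approved"))

	r := genuineEPT.Sign(nonce, 200, "approved")
	r.Cents = 200000 // MITM rewrites "2 EUR paid" into "2000 EUR paid"
	tampered = pos.Verify(nonce, r)
	return
}

func main() {
	g, s, t := demo()
	fmt.Println("genuine:", g)
	fmt.Println("swapped:", s)
	fmt.Println("tampered:", t)
}
```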
EPT: Attack 6 – MITM the payment
flow to reduce the paid amount
• Once again, this requires network access,
preferably in form of a WiFi tap
• As said, both ZVT and OPI totally lack any form
of encryption and authentication or state
tracking
• Divert all traffic to and from the EPT to your
cellphone
EPT: Attack 6 – MITM the payment
flow to reduce the paid amount
Assume a fraudulent customer buying a MacBook
1. Cashier presses „Pay Card“
2. PoS transfers „Deduct 2.000 €“
3. EPT displays „Pay 2.000 €“ to cashier, cashier hands over
EPT to customer so he can input the PIN
4. Customer cellphone sends „Abort“ and „Pay 2 €“ to EPT
5. Customer pays 2 €
6. Customer cellphone transmits „2.000 € successfully paid“
to PoS, together with a faked receipt to be printed on the
invoice
7. Only at the end of the day the discrepancy is detected
when syncing
EPT: Attack 6 – MITM the payment
flow to reduce the paid amount
• It is not sufficient to just return a „Payment successful“ without
paying at all, as the cashier might notice something is wrong by
listening
• Most terminals use different beep tones for successful and declined
payments
• Best use stolen cards or strawmen for this type of fraud as the faked
purchase will show up in the books
• Two-headed terminals with one display for the cashier and one for
the customer prevent this exploit as long as the cashier looks at the
display
• The smaller the faked amount is, the less likely is an investigation
(no one will try to find out where 10 € went missing, but a 1.000 €
discrepancy will definitely raise red flags)
EPT: Attack 7 – MITM intercept the
receipts
• A passive MITM attack (either half-active by ARP spoofing or totally
passive by e.g. using hubs instead of switches, connecting to the
monitor port on the switch etc.) can yield interesting data, too
• Remember that OPI and ZVT are unencrypted?
• Both OPI and ZVT allow for receipt printout by the PoS system =>
the receipt data passes in cleartext over the network
• Customers keep throwing away the receipts, and so do merchants
– merchants are required to keep them in case of disputes
– customers should be required to, but are not
– many just throw them away and rely on the banks not to mess things up
• These receipts carry personal data of the cardholder
EPT: Attack 7 – MITM intercept the
receipts
• Merchant receipts contain raw data, including the card
number
• Customer receipts contain the data with sensitive parts
blanked / replaced by „X“
• Merchant receipts and customer receipts can be
intercepted or replaced (see attack #7 for an exploit)
• Current receipts do not include bank account data any
more, older terminals still do
– Reason: fraud using the data from thrown away receipts
– This problem will be eliminated over time as the terminals
get updated
EPT: Attack 8 – technician software
• „If it looks like a duck, quacks like a duck, it must be a duck“
vs „If it looks like a manufacturer technician, quacks like a
manufacturer technician, it IS a manufacturer technician“
• Use the vendor-provided configuration software to read
out the terminal configuration
• This hasn‘t been confirmed fixed by the manufacturer, so
the brand and model will not be named
• Vendor management tools run either over RS232, USB or
even the network
• These tools were built on the assumption „Local links will
never be MITM‘d, no hackers will ever use this software to
hack“… WRONG.
EPT: Attack 8 – technician software
• The service tool allows read and write of every
configuration setting… yes, every single one
• No, it does not require any authentication
• Yes, it even works over TCP/IP (tap the target network!)
• The readable settings include all three PINs (cashier,
manager and service technician) as well as the WLAN
password… in cleartext.
• Anyone on the same network as the EPT is able to read
and write the whole configuration without even having
to resort to any „real“ hacking
• Only firmware upgrades require authentication
(pubkey checks on the device itself)
EPT: Attack 9 – technician software #2
• The configuration settings actually even include
the communication targets for the clearing house
• These are writable, too
• Just set up your own payment processor
(reimplement the Poseidon/Atos Worldline
protocol or others supported by the EPT)
• This is quite a challenging task, but once finished one
can e.g. set up a server that accepts all cards and
all PINs, or allows magstripe reads for CCs
• Exploitable e.g. by „shopping for free“,…
EPT: Attack 10 – technician software
#3
• So, we again assume we have a vulnerable EPT model as
well as a network tap
• OPI standard supports returning the raw, unprotected track
data
• Normally, an EPT should be configured to suppress the PAN
and other sensitive CC track data
• Needless to say, this feature can be re-enabled using the
vendor management tool…
1. Re-enable the track data transfer
2. monitor the network for OPI frames
3. clone the track data and go shop for free or…
4. sell them on the Darknet, cloneable card data fetches far
better prices than just the number+exp date
EPT: Attack #11 – technician software
#4
• Export and load configuration
• Combined with an EPT swap attack, you can
essentially do an undetectable swap, as even
the PINs and the network config will be cloned
• Best done by rogue staff
EPT: Attack 12 – Offline payments
• By disrupting communication with the payment processor, you can
force the terminal into „offline mode“
• Normally, offline transactions carry a limit set by the network
provider (e.g. no offline transactions > 50 €) to reduce fraud or
bouncing of payments (online transaction checks the limits and the
money available as well as stolen cards checking)
• Offline mode is used to speed up processing times as the
connection setup and teardown is done only at sync
• The limits can be overridden by requesting an offline transaction in
the OPI command – use network MITM to manipulate it
• Alternative: manipulate the terminal settings to change the limits
• Easier alternative: some terminals allow changing the limits with
the Manager PIN
EPT: Countermeasures
• CCV and others have equipped their EPTs with
anti-opening and anti-reverse engineering
measures
• If you open the casing, the ROMs erase
themselves
• To hinder manipulation efforts, PoS terminals and
EPTs should reboot themselves daily using
netbooting and signature checks
• CashPOINT systems check their own source via git
and netboot (the terminal clients are nothing
more than a browser, anyway)
EPT: Countermeasures
• Stores should deploy basic security measures
– ALWAYS keep operating systems and software up to date
– Deploy an IDS (Intrusion Detection System) and ARP sponges (these prevent the
described MITM attacks)
– Isolate EPTs into their own network and allow only specific PoS terminals to talk to
specific EPTs (by firewall rules in the router)
– Connect EPTs only via a separate WiFi network in order to prevent hotwiring
attacks; keep the keys off-site to prevent terminal swap attacks during
burglaries
– Find out the ports of the manufacturer tools and lock them down in the
firewall!
• Thwart manipulation of EPT command traffic: replace the hardware
firewall between EPT and PoS LAN with a locked-down server that
– validates EPT payment commands against billing databases
– prevents Abort/CardSwipe-based attacks
– if done as an abstraction layer, prevents attackers in the PoS LAN from sending
arbitrary/malicious data to the EPTs
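The locked-down server described above, as an added Go example (not CashPOINT's own code) that also covers the CardSwipe trick of Attack 1, the anonymous commands of Attack 2 and the Abort/reduced-amount sequence of Attack 6: it forwards commands only from allow-listed PoS addresses, never forwards raw track reads, checks every Deduct against the open bill in the billing database, and accepts an EPT result only for the amount it actually sent. Command names, the billing map and the addresses are constructed; the source-address check assumes the ARP sponge and firewall rules listed above, so a spoofed PoS address cannot reach the gateway.

```go
package main

import (
	"errors"
	"fmt"
)

// CmdKind models the high-level OPI/ZVT commands the slides mention.
type CmdKind int

const (
	CmdDeduct CmdKind = iota
	CmdAbort
	CmdCardSwipe
	CmdPrintReceipt
)

// Command is one PoS-side request as seen by the gateway (constructed model).
type Command struct {
	Kind   CmdKind
	BillID string // open bill in the PoS billing database
	Cents  int64  // amount in cents
}

var (
	ErrUnauthorisedSource = errors.New("gateway: source is not an authorised PoS")
	ErrRawTrackRead       = errors.New("gateway: raw track reads are never forwarded")
	ErrAmountMismatch     = errors.New("gateway: amount does not match the open bill")
	ErrNoTransaction      = errors.New("gateway: no transaction in flight for this bill")
)

// Gateway sits between the PoS LAN and the EPT. It is the only host allowed to
// talk to the terminal, so every command and result passes through Filter/Result.
type Gateway struct {
	allowedPoS map[string]bool  // PoS addresses permitted to originate commands
	openBills  map[string]int64 // billing database: bill id -> amount due, cents
	inFlight   map[string]int64 // bill id -> amount currently presented to the EPT
}

func NewGateway(posAddrs []string, bills map[string]int64) *Gateway {
	g := &Gateway{allowedPoS: map[string]bool{}, openBills: bills, inFlight: map[string]int64{}}
	for _, a := range posAddrs {
		g.allowedPoS[a] = true
	}
	return g
}

// Filter decides whether a PoS-side command may be forwarded to the EPT.
func (g *Gateway) Filter(src string, c Command) error {
	if !g.allowedPoS[src] {
		return fmt.Errorf("%w: %s", ErrUnauthorisedSource, src)
	}
	switch c.Kind {
	case CmdCardSwipe: // Attack 1: track data must never leave the EPT
		return ErrRawTrackRead
	case CmdDeduct: // Attack 6: the amount must be the one the bill says
		due, known := g.openBills[c.BillID]
		if !known || due != c.Cents {
			return fmt.Errorf("%w: bill %s, requested %d", ErrAmountMismatch, c.BillID, c.Cents)
		}
		if _, busy := g.inFlight[c.BillID]; busy {
			return fmt.Errorf("gateway: bill %s already in flight", c.BillID)
		}
		g.inFlight[c.BillID] = c.Cents
		return nil
	case CmdAbort: // only the PoS may abort, and only a transaction that exists
		if _, busy := g.inFlight[c.BillID]; !busy {
			return ErrNoTransaction
		}
		delete(g.inFlight, c.BillID)
		return nil
	case CmdPrintReceipt:
		return nil
	}
	return fmt.Errorf("gateway: unknown command %d", c.Kind)
}

// Result checks an EPT "payment successful" message against what the gateway
// itself sent to the terminal, so a faked success for a different amount is
// not relayed to the PoS.
func (g *Gateway) Result(billID string, paidCents int64, success bool) error {
	expected, busy := g.inFlight[billID]
	if !busy {
		return ErrNoTransaction
	}
	delete(g.inFlight, billID)
	if success && paidCents != expected {
		return fmt.Errorf("%w: EPT reported %d, %d was requested", ErrAmountMismatch, paidCents, expected)
	}
	if success {
		delete(g.openBills, billID) // bill settled
	}
	return nil
}

func main() {
	// Constructed scenario: the MacBook sale from the slides, bill B-1001 for 2.000 €.
	g := NewGateway([]string{"10.0.1.5"}, map[string]int64{"B-1001": 200000})
	fmt.Println("PoS deduct:    ", g.Filter("10.0.1.5", Command{Kind: CmdDeduct, BillID: "B-1001", Cents: 200000}))
	fmt.Println("phone abort:   ", g.Filter("10.0.1.77", Command{Kind: CmdAbort, BillID: "B-1001"}))
	fmt.Println("faked success: ", g.Result("B-1001", 200, true))
	fmt.Println("PoS card swipe:", g.Filter("10.0.1.5", Command{Kind: CmdCardSwipe, BillID: "B-1001"}))
}
```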
EPT: Situation overview
• Fraud volume: the SEPA area in 2012 had € 1 billion according to the ECB;
unfortunately EPT/PoS fraud and ATM fraud are combined in this
report
• In contrast to ATMs, the Electronic Payment world widely lacks
regulation unless the merchant does the CC processing themselves
(in this case, the strict PCI DSS ruleset applies)
• Lack of standardization; home-grown solutions dominate the
market
• „Security by obscurity“ and „Security by not looking“ are the most
common security guidelines
• Biggest threat for merchants: their own staff
– Ignorant of security issues (e.g. the CardSwipe attack, or plugging in an
attacker‘s smartphone to charge it)
– Malevolent, actively involved, e.g. by installing network taps
– Infiltration by external entities
EPT: Situation overview
• Merchants and hardware/software vendors don‘t really
take care of security unless something happens
• Small merchants most often have no IT security
experience and background, most also don‘t consult IT
security experts when setting up their systems
• Even big EPT vendors do not distribute basic IT security
guidelines (like network separation) to their clients,
most people simply plug their EPTs into their LAN
without taking any further care
• The author has seen even internet cafés with the EPTs
reachable from the café computers… and the café
provided open WiFi!
02.06.2014 60Marco Schuster, CashPOINT
EPT: What Is Badly Missing
• The ZVT protocol should be phased out and replaced by OPI or a successor. It is too complex, and subtle implementation differences make software development harder (and thus more error-prone)
• OPI should be revised to include mandatory transport encryption using well-known cryptography (e.g. TLS) as well as authentication, both of the PoS-EPT relationship and of access rights
• EPT receipts and data communication should include digital signatures to prevent MITM attacks or forgery
– The INSIKA project, digitally signing receipts with ECC to prevent tax fraud, can serve as a technology demonstrator: verification of a receipt is possible for everyone, without access to the store systems
– These digital signatures should also be device-unique to prevent EPT swap attacks
• The card swipe should be eliminated for every kind of usage, including customer loyalty programs. Magstripe technology has simply proven to be totally insecure and rife with fraudsters. Current usage is, next to credit cards, also the German OLV (Offline Lastschrift-Verfahren)
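An added example in Go of the device-unique receipt signatures asked for above (this is not INSIKA's or any vendor's code): each terminal signs a canonical encoding of its receipts with its own P-256 key, and anyone holding only the published table of terminal public keys can verify a receipt, while a tampered amount, an unregistered terminal (a swapped EPT) or a receipt signed with another device's key under this terminal's ID is rejected. The receipt fields, terminal serials, timestamps and amounts are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"strconv"
	"strings"
)

// Receipt carries the fields that go under the signature. This is a constructed
// subset; a real receipt has more lines (VAT, masked card data, ...).
type Receipt struct {
	TerminalID string // serial of the EPT that produced the receipt
	ReceiptNo  uint64 // per-terminal counter, makes each receipt unique
	Timestamp  string // as printed on the receipt
	Cents      int64
	Currency   string
}

// canonical returns the exact bytes that are hashed and signed. Each field is
// length-prefixed so that no field boundary can be shifted by a forger.
func (r Receipt) canonical() []byte {
	var b strings.Builder
	for _, f := range []string{r.TerminalID, strconv.FormatUint(r.ReceiptNo, 10),
		r.Timestamp, strconv.FormatInt(r.Cents, 10), r.Currency} {
		fmt.Fprintf(&b, "%d:%s,", len(f), f)
	}
	return []byte(b.String())
}

// Terminal models one EPT with its own key pair. In a real device the key is
// generated inside the terminal at personalisation and never leaves it.
type Terminal struct {
	ID   string
	priv *ecdsa.PrivateKey
	next uint64
}

func NewTerminal(id string) (*Terminal, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Terminal{ID: id, priv: k, next: 1}, nil
}

// Public is what gets published in the registry; the private key stays inside.
func (t *Terminal) Public() *ecdsa.PublicKey { return &t.priv.PublicKey }

// Sign issues the next receipt of this terminal and its ECDSA (P-256, SHA-256)
// signature, which would be printed on the receipt (e.g. as a barcode).
func (t *Terminal) Sign(ts string, cents int64, currency string) (Receipt, []byte, error) {
	r := Receipt{TerminalID: t.ID, ReceiptNo: t.next, Timestamp: ts, Cents: cents, Currency: currency}
	t.next++
	h := sha256.Sum256(r.canonical())
	sig, err := ecdsa.SignASN1(rand.Reader, t.priv, h[:])
	return r, sig, err
}

// Registry maps terminal serials to their public keys. Anyone holding this
// published table (tax auditor, customer, bank) can verify a receipt without
// access to the store's systems.
type Registry map[string]*ecdsa.PublicKey

// Verify rejects receipts from unknown terminals (swapped or rogue EPT),
// receipts whose fields were altered, and receipts signed with another
// device's key under this terminal's ID.
func (reg Registry) Verify(r Receipt, sig []byte) error {
	pub, ok := reg[r.TerminalID]
	if !ok {
		return fmt.Errorf("terminal %q is not registered", r.TerminalID)
	}
	h := sha256.Sum256(r.canonical())
	if !ecdsa.VerifyASN1(pub, h[:], sig) {
		return fmt.Errorf("signature on receipt %d of %s does not verify", r.ReceiptNo, r.TerminalID)
	}
	return nil
}

func main() {
	ept, err := NewTerminal("ept-A") // constructed terminal serial
	if err != nil {
		panic(err)
	}
	reg := Registry{ept.ID: ept.Public()}
	r, sig, _ := ept.Sign("2014-06-02T10:15:00Z", 500, "EUR")
	fmt.Println("genuine receipt:", reg.Verify(r, sig))
	r.Cents = 50 // a forger lowers the amount after the fact
	fmt.Println("tampered receipt:", reg.Verify(r, sig))
}
```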
EPT: How To Revise OPI
1. The entire development process for an OPI successor MUST be done fully in public, led by one working group. The OPI situation where one part of the spec is authored by Wincor and another part is authored by CCV or other vendors must not be repeated.
2. The new specification (called hereafter SPT – „Secure Payment Transport“) must support TLS encryption and public-key authorization using robust cryptography from the beginning and require it for all communication.
3. The entire payment terminal software, or at the very least the stacks responsible for communications, MUST be open-sourced. Security by obscurity is not an option anymore.
Summary: Customers
• Ask your bank to deactivate the magstripe so that in the event the card becomes stolen or cloned, the clone is useless
• Do not write the PIN down on the cards or in your pockets…
• Do not use simple PINs if you can choose them (especially not 0000, 1234 and the likes)
• Do not throw away payment receipts, black them out with a lighter or an old clothing iron first (receipts are printed on thermal-sensitive paper)
• Get IT consulting and keep your computer safe! Basic anti-virus solutions are free for personal use and keep a lot of the script-kiddies away.
• Use an ad blocker, ad networks are a very effective way of malware distribution
• If you can afford it: use a secondary computer only for banking, preferably with a Linux system booted from CD-ROM.
• Do not do online banking in internet cafés, public WiFis or on any other system out of your control!
• Do not do online banking on smartphones, if possible.
• Use encryption features of your computers and smartphones.
Summary: banks / ATM owners / Payment processors
• Banks already know most of the contents of this talk
• But a number of companies operate private ATMs, e.g. for employees, or host ATMs of banks
• Customers need to be educated about security, especially small-business clients. This is overlooked often enough.
• Provide all customers with basic IT consulting for free
• In the event of a card data breach, you are the ones who have to pay the upfront costs as well as bear the loss of customer trust resulting from the breach and the inconvenience observed in the Target hack, when CCs had to be revoked right during Christmas shopping!
• Magstripe solutions MUST be eradicated world-wide, the sooner the better for everyone. No excuses.
• Invest in security consulting and pen testing!
• If you decide to cooperate and make standards, do so in the open. Invite the community to work with you
• Make standards available free of charge so they can be inspected for security issues!
Summary: merchants accepting cards
• Get external IT and security consulting
• Even the $10/h CS student from next door is better than no consulting at all (simply plugging in the EPT/PoS and hoping it works)
• Do not fall for anyone claiming to „guarantee security“. The bad guys are always at an advantage
• The harder you make it for thieves and hackers to invade your security, the more likely it is they'll just go away and find someone easier to exploit
• Basic IT security and procedures do not cost much to implement; lots of them are even free
• This includes AV and firewall solutions
• Keep up with the IT world – most business areas have their own focused news magazines, regularly carrying information relevant to IT
• Update your systems as soon as patches arrive!
• When vendors discontinue a product, replace it as soon as possible. Unsupported (and therefore unpatched) systems are a prime target for hackers
Summary: software developers / IT Consulting
• Educate yourself about IT security
• Collaborate with others, hire others to check your security work
• Do not roll your own crypto, use well-known building blocks from known-good sources
• Even if OpenSSL and GnuTLS have had their major issues: these libraries are far less likely to contain bugs than your own crypto
• Publish your source code. Given enough eyeballs, all bugs are shallow
• Do not make any assumptions when building threat models (e.g. do not assume that no unauthorized people can enter the premises without monitoring)
• If you experience a breach, tell others about it. It may be shameful, it may cost your company some clients, but it is better for the whole community
• Assume all user input and all communications to be hostile. Do not skip security because „an RS232 link cannot be monitored, hijacked or manipulated“ or the likes.
• Do not consider a small merchant an unlikely target for hackers. Bad guys are after the cards, not after the merchant
• Do not use low-level security just because the ROI is too low. Security is paramount in a world filled with crooks
References
• ATM USB stick infection: http://www.extremetech.com/extreme/173701-atms-running-windows-xp-robbed-with-infected-usb-sticks-yes-most-atms-still-run-windows
• ATM network infiltration (by installing a cellphone!): http://www.postcut.com/computer-technology/using-mobile-phone-to-hack-atm-machine-with-an-sms.html
• ATM PIN pad security: http://hackedgadgets.com/2006/12/01/atm-pin-numbers-hacked/
• Fake smart cards hacking ATMs: http://krebsonsecurity.com/2014/05/thieves-planted-malware-to-hack-atms/
• Manipulated fuel pumps: http://www.ruhrnachrichten.de/staedte/castrop/Manipulierte-SB-Tankstelle-geschlossen;art934,1213712
• ATM hacker who published the common-hardware-key vulnerability at Black Hat 2010, died in July 2013: http://bigstory.ap.org/article/hacker-who-made-atms-spit-out-cash-dies-calif
• EPTs manipulated during burglary: http://www.bild.de/news/leserreporter/kreditkartenbetrug/fg-ec-karten-betrug-an-der-supermarkt-kasse-20937022.bild.html
• ECB fraud report 2012: http://www.ecb.europa.eu/pub/pdf/other/cardfraudreport201207en.pdf

More Related Content

PPSX
Broken Authentication & authorization
PPTX
Bug Bounty - Play For Money
PDF
Introduction to Blockchain
PPTX
Virus and Worms
PPTX
Bug Bounty 101
PPTX
Ssh tunnel
PDF
OWASP API Security Top 10 Examples
PPTX
Blockchain and bitcoin fundamentals (usages and applications)
Broken Authentication & authorization
Bug Bounty - Play For Money
Introduction to Blockchain
Virus and Worms
Bug Bounty 101
Ssh tunnel
OWASP API Security Top 10 Examples
Blockchain and bitcoin fundamentals (usages and applications)

What's hot (20)

PPTX
AES Encryption
PDF
BlockChain Public
PPTX
Modes of Operation
PDF
Offzone | Another waf bypass
PPTX
Bug Bounty for - Beginners
PDF
Understanding domino memory 2017
PDF
Adaptive Authentication: What, Why and How?
PDF
Android Security & Penetration Testing
PPTX
Computer Malware and its types
PPTX
Netcat - A Swiss Army Tool
PPTX
WannaCry ransomware attack
PPTX
Kafka vs kinesis
PPTX
Bug Bounty #Defconlucknow2016
PPT
iOS Application Pentesting
PDF
Blockchain Security Issues and Challenges
PPTX
BlueHat v17 || Dangerous Contents - Securing .Net Deserialization
PDF
Polyglot payloads in practice by avlidienbrunn at HackPra
PPTX
Introduction to Malware Analysis
PPTX
One Time Password - A two factor authentication system
PPTX
Securing the LAN Best practices to secure the wired access network
AES Encryption
BlockChain Public
Modes of Operation
Offzone | Another waf bypass
Bug Bounty for - Beginners
Understanding domino memory 2017
Adaptive Authentication: What, Why and How?
Android Security & Penetration Testing
Computer Malware and its types
Netcat - A Swiss Army Tool
WannaCry ransomware attack
Kafka vs kinesis
Bug Bounty #Defconlucknow2016
iOS Application Pentesting
Blockchain Security Issues and Challenges
BlueHat v17 || Dangerous Contents - Securing .Net Deserialization
Polyglot payloads in practice by avlidienbrunn at HackPra
Introduction to Malware Analysis
One Time Password - A two factor authentication system
Securing the LAN Best practices to secure the wired access network

Viewers also liked (12)

DOCX
POF Internship report ali raza 12-ENC-33
DOCX
Our PPPServices
PPTX
CCS Analytics
PDF
Building North America's Uranium Supply
PPTX
E payment system
PPTX
World trade in uranium
PPTX
Payment modes
PPTX
Loans and advances
DOC
DOA LEASE 6+2...
DOCX
Procedure
PDF
Introdution to POF reliability methods
POF Internship report ali raza 12-ENC-33
Our PPPServices
CCS Analytics
Building North America's Uranium Supply
E payment system
World trade in uranium
Payment modes
Loans and advances
DOA LEASE 6+2...
Procedure
Introdution to POF reliability methods

Similar to How to hack stuff for cash (20)

PDF
CONFidence 2014: Yaniv Miron: ATMs – We kick their ass
PDF
Kochetova+osipv atm how_to_make_the_fraud__final
DOCX
Automated Teller Machine
PPTX
ATM Security Workshop on GISEC 2024 Conference
PDF
Hack your ATM with friend's Raspberry.Py (Black Hat EU-2014)
PPTX
Automated Teller Machine
PPT
Atm Presentationgp2
PPTX
Atm machine
PPTX
[CB16] ATMS how to break them to stop the fraud. by Olga Kochetova & Alexey O...
PDF
atm hacking and cyber security atm security.pdf
PDF
Revisiting atm vulnerabilities for our fun and vendor’s
PPTX
PDF
Cyber Attacks on Financial _ Vikjava
PDF
A survey on security measures implemented to detect burglary at the atm
PPTX
automated teller machines
PDF
DTS Solution - Hacking ATM Machines - The Italian Job Way
PPTX
An ATM With Third Eye The Future’s Technological Innovation
PPT
ATM Frauds and Solutions
CONFidence 2014: Yaniv Miron: ATMs – We kick their ass
Kochetova+osipv atm how_to_make_the_fraud__final
Automated Teller Machine
ATM Security Workshop on GISEC 2024 Conference
Hack your ATM with friend's Raspberry.Py (Black Hat EU-2014)
Automated Teller Machine
Atm Presentationgp2
Atm machine
[CB16] ATMS how to break them to stop the fraud. by Olga Kochetova & Alexey O...
atm hacking and cyber security atm security.pdf
Revisiting atm vulnerabilities for our fun and vendor’s
Cyber Attacks on Financial _ Vikjava
A survey on security measures implemented to detect burglary at the atm
automated teller machines
DTS Solution - Hacking ATM Machines - The Italian Job Way
An ATM With Third Eye The Future’s Technological Innovation
ATM Frauds and Solutions

Recently uploaded (20)

PDF
Prescription1 which to be used for periodo
PPTX
STEEL- intro-1.pptxhejwjenwnwnenemwmwmwm
PPTX
Lecture 3b C Library _ ESP32.pptxjfjfjffkkfkfk
PPTX
02fdgfhfhfhghghhhhhhhhhhhhhhhhhhhhh.pptx
DOCX
fsdffdghjjgfxfdghjvhjvgfdfcbchghgghgcbjghf
PPTX
Embeded System for Artificial intelligence 2.pptx
PPTX
code of ethics.pptxdvhwbssssSAssscasascc
PDF
Layer23-Switch.com The Cisco Catalyst 9300 Series is Cisco’s flagship stackab...
PPTX
Syllabus Computer Six class curriculum s
PDF
-DIGITAL-INDIA.pdf one of the most prominent
PPT
Hypersensitivity Namisha1111111111-WPS.ppt
PPTX
title _yeOPC_Poisoning_Presentation.pptx
PDF
How NGOs Save Costs with Affordable IT Rentals
PPTX
Embedded for Artificial Intelligence 1.pptx
PPT
FABRICATION OF MOS FET BJT DEVICES IN NANOMETER
PPTX
Nanokeyer nano keyekr kano ketkker nano keyer
PPTX
Computers and mobile device: Evaluating options for home and work
PPTX
Sem-8 project ppt fortvfvmat uyyjhuj.pptx
PPTX
Operating System Processes_Scheduler OSS
PPTX
sdn_based_controller_for_mobile_network_traffic_management1.pptx
Prescription1 which to be used for periodo
STEEL- intro-1.pptxhejwjenwnwnenemwmwmwm
Lecture 3b C Library _ ESP32.pptxjfjfjffkkfkfk
02fdgfhfhfhghghhhhhhhhhhhhhhhhhhhhh.pptx
fsdffdghjjgfxfdghjvhjvgfdfcbchghgghgcbjghf
Embeded System for Artificial intelligence 2.pptx
code of ethics.pptxdvhwbssssSAssscasascc
Layer23-Switch.com The Cisco Catalyst 9300 Series is Cisco’s flagship stackab...
Syllabus Computer Six class curriculum s
-DIGITAL-INDIA.pdf one of the most prominent
Hypersensitivity Namisha1111111111-WPS.ppt
title _yeOPC_Poisoning_Presentation.pptx
How NGOs Save Costs with Affordable IT Rentals
Embedded for Artificial Intelligence 1.pptx
FABRICATION OF MOS FET BJT DEVICES IN NANOMETER
Nanokeyer nano keyekr kano ketkker nano keyer
Computers and mobile device: Evaluating options for home and work
Sem-8 project ppt fortvfvmat uyyjhuj.pptx
Operating System Processes_Scheduler OSS
sdn_based_controller_for_mobile_network_traffic_management1.pptx

How to hack stuff for cash

  • 1. How to hack stuff for cash Weaknesses in ATMs and PoS systems and how to exploit them 02.06.2014 1Marco Schuster, CashPOINT
  • 2. About me • Name: Marco Schuster • Working in the IT industry since over 15 years, 8 of which as small business in Germany • Developer of CashPOINT PoS software • Maintainer of PHP PC/SC smartcard communication interface • Experience in Windows / Linux client and server management, Web service development, Web security, smart card development using BasicCard • Homepage: http://cashpoint-pos.de • Mail: marco@m-s-d.eu 02.06.2014 2Marco Schuster, CashPOINT
  • 3. About this talk • This talk presents an overview of the most commonly used attack vectors on ATMs (Automated Teller Machines), PoS (Point of Sale) software and EPTs (Electronic Payment Terminal). • Part I shows the weaknesses in ATMs as well as ways to exploit them, ordered by the „commonness“ factor (i.e. how many crimes are committed using the vector and how widespread this type of crime is) • Part II shows the weaknesses and exploits in PoS/EPT systems, ordered as above • At the end, there will be a summary of the most important points in this talk 02.06.2014 3Marco Schuster, CashPOINT
  • 4. Glossary • ATM: Automated Teller Machine, a machine distributing / accepting cash for bank customers • CC: credit card / customer card • EFT: Electronic Financial Terminal • EPT: Electronic Payment Terminal • EMV: Europay/MasterCard/Visa, a network of card issuing companies who developed an internationally compatible standard of communicating with payment smart cards in order to have a secure replacement for mag-stripe cards • Mag stripe: magnetic, usually black stripe on the back side of CCs, containing three tracks for storing data • PoS: Point Of Sale terminal 02.06.2014 4Marco Schuster, CashPOINT
  • 5. Glossary • RFID: Radio Frequency Identification, once passive-only the term has now expanded to also include active- processing capable cards and tags. Early models only could respond with a unique ID, modern ones are essentially micro-computers with sophisticated crypto and processing capabilities • TEMPEST: also known as „van-Eck-Phreaking“, passive interception of radio frequency emissions of a device in order to obtain internal, presumed protected, data like cryptographic keys • ZVT / OPI: two protocols for PoS-EPT communication 02.06.2014 5Marco Schuster, CashPOINT
  • 6. Part I: ATMs • ATMs are basically just computers • Most ATMs run Windows, most of these still run XP (as evidenced by lots of panic-ridden news articles when MS discontinued XP support) • Depending on the operator, these XP machines may or not may be subject to the usual MS patch days => hackers have a considerable time window to exploit stuff • Connectivity is provided in different ways: – (A)DSL modems+routers embedded into the ATM – Ethernet connections supplied by the location where the ATM is set up (e.g. inside a bank an ATM will likely use the building‘s network infrastructure) – WiFi – 3G/UMTS in remote locations 02.06.2014 6Marco Schuster, CashPOINT
  • 7. ATMs: components • ATMs usually consist of the following components: – TFT or tube monitor with softkeys and / or touchpanel interface – Card slot – PIN pad – Cash dispenser, inside a rugged safe – Some models: cash acceptors / bill recyclers – Some models: receipt printer – Some models: 3.5mm jack or speakers for the blind – Alarm systems, anti-hijack measures, UPS 02.06.2014 7Marco Schuster, CashPOINT
  • 8. Photo: component diagram Component overview of a bank kiosk (without cash dispenser) Source: http://www.eworldco.cc/atmposkiosk 02.06.2014 8Marco Schuster, CashPOINT
  • 9. ATMs: weaknesses • Obvious: steal the entire ATM – People have been observed to even rip ATMs out of walls and loading them onto pickups – Counter measure: equip cash safe with irreversible marking ink, equip ATM with battery-backed GPS trackers, reinforce mountings • Obvious: blow up the ATM using gas – Following media reports, this type of crime has risen, with massive damage for next to zero booty; most attacked targets are ticket vending machines – Counter measure: fill empty areas with foam or inert gas, add gas warning sensors or even catalysts to decompose the gas 02.06.2014 9Marco Schuster, CashPOINT
  • 10. Side note: using gas to blow up ATMs • Gas source: liquid gas, commonly available in tobacco stores for lighter refill or by emptying desodorant cans using propane/butane as carrier/propelllant • 300ml liquid propane/butane gas mix cost approx. 2-3 € • 1 liter liquid gas expands to a volume of 260 liters => one of these refill bottles can be emptied for approx. 86 liters of gas • Propane/butane gas has a very narrow ignition window: depending on the mixture ratio of propane and butane, ignition and explosion can happen only at 1.5 to 9.5% mixture ratio with oxygen 02.06.2014 10Marco Schuster, CashPOINT
  • 11. Side note: using gas to blow up ATMs • If the thief doesn‘t put enough gas into the machine to achieve explosion, there‘s no risk for anyone • If the thief puts in too much gas, though, and leaves the ATM because of the failed explosion, he creates a time bomb! As soon as due to air flow enough oxygen replaces gas, it only needs a single spark to ignite the ATM and potentially kill or severely injure random bypassers • Sparks need not necessarily originate inside the machine (brush-using fans), users can „generate“ sparks by static discharge on the grounded metal chassis • Gas attacks haven‘t only targeted ATMs, but also gambling machines, ticket vending machines (even one in direct line of view of a prison and a police station in Germany) 02.06.2014 11Marco Schuster, CashPOINT
  • 12. ATMs: weaknesses • Obvious: wait near stand-alone ATMs in lonely areas and extort money from people at gun/knife point or pickpocket them • Pretty common: „Lebanese loop“ – Prevent cash or customer card from exiting the ATM by blocking dispenser flap – wait nearby to offer „assistance“ (act as if you are service personnel, note down customer data and later on take the cash) – Addition: replace stickers with the bank‘s phone number with one controlled by the con artists • Pretty common: card skimming – Install a magstripe skimmer and either a double „PIN pad“ or a camera to record the PIN – Only install a card skimmer and clone the data onto a blank card to use for shopping (where no PIN is required) – Countermeasure: widespread implementation of smartcard chip (EMV chip), which cannot be skimmed or cloned 02.06.2014 12Marco Schuster, CashPOINT
  • 13. Photo: Lebanese Loop 02.06.2014 13Marco Schuster, CashPOINT A simple Lebanese Loop Source: http://scams.wikispaces.com/Lebanese+Loops
  • 14. Photo: ATM skimmer Left: skimmer, right: PIN-recording camera Source: http://www.hoax-slayer.com/atm-skimming.html 02.06.2014 14Marco Schuster, CashPOINT
  • 15. Photo: Double PIN pad 02.06.2014 15Marco Schuster, CashPOINT Double PIN pad Source: http://forum.tz-uk.com/showthread.php?257253-Latest-cashpoint-scam
  • 16. ATMs: weaknesses • Highly advanced: software manipulation of the ATM – Method A: simply command the ATM to dump the entire cash in the safe – Method B: make the ATM record magstripe data and / or bank account numbers as well as the PIN – Needs some form of hardware access to the ATM – Some ATM models have common, manufacturer-supplied keys allowing access to the computer or maintenance ports… • Highly advanced: network infiltration – Needs an ATM with known remote vulnerability – Needs direct access into the network – e.g. by attacking the building wiring 02.06.2014 16Marco Schuster, CashPOINT
  • 17. ATMs: attacking the network • Many banks have 24/7 operations, outside of normal business hours the premises are not actively guarded • Some banks do not protect their Ethernet cables (or worse: the sockets) • Attack vector: insert a small wireless router or a network tap, either by plugging into the sockets or hot-wiring the Ethernet cable • Infiltration is best done by posing / working as cleaning personel (low pay jobs, mostly done by subcontractors without rigorous security checks) • If done right, a network-sided IDS cannot detect this (not a single packet with wrong MAC address may leave the device, every „spoofed“ packet must be rewritten) 02.06.2014 17Marco Schuster, CashPOINT
  • 18. ATMs: attacking the network • Needs a remote executable vulnerability (as ATM-to- clearinghouse communication is heavily encrypted)… turns out these are PLENTY: http://www.exploit- db.com/platform/?p=windows • I can haz root access? • Now the hacker is free to mess with the machine – including launching the debug or maintenance tools and dumping the cash in the safe 02.06.2014 18Marco Schuster, CashPOINT
  • 19. Photo: WLAN tap This is a DWL-G730AP micro router, smaller than a box of cigarettes Photo: http://www.prisguide.no/produkt/d-link-dwl-730ap-pocket-ap-router-23115 02.06.2014 19Marco Schuster, CashPOINT
  • 20. ATMs: attacking the machine • Certain models have front-side USB connectors, exposed upon opening maintenance hatches • These can be drilled open – and the hole filled with a plastic cap (see references for news article) • Hackers just open the plastic cap and attach devices like a Rubber Ducky which act as keyboards, or Android cellphones exposing a HID keyboard and a USB mass storage to hold the malware • Countermeasure: disable the USB port using a hardware switch (cut D+/D- lines) not accessible by drilling, and remote-notify NOC upon attachment of any USB peripheral 02.06.2014 20Marco Schuster, CashPOINT
  • 21. ATMs: attacking the machine Multiple exploit vectors for the malware: – „Hit and run“: command ATM to dispense the cash and reboot to eliminate the traces – Persistent malware: • Harvest CC / magstripe data • sniff the PIN pad or the softkeys for a secret pattern which initiates the malware • dump the cash or print harvested CC data on a receipt printer – Network spread: spread to other ATMs or even the bank network 02.06.2014 21Marco Schuster, CashPOINT
  • 22. ATMs: attacking the machine • Certain models have been known to utilize manufacturer-supplied, common keys to allow access to the computer compartment – no need for drilling, no visible traces of forced entry! • Some hackers (see references) have installed cellphones or 3G sticks inside the ATM to obtain remote access – as long as the only people opening the ATMs are the guys refilling the safes this isn‘t noticeable due to the incredibly small size of these devices 02.06.2014 22Marco Schuster, CashPOINT
  • 23. Photo: USB Rubber Ducky USB Rubber Ducky, US$ 39.90 Photo + Shop: https://hakshop.myshopify.com/products/usb-rubber-ducky-deluxe 02.06.2014 23Marco Schuster, CashPOINT
  • 24. ATMs: weaknesses • Highly advanced: manipulated smartcards – Fully programmable smart cards with even low-level output manipulation: „BasicCard“ by ZeitControl (http://www.basiccard.com/), cost 5.50 € for 32kByte storage => enough for common trojan payloads or stub loaders! – Modern banking cards also allow RFID communication (e.g. German Sparkasse cards), used as a security feature (anti cloning) – Other attack way (used e.g. in 2014-05 in Macau): interception of smartcard commands to e.g. manipulate payment authorisation • Extremely advanced: TEMPEST attacks – Record RF emissions from the computer or the components – Up to a couple of years ago, the components required were only affordable by state-level actors – These days, even amateurs can conduct TEMPEST research, the only barrier is the level of knowledge required 02.06.2014 24Marco Schuster, CashPOINT
  • 25. Smart Card overview • Smart cards are surprisingly complex… • Low level communication: standard ISO 7816 • Low level either handled by combination of microprocessor in the card reader and the OS driver (Windows/Linux/OSX: PC/SC library) or by dedicated microcontroller • Data transfer between app and card is in APDU format (Application Data Unit), essentially a binary protocol with request and responses • Old versions: 256 bytes input, 256 bytes response, with extension up to 65536 bytes 02.06.2014 25Marco Schuster, CashPOINT
  • 26. Smart Card overview • Weakness is obvious: higher-level stacks assuming only 256 bytes return length get more than 256 bytes from the PC/SC stack… buffer overflows to the hacker‘s aid! • Next weakness: most high-level communication stacks assume TLV (Tag-Length-Value) format => overflow the Length byte and cause random memory seeks, strcpy overflows,… • Depending which part of the stack you exploit, you have different possibilities 02.06.2014 26Marco Schuster, CashPOINT
  • 27. Photo: Fake smart cards Smartcard emulators, manipulated smartcards Source: http://krebsonsecurity.com/2014/05/thieves-planted-malware-to-hack-atms/ 02.06.2014 27Marco Schuster, CashPOINT
  • 28. ATMs: TEMPEST attacks • Inarguably, TEMPEST attacks are the by far most dangerous attacks since some TEMPEST forms even work over dozens of meters of distance between attacker and target • For now, TEMPEST attacks are rare due to the high knowledge required to execute them • Multiple attack vectors: even the power lines can be used to derive cryptographic keys! 02.06.2014 28Marco Schuster, CashPOINT
  • 29. ATMs: TEMPEST attacks • New RFID functionality in banking cards, used as security measure, can infact even endanger the system – what happens when a smartcard is talked to simultaneously by RFID and by wire? How robust are the smartcard operating systems? • Currently, TEMPEST protection is only required by military or secret service for their IT devices – this is bound to change! • As traditional card/ATM fraud attacks becomes harder, hacker groups will redirect substantial financial and R&D resources to TEMPEST attacks 02.06.2014 29Marco Schuster, CashPOINT
  • 30. ATMs: Situation overview • Volume of ATM and card clone fraud: SEPA area approx. € 1 billion in 2012 according to ECB • Constant arms race between ATM manufacturers and criminals • card cloning occurs in „rich“ Western countries with high-secure ATMs and everything • Usage of the cloned cards mostly happens in lesser developed countries like the former Soviet bloc and Mexico where ATMs still accept magstripe-only cards and security awareness is not widespread • With these sums at stake, the chance is high that criminal enterprises will research and employ previously unheard-of tactics like TEMPEST compared to earlier, more common tactics • Development of „kits“ for usage by small criminals has been observed in the gambling fraud industry as well as in the card-fraud industry, this trend is likely to rise 02.06.2014 30Marco Schuster, CashPOINT
  • 31. Part II: PoS software • PoS (Point of Sale) systems are software systems used by cashiers, barkeepers etc. in all kinds of retail stores • Usage sometimes required by law (e.g. in Belgium for bars) • PoS systems widely vary in functionality (and price) – Simple ones just allow receipt printing – Full-blown solutions like SAP or CashPOINT allow entire business management, including customer management, payment tracking and more – Depending on legislation, a „fiscal memory“ may be required to allow tax authorities to check revenue/sales records for tax fraud • Standalone systems or server-based systems, some even with mobile device support 02.06.2014 31Marco Schuster, CashPOINT
  • 32. PoS: Weaknesses • Obvious: Manipulation by clerks – Tax fraud by entering wrong VAT rates (takeaway vs in- house) – Overcharging customers (e.g. in bars, strip clubs, discotheques) – Deletion of receipt positions • Obvious: fraudulent swiping of credit cards by clerks – Clerk takes customer‘s CC to the payment terminal and silently swipes it through a cloner or a Stripe reader – Double swipe of the same amount – Weakness of the system: CC swiping does not require PIN authorisation! 02.06.2014 32Marco Schuster, CashPOINT
  • 33. PoS: Weaknesses • Advanced: Many PoS systems in the US work directly with raw magstripe data from credit cards – Magstripe / CC data usually must be strongly protected and encrypted – This is how Target was hacked – the hacker manipulated the PoS software to silently record CC data – Countermeasure: dedicated, protected terminals (EFT – Electronic Financial Terminal / EPT – Electronic Payment Terminal) which do not store data on the terminal, but in a centralized clearing house • European system usually works with central clearing houses and Chip+PIN (aka EMV), eliminating swipe fraud 02.06.2014 33Marco Schuster, CashPOINT
  • 34. Photo: EPT (CCV VX680) CCV VX680 EPT http://www.ccv.eu/web/ALLCASH-de/ecTerminals/ecTerminals/CCV-Mobile-VX-680-3.htm 02.06.2014 34Marco Schuster, CashPOINT
  • 35. PoS: Communication with EPTs • This describes ONLY the situation in Germany, I am not familiar with US EPT systems • Mode 1: the cashier enters the amount by hand and just takes the receipts => manipulation only possible with CCs without EMV enforcement, everything other requires customer PIN • Mode 2: PoS system transfers commands to EPT by RS232, LAN or WiFi; EPT and PoS work together to execute the payment 02.06.2014 35Marco Schuster, CashPOINT
  • 36. EPT: Communication with PoS • Two widely adopted protocols, both developed by vendors Wincor, CCV and others – ZVT • old, REALLY old protocol with structures and handling similar to smartcard APDUs • Same weaknesses apply here: boundary overflows, widespread, subtle differences in implementations across vendors • CONSTANT upgrade of stacks required in order to be able to parse the binary protocol! • Communication via RS232 or wrapped in TCP/IP • Open specification – OPI (Open Payments Initiative) • XML messages transferred by TCP/IP allow usage of robust, well-tested software stacks • Specification not public, but freely obtainable from CCV and Wincor • Neither ZVT nor OPI support any form of encryption or message authentication! Only the clearinghouse communication is encrypted 02.06.2014 36Marco Schuster, CashPOINT
37. EPT: Communication with PoS
• The PoS transfers high-level commands to the EPT, the EPT acts and returns a response
• Commands include stuff like „Deduct payment, refund payment, Increase/decrease loyalty card points, Sync with clearing house, Read raw magstripe data“
• YES. „Read raw magstripe data“ or „CardSwipe“ (OPI). This is no joke. It will return the raw data of all three tracks of any mag stripe.
• EPTs respond to pings; while ZVT does not require a specific port, OPI hard-wired TCP 20007 – thus making discovery incredibly easy
38. EPT: Normal payment data/command flow
1. Cashier presses „Pay Card“ button on PoS
2. PoS software sends „Deduct 5.00 €“ to EPT
3. EPT asks customer to insert card or swipe card
4. Customer does as required – if the PoS determines that a PIN is required, then the EPT accepts the PIN, else the customer has to sign the backside of the merchant receipt
5. EPT returns „Payment successful“ or „Payment denied“ to PoS
39. EPT: Attack 1 – manipulated PoS software
• Now, we assume a manipulated PoS…
1. Cashier presses „Pay Card“ button
2. PoS software sends „Swipe Card“ command to EPT
3. EPT tells customer „Swipe card…“
4. Customer assumes that EPT wants a swipe payment => swipes card
5. EPT returns all three tracks to PoS
6. PoS (trojan) stores the track data
7. PoS sends „Deduct 5.00 €“ to EPT
8. (see normal payment flow)
• Cashier assumes a mis-read of the card, no one has any reason to be suspicious… until a couple of months later, when cloned cards appear!
• A video demonstrating this attack will be published on our website
40. EPT: Attack 2 – Card swipe by network intrusion
• This only works with network-attached EPTs
• OPI does not require any form of authentication, it will blindly follow ANY orders from ANY IP address! No way of restriction!
• The ZVT protocol supports authentication, but many EPTs don't implement it! Besides, it's just a 6-digit PIN which is sent unencrypted => one Wireshark trace obtained using ARP spoofing will deliver it
• Attacker, using a cellphone, launches the card swipe command right before the cashier presses the „Pay Card“ button on the PoS
41. EPT: Attack 3 – hack the EPT by network intrusion
• Again, this attack requires a network-connected EPT
• ZVT is an ugly, complex, grown protocol full of quirks
• ZVT was built originally as a serial-port, RS232 communication protocol and thus had no security built in – as it was not needed. Only when it was wrapped in TCP/IP did the security problems arise
• OPI was initiated in 2003 – the author fails to understand why in 2003 anyone in his right mind would develop a network-based standard without thinking about security!
• Every implementation has bugs
• People have used offset attacks, length attacks and other stuff to obtain code execution on EPTs
42. EPT: Attack 4 – hack the EPT in hardware
• Automated fuel pumps are unmonitored…
• Open the fuel pump using common master keys or by lockpicking
• Reflash the EPT firmware to sniff CC data and PINs
• Close the fuel pump
• Wait a couple of months, then profit! (See references for an example news article)
43. EPT: Attack 5 – silently swap EPTs
• Stores are a primary target for thieves
• So, thieves break into a retail store and steal a couple of low-value items… everyone thinks a couple of junkies needed stuff to sell for drugs, just the usual shit every merchant has to deal with sooner or later
• No one bothers to check the EPTs – after all, everything looks like the usual junkies, not like a bunch of pro hackers
• Only a couple of months later, massive card fraud appears with the retail store as the common denominator
• Now the EPTs turn out to be swapped with manipulated ones or the PoS systems hotwired…
• This has happened multiple times already, see the References
44. EPT: Attack 5 – silently swap EPTs
• EPT swaps can also be done by rogue staff
• MANY people do not protect their EPTs, not even from customers
• The author knows about people using the manager PIN „000000“ in multiple restaurants to silently disable their EPTs (by deactivating their network interface)
• All you need to swap an EPT is the Terminal ID and the network config parameters – the TID is on every receipt and the network config can be printed via Manager PIN
45. EPT: Attack 5 – silently swap EPTs
• A manipulated and swapped EPT can only be detected by visually inspecting it and comparing the sticker with the hardware ID
• The only identifier visible to a PoS system is the TID
• Unless stolen card data is used, the fraud is detected and the frauds are linked to the specific terminal, usually no one will inspect it
• Countermeasure: implement an HSM and challenge-response cryptography
  – Every terminal has a priv/pub keypair, kept only on the device
  – Every transaction must be signed with the private key so that the PoS or the cashier can check the signature against the public key
  – Even this measure only protects against terminal swap, but not against firmware reflashing or memory-only exploits…
46. EPT: Attack 6 – MITM the payment flow to reduce the paid amount
• Once again, this requires network access, preferably in the form of a WiFi tap
• As said, both ZVT and OPI totally lack any form of encryption and authentication or state tracking
• Divert all traffic to and from the EPT to your cellphone
47. EPT: Attack 6 – MITM the payment flow to reduce the paid amount
Assume a fraudulent customer buying a MacBook
1. Cashier presses „Pay Card“
2. PoS transfers „Deduct 2.000 €“
3. EPT displays „Pay 2.000 €“ to cashier, cashier hands over EPT to customer so he can input the PIN
4. Customer cellphone sends „Abort“ and „Pay 2 €“ to EPT
5. Customer pays 2 €
6. Customer cellphone transmits „2.000 € successfully paid“ to PoS, together with a faked receipt to be printed on the invoice
7. Only at the end of the day is the discrepancy detected when syncing
48. EPT: Attack 6 – MITM the payment flow to reduce the paid amount
• It is not sufficient to just return a „Payment successful“ without paying at all, as the cashier might determine something is wrong by listening
• Most terminals use different beep tones for successful or declined payments
• Best use stolen cards or strawmen for this type of fraud as the faked purchase will show up in the books
• Two-headed terminals with one display for the cashier and one for the customer prevent this exploit as long as the cashier looks at the display
• The smaller the faked amount is, the less likely an investigation becomes (no one will try to find out where 10 € went missing, but a 1.000 € discrepancy will definitely raise red flags)
49. EPT: Attack 7 – MITM intercept the receipts
• A passive MITM attack (either half-active by ARP spoofing or totally passive by e.g. using hubs instead of switches, connecting to the monitor port on the switch etc.) can yield interesting data, too
• Remember that OPI and ZVT are unencrypted?
• Both OPI and ZVT allow for receipt printout by the PoS system => the receipt data passes in cleartext on the network
• Customers keep throwing away the receipts, same for merchants
  – merchants are required to keep them in case of disputes
  – customers should be required to, but are not
  – Many just throw them away and rely on the banks to not mess stuff up
• These receipts carry personal data of the cardholder
50. EPT: Attack 7 – MITM intercept the receipts
• Merchant receipts contain raw data, including the card number
• Customer receipts contain the data with sensitive parts blanked / replaced by „X“
• Merchant receipts and customer receipts can be intercepted or replaced (see attack #7 for an exploit)
• Current receipts do not include bank account data any more, older terminals still do
  – Reason: fraud using the data from thrown away receipts
  – This problem will be eliminated over time as the terminals get updated
51. EPT: Attack 8 – technician software
• „If it looks like a duck, quacks like a duck, it must be a duck“ vs „If it looks like a manufacturer technician, quacks like a manufacturer technician, it IS a manufacturer technician“
• Use the vendor-provided configuration software to read out the terminal configuration
• This hasn't been confirmed fixed by the manufacturer, so the brand and model will not be named
• Vendor management tools run either over RS232, USB or even the network
• These tools were built on the assumption „Local links may never be MITM'd, no hackers will ever use this software to hack“… WRONG.
52. EPT: Attack 8 – technician software
• The service tool allows read and write of every configuration setting… yes, every single one
• No, it does not require any authentication
• Yes, it even works over TCP/IP (tap the target network!)
• The readable settings include all three PINs (cashier, manager and service technician) as well as the WLAN password… in cleartext.
• Anyone on the same network as the EPT is able to read and write the whole configuration without even having to resort to any „real“ hacking
• Only firmware upgrades require authentication (pubkey checks on the device itself)
53. EPT: Attack 9 – technician software #2
• The configuration settings actually even include the communication targets for the clearing house
• These are writable, too
• Just set up your own payment processor (reimplement the Poseidon/Atos Worldline protocol or others supported by the EPT)
• This is quite a challenging task, but once finished one can e.g. set up a server that allows all cards and all PINs, or allows magstripe reads for CCs
• Exploitable e.g. by „shopping for free“,…
54. EPT: Attack 10 – technician software #3
• So, we again assume we have a vulnerable EPT model as well as a network tap
• The OPI standard supports returning the raw, unprotected track data
• Normally, an EPT should be configured to suppress the PAN and other sensitive CC track data
• Needless to say, this feature can be re-enabled using the vendor management tool…
1. Re-enable the track data transfer
2. Monitor the network for OPI frames
3. Clone the track data and go shop for free or…
4. Sell them on the Darknet, cloneable card data fetches far better prices than just the number+exp date
55. EPT: Attack #11 – technician software #4
• Export and load configuration
• Combined with an EPT swap attack, you can essentially do an undetectable swap as even the PINs and the network config will be cloned
• Best done by rogue staff
56. EPT: Attack 12 – Offline payments
• By disrupting communication with the payment processor, you can force the terminal into „offline mode“
• Normally, offline transactions carry a limit set by the network provider (e.g. no offline transactions > 50 €) to reduce fraud or bouncing of payments (an online transaction checks the limits and the money available as well as stolen cards)
• Offline mode is used to speed up processing times as the connection setup and teardown is done only at sync
• The limits can be overridden by requiring an offline transaction in the OPI command – use network MITM to manipulate it
• Alternative: manipulate the terminal settings to change the limits
• Easier alternative: some terminals allow changing the limits with the Manager PIN
57. EPT: Countermeasures
• CCV and others have equipped their EPTs with anti-opening and anti-reverse engineering measures
• If you open the casing, the ROMs erase themselves
• To hinder manipulation efforts, PoS terminals and EPTs should reboot themselves daily using netbooting and signature checks
• CashPOINT systems check their own source via git and netboot (the terminal clients are nothing more than a browser, anyway)
58. EPT: Countermeasures
• Stores should deploy basic security measures
  – ALWAYS keep operating systems and software up to date
  – Deploy an IDS (Intrusion Detection System) and ARP sponges (these prevent the described MITM attack)
  – Isolate EPTs into their own network and allow only specific PoS terminals to talk to specific EPTs (by firewall rules in the router)
  – Connect EPTs via a separate WiFi network only in order to prevent hotwiring attacks, keep the keys off-site to prevent terminal swap attacks during burglaries
  – Find out the ports of the manufacturer tools and lock them down in the firewall!
• Thwart manipulation of EPT command traffic: replace the hardware firewall between EPT and PoS LAN with a locked-down server
  – validates EPT payment commands against billing databases
  – prevents Abort/CardSwipe-based attacks
  – If done as an abstraction layer, this prevents attackers in the PoS LAN from sending arbitrary/malicious data to the EPTs
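As an added example (not CashPOINT's code and not an OPI implementation), the locked-down server from the last bullet in working form: it allowlists request types (so a „CardSwipe“ from attacks 1, 2 and 10 is never relayed), binds each EPT to its assigned PoS, checks the amount against the open invoice, and keeps the per-EPT transaction state that ZVT and OPI lack, so the stray „Abort“ and the faked „2.000 € successfully paid“ of attack 6 and the offline-limit override of attack 12 are rejected. The XML element and attribute names, the TID, the invoice numbers and the offline limit are constructed stand-ins, not the real OPI schema.

```python
import xml.etree.ElementTree as ET
from decimal import Decimal, InvalidOperation

# Constructed data: the "billing database" of open invoices per PoS, and which
# PoS may address which EPT (TID as printed on the receipts). Not real values.
OPEN_INVOICES = {"pos-01": {"INV-1001": Decimal("2000.00")}}
POS_TO_EPT = {"pos-01": "TID-12345678"}
# Request types the PoS may send on; CardSwipe / raw track reads are absent.
ALLOWED_TYPES = {"CardPayment", "PaymentRefund", "AbortRequest"}
OFFLINE_LIMIT = Decimal("50.00")  # constructed offline floor limit

# Constructed sample messages in a simplified OPI-like shape (assumed schema).
PAY_2000 = ('<CardServiceRequest RequestType="CardPayment" WorkstationID="pos-01"'
            ' RequestID="INV-1001"><TotalAmount>2000.00</TotalAmount>'
            '</CardServiceRequest>')
PAY_2 = PAY_2000.replace("2000.00", "2.00")      # the reduced amount of attack 6
SWIPE = ('<CardServiceRequest RequestType="CardSwipe" WorkstationID="pos-01"'
         ' RequestID="INV-1001"/>')               # the track read of attacks 1/2
ABORT = ('<CardServiceRequest RequestType="AbortRequest" WorkstationID="pos-01"'
         ' RequestID="INV-1001"/>')

_in_flight = {}  # tid -> (pos, invoice, amount): the state the protocols lack


def parse_request(xml_text):
    """Parse the simplified request; anything unexpected raises."""
    root = ET.fromstring(xml_text)
    if root.tag != "CardServiceRequest":
        raise ValueError("not a CardServiceRequest")
    total = root.find("TotalAmount")
    amount = Decimal((total.text or "").strip()) if total is not None else None
    return {"type": root.get("RequestType", ""),
            "pos": root.get("WorkstationID", ""),
            "invoice": root.get("RequestID", ""),
            "amount": amount,
            "offline": root.get("ForceOffline") == "true"}


def check_request(src_pos, dst_tid, xml_text):
    """Decide whether a PoS -> EPT command may be forwarded: (ok, reason).
    src_pos is the sender's identity from the gateway's own connection table,
    never something claimed inside the message."""
    if POS_TO_EPT.get(src_pos) != dst_tid:
        return False, "sender is not the PoS assigned to this EPT"
    try:
        req = parse_request(xml_text)
    except (ET.ParseError, ValueError, InvalidOperation) as exc:
        return False, f"malformed request dropped: {exc}"  # never relay raw bytes
    if req["type"] not in ALLOWED_TYPES:
        return False, f"request type {req['type']!r} not allowed"
    if req["pos"] != src_pos:
        return False, "WorkstationID does not match the sending host"
    if req["type"] == "AbortRequest":
        if _in_flight.get(dst_tid, (None,))[0] != src_pos:
            return False, "abort from a PoS that did not start the transaction"
        _in_flight.pop(dst_tid)
        return True, "ok"
    if dst_tid in _in_flight:
        return False, "EPT already has a transaction in flight"
    expected = OPEN_INVOICES.get(src_pos, {}).get(req["invoice"])
    if expected is None or req["amount"] != expected:
        return False, "amount does not match the open invoice"
    if req["offline"] and req["amount"] > OFFLINE_LIMIT:
        return False, "offline transaction above floor limit"
    _in_flight[dst_tid] = (src_pos, req["invoice"], req["amount"])
    return True, "ok"


def check_response(dst_tid, approved_amount):
    """Validate the EPT's answer against the in-flight request before the PoS
    sees it: a 'paid' for a different amount (attack 6) is not relayed."""
    entry = _in_flight.pop(dst_tid, None)
    if entry is None:
        return False, "response without a matching request"
    if Decimal(approved_amount) != entry[2]:
        return False, "approved amount differs from the requested amount"
    return True, "ok"


if __name__ == "__main__":
    for label, msg in (("swipe", SWIPE), ("reduced", PAY_2), ("pay", PAY_2000)):
        print(label, check_request("pos-01", "TID-12345678", msg))
    print("response", check_response("TID-12345678", "2.00"))
```

The gateway only helps if it is the sole path to the EPT network, which is what the separate-network bullets above provide.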
59. EPT: Situation overview
• Fraud volume: the SEPA area in 2012 had € 1 billion according to the ECB, unfortunately EPT/PoS fraud and ATM fraud are summarized together in this report
• In contrast to ATMs, the Electronic Payment world widely lacks regulations unless the merchant does the CC processing themselves (in this case, the strict PCI DSS ruleset applies)
• Lack of standardization, home-grown solutions dominate the market
• „Security by obscurity“ and „Security by not looking“ are the most common security guidelines
• Biggest threat for merchants: their own staff
  – Ignorant of security issues (e.g. the CardSwipe attack or plugging in attackers' smartphones to charge them)
  – Malevolent, actively involved, e.g. by installing network taps
  – Infiltration by external entities
60. EPT: Situation overview
• Merchants and hardware/software vendors don't really take care of security unless something happens
• Small merchants most often have no IT security experience and background, most also don't consult IT security experts when setting up their systems
• Even big EPT vendors do not distribute basic IT security guidelines (like network separation) to their clients, most people simply plug their EPTs into their LAN without taking any further care
• The author has seen even internet cafés with the EPTs reachable from the café computers… and the café provided open WiFi!
61. EPT: What Is Badly Missing
• The ZVT protocol should be phased out and replaced by OPI or a successor. It is too complex and subtle implementation differences make software development harder (and thus more error-prone)
• OPI should be revised to include mandatory transport encryption using well-known cryptography (e.g. TLS) as well as authentication, both of the PoS-EPT relationship and of access rights
62. EPT: What Is Badly Missing
• EPT receipts and data communication should include digital signatures to prevent MITM attacks or forgery
  – the INSIKA project, digitally signing receipts with ECC to prevent tax fraud, can serve as a technology demonstrator where verification of a receipt is possible for everyone, without access to the store systems
  – These digital signatures should also be device-unique to prevent EPT swap attacks
• The card swipe should be eliminated for every kind of usage, including customer loyalty programs. Magstripe technology has simply proven to be totally insecure and rife with fraudsters. Current usage is, next to credit cards, also the German OLV (Offline Lastschrift-Verfahren)
63. EPT: How To Revise OPI
1. The entire development process for an OPI successor MUST be done fully public, led by one working group. The OPI situation where one part of the spec is authored by Wincor and another part is authored by CCV or other vendors must not repeat.
2. The new specification (called hereafter SPT – „Secure Payment Transport“) must support TLS encryption and public-key authorization using robust cryptography from the beginning and require it for all communication.
3. The entire payment terminal software, or at the very least the stacks responsible for communications, MUST be open-sourced. Security by obscurity is not an option anymore.
64. Summary: Customers
• Ask your bank to deactivate the magstripe so that in the event the card becomes stolen or cloned, the clone is useless
• Do not write the PIN down on the cards or in your pockets…
• Do not use simple PINs if you can choose them (especially not 0000, 1234 and the likes)
• Do not throw away payment receipts, black them out with a lighter or an old clothing iron first (receipts are printed on thermal-sensitive paper)
65. Summary: Customers
• Get IT consulting and keep your computer safe! Basic anti-virus solutions are free for personal use and keep a lot of the script-kiddies away.
• Use an ad blocker, ad networks are a very effective way of malware distribution
• If you can afford it: use a secondary computer only for banking, preferably with a Linux system booted from CD-ROM.
• Do not do online banking in internet cafés, public WiFis or on any other system out of your control!
• Do not do online banking on smartphones, if possible.
• Use the encryption features of your computers and smartphones.
66. Summary: banks / ATM owners / Payment processors
• Banks already know most of the contents of this talk
• But a number of companies operate private ATMs, e.g. for employees, or host ATMs of banks
• Customers need to be educated about security, especially small-business clients. This is overlooked often enough.
• Provide all customers with basic IT consulting for free
• In the event of a card data breach, you are the ones who have to pay the upfront costs as well as bear the lack of trust of customers resulting from the breach and the inconvenience observed in the Target hack, when CCs had to be revoked right during Christmas shopping!
67. Summary: banks / ATM owners / Payment processors
• Magstripe solutions MUST be eradicated world-wide, the sooner the better for everyone. No excuses.
• Invest in security consulting and pen testing!
• If you decide to cooperate and make standards, do so in the open. Invite the community to work with you
• Make standards available free of charge so they can be inspected for security issues!
68. Summary: merchants accepting cards
• Get external IT and security consulting
• Even the $10/h CS student from next door is better than no consulting at all (simply plugging in the EPT/PoS and hoping it works)
• Do not fall for anyone claiming to „guarantee security“. The bad guys always have the advantage
• The harder you make it for thieves and hackers to invade your security, the more likely they'll just go away and find someone easier to exploit
69. Summary: merchants accepting cards
• Basic IT security and procedures do not cost much to implement, lots of them are even free
• This includes AV and firewall solutions
• Keep up with the IT world – most business areas have their own focused news magazines, regularly carrying information relevant to IT
• Update your systems as soon as patches arrive!
• When vendors discontinue a product, replace it as soon as possible. Unsupported (and therefore unpatched) systems are a prime target for hackers
70. Summary: software developers / IT Consulting
• Educate yourself about IT security
• Collaborate with others, hire others to check your security work
• Do not roll your own crypto, use well known building blocks from known-good sources
• Even if OpenSSL and GnuTLS have had their major issues: these libraries are far less likely to contain bugs than your own crypto
• Publish your source code. Given enough eyeballs, all bugs are shallow
71. Summary: software developers / IT Consulting
• Do not make any assumptions when building threat models (e.g. do not assume that no unauthorized people can enter the premises without monitoring)
• If you experience a breach, tell others about it. It may be shameful, it may cost your company some clients, but it is better for the whole community
• Assume all user input and all communications to be hostile. Do not skip security because „an RS232 link cannot be monitored, hijacked or manipulated“ or the likes.
• Do not consider a small merchant an unlikely target for hackers. Bad guys are after the cards, not after the merchant
• Do not use low-level security just because the ROI is too low. Security is paramount in a world filled with crooks
72. References
• ATM USB stick infection: http://www.extremetech.com/extreme/173701-atms-running-windows-xp-robbed-with-infected-usb-sticks-yes-most-atms-still-run-windows
• ATM network infiltration (by installing a cellphone!): http://www.postcut.com/computer-technology/using-mobile-phone-to-hack-atm-machine-with-an-sms.html
• ATM PIN pad security: http://hackedgadgets.com/2006/12/01/atm-pin-numbers-hacked/
• Fake smart cards hacking ATMs: http://krebsonsecurity.com/2014/05/thieves-planted-malware-to-hack-atms/
• Manipulated fuel pumps: http://www.ruhrnachrichten.de/staedte/castrop/Manipulierte-SB-Tankstelle-geschlossen;art934,1213712

73. References
• ATM hacker who published the common-hardware-key vulnerability at Black Hat 2010, died in July 2013: http://bigstory.ap.org/article/hacker-who-made-atms-spit-out-cash-dies-calif
• EPTs manipulated during burglary: http://www.bild.de/news/leserreporter/kreditkartenbetrug/fg-ec-karten-betrug-an-der-supermarkt-kasse-20937022.bild.html
• ECB fraud report 2012: http://www.ecb.europa.eu/pub/pdf/other/cardfraudreport201207en.pdf

Editor's Notes

  • #11: Source: http://www.tytogaz.de/Fluessiggas/Eigenschaften