Educause Security Discussion mailing list archives
Re: POint of Sale Device
From: "Duksta, John C." <John_Duksta () BROWN EDU>
Date: Thu, 17 May 2007 14:00:13 -0400
It sounds to me that you're talking about standalone credit card transaction processing terminals, of the sort made by Verifone. http://verifone.com/products/devices/countertop/index.html I've never done any kind of audit of these kind of devices, but since they're an embedded device, you'd probably be hard pressed to find any tools specifically made to examine them. You'd probably have to directly read the flash memory in the device to see what's on there. Off the top of head, I would guess that they don't store the CC numbers anymore. Remembering back to my high school and college days of various retail positions, I think they used to for the end of the day reconciliation and closeout. However, I would imagine that these days, the data that is stored until that daily closeout would be: - Date/Time - Last 4 digits of card - Card expiration mm/yyyy - Dollar amount of transaction - Transaction Number - Approval Number I'd start with looking at the vendor specs. See what industry (PCI, EMV) standards it conforms to. Also look to see if it meets any FIPS-140 standards for tamper resistance. HTH, -john On 5/11/07 6:52 PM, "Gibson, Nathan J. (HSC)" <Nathan-Gibson () OUHSC EDU> wrote:
Actually we want to evaluate the point of sale devices in the university. I was using the gas station as a visual example. I usually get an "application" evaluation response from people and that's not what we want to evaluate. The devices we are wanting to look at are not connected to any machine/device/system. The plug into a phone jack and call the bank when it's time to process. -----Original Message----- From: Valdis Kletnieks [mailto:Valdis.Kletnieks () VT EDU] Sent: Friday, May 11, 2007 6:00 AM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: Re: [SECURITY] POint of Sale Device On Thu, 10 May 2007 13:15:16 CDT, "Gibson, Nathan J. (HSC)" said:Does anyone know of a tool/product that can be used to check a credit card point of sale device to make sure it does not store credit card information? To give you a picture of what I am talking about. Let say you walked into a gas station and purchased a soda with your CC. The attendant swipes your card in a little black box that sits on the edge of the counter. It does not tie into an application, just a device with a modem that sends the information to a bank for processing. I want to be able to check the device to make sure it is not storing information locally?I'm betting somebody read about the Cambridge crew that hacked a point-of-sale terminal to play Tetris: http://www.computerworld.com/action/article.do?command=viewArticleBasic& articleId=9007498 I'll bite - how do you explain to the minimum-wage worker of uncertain nationality and grasp of English that: a) They should let you fool around with their device. b) Why you want to make sure their device isn't hacking your card. c) Explain to them that you aren't hacking their device to do exactly the same thing that you're worried they might be doing to you. At some point, you have to just decide to either pay cash, or quit walking around in public with all that aluminum foil wrapped around your head.. You want to *worry*, I'd worry more about what thet min-wage server at your Applebee's is doing with your credit card while you think they are ringing up your lunch tab. The same goes for anytime you buy something online using computing resources not under your control. Remember that Vint Cerf estimated some 140M pwned boxes out there - your odds are *not* good. The only reason we don't see *more* spyware hijacking credit card numbers is because the crews doing it are quite talented, and know exactly how much they can siphon off without the banks and credit card clearinghouses getting upset and taking action.
-- John Duksta <John_Duksta () brown edu> Lead IT Security Engineer Computing and Information Services Brown University Office: +1.401.863.7335
Attachment:
smime.p7s
Description:
Current thread:
- POint of Sale Device Gibson, Nathan J. (HSC) (May 10)
- <Possible follow-ups>
- Re: POint of Sale Device Bill Ogle (May 10)
- Re: POint of Sale Device Valdis Kletnieks (May 11)
- Re: POint of Sale Device Jim Dillon (May 11)
- Re: POint of Sale Device Gibson, Nathan J. (HSC) (May 11)
- Re: POint of Sale Device Duksta, John C. (May 17)
- Re: POint of Sale Device Hull, Dave (May 18)
- Re: POint of Sale Device Clyde Valdez (May 18)