BreachExchange mailing list archives

Pro-Grade Point-of-Sale Skimmer


From: Erica Absetz <eabsetz () opensecurityfoundation org>
Date: Mon, 4 Feb 2013 14:44:05 -0500

http://krebsonsecurity.com/2013/02/pro-grade-point-of-sale-skimmer/

Every so often, the sophistication of the technology being built into
credit card skimmers amazes even the experts who are accustomed to
studying such crimeware. This post focuses on one such example —
images from one of several compromised point-of-sale devices that used
Bluetooth technology to send the stolen data to the fraudsters
wirelessly.

This point-of-sale device was one of several found in an as-yet
undisclosed merchant breach.

In October 2012, forensics experts with Trustwave SpiderLabs were
called in to examine the handiwork of several Bluetooth-based
point-of-sale skimmers found at a major U.S. retailer. The skimmers
described and pictured in this blog post were retrieved from a retail
breach that has not yet been disclosed, said Jonathan Spruill, a
security consultant at Trustwave.

Spruill said the card-skimming devices that had been added to the
small point-of-sale machines were beyond anything he had encountered in
skimmer technology to date.

“The stuff we’ve been seeing lately is a leap forward in these types
of crimes,” said Spruill, a former special agent with the U.S. Secret
Service. “You hate to say you admire the work, but at some point you
say, ‘Wow, that’s pretty clever.’ From a technical and hardware
standpoint, this was really well thought-out.”

Spruill declined to name the breached merchant, and said it was
unclear how long the devices had been in place prior to their
discovery, or how they were introduced into the stores. But the
incident is the latest in a string of breaches involving
bricks-and-mortar merchants discovering compromised point-of-sale
devices at their retail stores. Late last year, bookseller Barnes &
Noble disclosed that it had found modified point-of-sale devices at 60
locations nationwide.

The picture below shows the card skimmer in more detail. The entire
green square circuit board with the grey square heat shield and the
blue element to the left are the brains of the device. The
eight-legged black component in the upper right is the memory module
that stored stolen credit and debit card and PIN data from unwitting
store customers.

Beneath the large grey heat shield in the center of the circuit board
are the chips that control the Bluetooth radio. That entire component
is soldered to the base of the board. The blue and white wires leading
from the skimming device connect the skimming module to the card
reader on the point-of-sale device, while the group of eight orange
wires that come out of the bottom connect directly to the device’s PIN
pad.

The image below shows the eight orange wires from the skimmer soldered
to the POS device. Spruill said the quality of the soldering job
indicates this was not made by some kid in his mom’s basement.

“One of the reasons suggesting that the attacker was fairly
accomplished is the quality of the solder done with those very small
connections to the PIN pad,” he said.

The reverse side of the skimmer circuit board is shown in the somewhat
blurry picture below. Clockwise from the top are the yellow and white
wires that connect the skimmer to the POS device's power and ground,
respectively. The six open holes running down the bottom right of the
board can be used to program the microcontroller (the big black chip
in the center). The blue and white wires at seven o'clock connect the
POS device's PIN pad to a Magtek chip. Spruill said that while Magtek
makes the reader technology found in virtually every card reader out
there, the entire circuit board appears to have been custom made, and
possibly mass-produced, expressly for skimming POS devices.

“There is really no other function that this skimming device could
have done,” he said. “I would imagine this was manufactured somewhere,
but it’s not clear where. Based on the componentry, there is no other
function that I could see this being used for. What other
implementation would you use to capture magnetic stripe and PIN data
and transfer it over Bluetooth?”

Spruill said that beneath the access panel on the device were some SIM
card holders, which could enable the device to be used to transmit
data wirelessly via a GSM network to anywhere in the world. For
whatever reason, whoever modified these point-of-sale devices chose to
transmit the stolen card data via Bluetooth. The thieves who planted
the skimmers could then periodically retrieve the stolen data simply
by using a Bluetooth-enabled wireless phone or other device. Bluetooth
devices can generally be accessed within 30 meters, but that range can
be extended with special antennas, meaning the thieves could have
retrieved the data either by shopping in the store, or potentially
from inside of a car or van out in the store’s parking lot.

Card skimmers that transmit data are becoming increasingly common,
particularly in skimming devices added to gas station pumps. But this
skimmer included some extra technology that indicates its designers
had taken precautions to prevent outsiders from being able to
intercept or read the stolen card and PIN data: Spruill said the
skimming device encrypted the stolen data both while stored on the
device’s memory module and when it was to be transmitted wirelessly.

“In this case, the stolen data is encrypted, both at rest and when
transmitted over Bluetooth,” Spruill said. “That is strange in my
experience, because usually you will find it is stored in plain text
or XORed” [a very simple cipher that can be trivially broken].
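The contrast Spruill draws is worth making concrete. Track-2 magnetic stripe data has a tiny, fixed alphabet (the digits, a ";" start sentinel, a "=" field separator and a "?" end sentinel) and every PAN carries a Luhn check digit, so a dump that was merely XORed with a short repeating key can be recovered without the key: the analyst only has to find the key bytes that turn every byte back into that alphabet and then confirm the result parses as valid records. The Python below is an added example written for this archive, not code from Krebs or from Trustwave; the sample records use the well-known industry test card numbers (not real cards), and the three-byte key and the record layout are constructed for the illustration. It goes slightly beyond the single-byte XOR the quote alludes to by searching key lengths up to sixteen. An AES-encrypted dump with the key locked inside the microcontroller offers no such foothold, which is exactly the difficulty described in the following paragraphs.

```python
import itertools
import math
import re

# Characters legal in track-2 data: digits plus the three sentinel/separator symbols.
TRACK2_ALPHABET = frozenset(b"0123456789;=?")

# One record: ;PAN=YYMM + 3-digit service code + discretionary data ?
RECORD = re.compile(rb";(\d{13,19})=(\d{2})(\d{2})(\d{3})(\d*)\?")


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data against a key that repeats every len(key) bytes (the skimmer's 'cipher')."""
    return bytes(b ^ k for b, k in zip(data, itertools.cycle(key)))


def luhn_ok(digits: str) -> bool:
    """Standard Luhn check digit test, as used by every major card brand's PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def parse_track2_dump(data: bytes):
    """Return the parsed records if the whole buffer is a clean run of valid track-2 records, else None."""
    records, pos = [], 0
    while pos < len(data):
        m = RECORD.match(data, pos)
        if m is None:
            return None
        pan, yy, mm, svc, disc = (g.decode() for g in m.groups())
        if not (1 <= int(mm) <= 12 and luhn_ok(pan)):
            return None
        records.append({"pan": pan, "expiry": yy + mm, "service_code": svc, "discretionary": disc})
        pos = m.end()
    return records or None


def recover_repeating_xor_key(ciphertext: bytes, max_key_len: int = 16, max_combos: int = 1 << 16):
    """Recover the shortest repeating XOR key under which the dump parses as valid track-2 records.

    For each candidate key length, every key position sees a 'column' of ciphertext bytes
    (positions i, i+k, i+2k, ...). A key byte is only plausible for that column if it maps
    every byte in it into the track-2 alphabet; the few surviving combinations are then
    checked structurally (sentinels, fields, Luhn) to reject the ambiguous ones.
    """
    if not ciphertext:
        return None
    for key_len in range(1, max_key_len + 1):
        per_column = []
        for offset in range(key_len):
            column = ciphertext[offset::key_len]
            per_column.append([k for k in range(256) if all((c ^ k) in TRACK2_ALPHABET for c in column)])
        if not all(per_column) or math.prod(len(c) for c in per_column) > max_combos:
            continue
        for combo in itertools.product(*per_column):
            key = bytes(combo)
            records = parse_track2_dump(xor_bytes(ciphertext, key))
            if records:
                return key, records
    return None


# Constructed sample: industry-standard test PANs (not real cards), varying record lengths.
SAMPLE_RECORDS = [
    b";4111111111111111=25121010000012345?",
    b";5555555555554444=26061010000098765432?",
    b";378282246310005=27031010000054321?",
    b";6011111111111117=25091010000000001?",
    b";4012888888881881=28111010000067890123?",
    b";5105105105105100=26021010000011?",
]
SKIMMER_KEY = bytes.fromhex("5aa713")   # assumed repeating key for the illustration


def build_sample_dump() -> bytes:
    """Simulate a skimmer memory dump: the concatenated records XORed with the repeating key."""
    return xor_bytes(b"".join(SAMPLE_RECORDS), SKIMMER_KEY)


if __name__ == "__main__":
    dump = build_sample_dump()
    found = recover_repeating_xor_key(dump)
    if found is None:
        print("no repeating XOR key fits a track-2 layout (data may be properly encrypted)")
    else:
        key, records = found
        print("recovered key:", key.hex())
        for r in records:
            print(f"  PAN {r['pan']}  exp {r['expiry']}  svc {r['service_code']}")
```

Run against the constructed dump, the search rejects key lengths one and two outright (no single byte keeps the whole buffer inside the alphabet) and returns the three-byte key together with the parsed records. Run against a buffer that was actually AES-encrypted, the alphabet filter yields no candidates at any length and the function returns None, which is the honest answer an analyst gets in the situation Spruill describes.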

Trustwave SpiderLabs is still working on decrypting the data on the
devices, which Spruill said uses a custom AES block cipher; AES, short
for Advanced Encryption Standard, is an encryption scheme that has
been adopted by the U.S. government and is now widely used worldwide.
Complicating matters more, the skimmer maker set the microcontroller's
"lock bit," a hardware security setting that disables reading or
dumping the code and data stored on the chip and, on many parts, also
blocks any further writes to it.

Whether Trustwave can break the cipher and determine which card brands
may have been impacted by the skimming attacks could affect the fines
paid by the breached merchant, he said.

“We’ve got a lot smart people working on it, but at present it’s not
easy to get around,” Spruill said. “There were no keys or algorithms
that we could pull from the controller.”
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
Risk Based Security equips organizations with security intelligence, risk
management services and on-demand security solutions to establish
customized risk-based programs to address information security and
compliance challenges. 
