Re: POint of Sale Device

["Hull, Dave" <dphull () KU EDU>]

I imagine you'll have to break out your oscilliscope and multimeter. I
suspect that these POS machines are subject to side-channel attacks in
the lab, but I'd guess it would difficult to pull something off in the
real world.

A quick glance through various documentation on these devices indicates
that they have 64K - 128K EPROMs, that is more than enough to store
thousands of credit card numbers. The EPROMs have battery backup so if
the CC data is stored locally, it could persist through a power outage.

I'm guessing that the Payment Card Industry has issued standards for
these devices and that document may layout what data can be stored for
later retrieval. I don't know if these devices have to comply with PCI
DSS.

Here's some possibly useful information:
http://www.merchantexpress.com/terminals.htm
http://www.cdeinc.com/remanufacturerepairs.html
http://www.dunfield.com/dave/readme.txt

There's an interesting blurb in this pdf:
http://www.greensheet.com/pdf/060401.pdf

"In this most recent compromise, most agree that fraudsters
copied card data, cardholder verification value
(CVV) and card value code (CVC), from magnetic stripes
at POS terminals."

I wonder how that worked exactly. I see that a person can purchase these
POS devices on eBay. A well funded attacker could probably manufacture
bogus devices that would pass collected data to the credit card
processor and an attacker.

-- 
Dave Hull, CISSP, CHFI
IT Director
KU School of Architecture & Urban Planning
785-864-2629 

"The free world says that software is the embodiment of knowledge about
technology, which needs to be free in the same way that mathematics is
free." -- Eben Moglen, Software Freedom Law Center


On 5/11/07 6:52 PM, "Gibson, Nathan J. (HSC)" <Nathan-Gibson () OUHSC EDU>
wrote:

> Actually we want to evaluate the point of sale devices in the 
> university. I was using the gas station as a visual example. I usually

> get an "application" evaluation response from people and that's not 
> what we want to evaluate.
>
> The devices we are wanting to look at are not connected to any 
> machine/device/system. The plug into a phone jack and call the bank 
> when it's time to process.
>
>
>
>
> -----Original Message-----
> From: Valdis Kletnieks [mailto:Valdis.Kletnieks () VT EDU]
> Sent: Friday, May 11, 2007 6:00 AM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] POint of Sale Device
>
> On Thu, 10 May 2007 13:15:16 CDT, "Gibson, Nathan J. (HSC)" said:
>
> > Does anyone know of a tool/product that can be used to check a credit

> > card point of sale device to make sure it does not store credit card 
> > information?  To give you a picture of what I am talking about. Let 
> > say you walked into a gas station and purchased a soda with your CC.
> > The attendant swipes your card in a little black box that sits on the

> > edge of the counter. It does not tie into an application, just a 
> > device with a modem that sends the information to a bank for 
> > processing. I want to be able to check the device to make sure it is 
> > not storing information locally?
>
> I'm betting somebody read about the Cambridge crew that hacked a 
> point-of-sale terminal to play Tetris:
>
> http://www.computerworld.com/action/article.do?command=viewArticleBasi
> c&
> articleId=9007498
>
> I'll bite - how do you explain to the minimum-wage worker of uncertain

> nationality and grasp of English that:
>
> a) They should let you fool around with their device.
> b) Why you want to make sure their device isn't hacking your card.
> c) Explain to them that you aren't hacking their device to do exactly 
> the same thing that you're worried they might be doing to you.
>
> At some point, you have to just decide to either pay cash, or quit 
> walking around in public with all that aluminum foil wrapped around 
> your head..
>
> You want to *worry*, I'd worry more about what thet min-wage server at

> your Applebee's is doing with your credit card while you think they 
> are ringing up your lunch tab.  The same goes for anytime you buy 
> something online using computing resources not under your control.  
> Remember that Vint Cerf estimated some 140M pwned boxes out there - 
> your odds are
> *not* good.  The only reason we don't see *more* spyware hijacking 
> credit card numbers is because the crews doing it are quite talented, 
> and know exactly how much they can siphon off without the banks and 
> credit card clearinghouses getting upset and taking action.