In the last Black Hat USA 2012, a recognized computer security event held in Las Vegas, researchers Nils and Rafael Domnguez Vega from the company MWR InfoSecurity, disclosed a vulnerability in payment terminals or processors that would allow arbitrary code to be executed. in his memories for capture information from credit cards.
During the conference they demonstrated that they could gain control of the devices for the simple fact of inserting a specially manipulated chip card. For everyone to see, they loaded a racing game into the terminal as you can see in the following video:
Humor is never lacking in this kind of events and the game already has its own card, as can be seen in this photograph that they published on their Twitter account.
The chip system for storing information on cards is known as EMV and in many countries, mainly in Europe, it is used because it is more secure than that of magnetic strips.
While this may sound like fun, it is not if an attacker exploits the vulnerability to run a program that saves card information and the corresponding PIN, the copied data could then be lifted from memory by inserting another bogus card.
The information of the magnetic strips could also be cloned from the reader and could even be cheat sellers to believe that a transaction has been successful, when in reality what appears on the device screen and the ticket that is printed are false.
The tests were carried out on two different terminals, but there was also a third one in which vulnerabilities were demonstrated that would allow man-in-the-middle attacks to be controlled.
To avoid problems, the researchers did not reveal brands or models, however, it is already known what they are as discussed in this Wired note. The manufacturer, for its part, ensures that a solution is already being worked on 🙂
Other types of attacks (skimming):
Although the situation may seem worrying, there are other less sophisticated attacks to which we could be exposed anywhere, such as the direct copy of the card's number, name, date and security code, data that is sufficient to make purchases online.
Slightly more complex are the use of skimmers at ATMs and so-called pocket skimmers. We may also be victims of social engineering, phishing, or theft of information through the use of an infected computer.