Playing Games With Merchants’ POS Terminals

by Raymond Pucci 0

Can the age-old video game Doom double as a payment card fraud fighter? Yes—when it demonstrates how vulnerable some retail POS terminals are to hackers. As the following article describes, one security expert used Doom to show how easy it can be to hijack a store checkout terminal.

A security researcher recently figured out how to install and play the classic first-person shooter video game Doom on point-of-sale credit card readers, the ubiquitous devices at store registers around the world that complete purchases when you swipe, tap, or insert your credit card.

While Nolan Ray’s hack isn’t going to blow up the POS world, it helps demonstrate the potential insecurities of our retail transactions.

At the annual hacker conference DefCon in July, Ray demonstrated his hack on the Verifone MX 925, a credit card reader still in use and receiving manufacturer updates. You can buy it on Amazon.com for less than $600. He began by unlocking the device with its default personal identification number, or PIN, which Ray says retailers—like consumers, with other Internet-connected devices—rarely change, due to laziness or a lack of guidance. More than 90 percent of POS readers rely on their default PIN for security, according to a 2015 study.

Once the terminal has been unlocked, any malicious hacker could access and steal data stored on the reader—or install a 25-year-old video game like Doom—wirelessly through a Wi-Fi or Bluetooth connection, or directly through its smart-card reader, or its USB or COM ports.

While you might not expect a store clerk to allow a malicious hacker to fiddle with a POS reader long enough to unlock or steal data from it, unmanned registers, especially at big chain stores, make for tantalizing targets. And as retailers increasingly rely on payment devices to process customer purchases and protect customer data, they need to become more vigilant than ever about the security at the register, Ray told The Parallax after his presentation.

Retailers can take various steps to protect their POS readers and, by extension, their customers. The first step, Ray says, is to change the default PIN.

Despite the widespread warnings about payment card fraud, especially through some infamous security breaches, there still remain ways that determined fraudsters can steal card data and personal information at checkout counters. While e-commerce, card-not-present transactions seem to get most of the attention of security pros, basic credit/debit card POS terminals can be a target for hackers. Large and small merchants with unattended terminals remain vulnerable to tampering. Those that treat payment transaction security as a low priority will soon find out that this is not a game.

Overview by Raymond Pucci, Associate Director, Research Services at Mercator Advisory Group

Read the full story here