Hacking Point of Sale
Hacking Point of Sale: Payment Application Secrets, Threats, and Solutions is essential reading for security providers, software architects, consultants, and other professionals charged with addressing this serious problem.
Processing Payment Transactions
Because people have no thoughts to deal in, they deal cards, and try and win one another's money. Idiots!
- Arthur Schopenhauer
In order to understand the vulnerability points of point-of-sale and payment applications, it is necessary to know the basics - how, when, and why sensitive cardholder data moves between different peers during the payment transaction cycle:
Why (the reason): Is it really necessary to hold, store, and transmit this data throughout the entire process?
How (the location and the routes): What are the areas with a concentration of sensitive records?
When (the timing): How long is this information available in those areas?
Payment Cards
The use of payment cards is obviously one of the main subjects of this book. There are several main types of payment cards commonly used for payments:
The credit card was the first payment card and it is still very common. By paying with a credit card, customers use their available credit and pay the bill afterwards. Credit cards are not usually protected by a Personal Identification Number (PIN), which allows them to be used for online purchases.
The debit (ATM, Cash) card is a relatively new method of payment. It differs from a credit card in that the debit cardholder pays with the money available in their bank account, which is debited immediately in real time. A debit card seems more dangerous than a credit card because it is directly linked to the bank checking account and usually allows ATM cash withdrawals. On the other hand, it is better protected by the required two-factor authentication (the PIN plus the card itself). The really dangerous aspect of many branded debit cards is that they can be processed as credit cards, without entering the PIN.
The gift card is similar to a debit card but usually does not have the protection provided by a PIN. The gift card is not linked to a bank account and normally "contains" a fixed amount of funds. The card itself does not hold any financial information - the point-of-sale (POS) terminal communicates with the gift card provider during payment transactions in order to get authorization. Gift cards are less dangerous than credit and debit cards because only fixed, often very limited, amounts of money can be stolen.
The fleet (or proprietary) card is similar to a credit card but can be used only at particular locations (usually gas stations and convenience stores) and for purchasing only limited types of merchandise (such as fuel and other automobile items). Fleet cards, even though often issued by major card brands, are less interesting to "bad guys" because they cannot be used for ATM withdrawals, online shopping, or purchases in department or grocery stores.
Table 1.1 shows a list of major payment card types and their main features.
Table 1.1 Payment Card Types
Card Entry Methods
There are two main methods used to enter the card data into the POS in order to start a payment transaction: swipe and manual entry.
The first method uses a Magnetic Stripe Reader, or MSR, which is a device that reads the magnetic stripe on payment cards. Modern MSR devices have encryption capabilities and can be used in point-to-point encryption (P2PE) solutions (see Chapter 8 for more details). The easiest way to enter the card data into the POS is to just swipe the card in the MSR so it can read the magnetic stripe and automatically enter all the necessary information. However, if the magnetic stripe is damaged, the customer or cashier can manually enter the account number and expiration date embossed on the front of the card.
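The following Python sketch is an added example, not code from the book or from any real POS product. It accepts both entry methods described above (a swiped Track 1 or Track 2 string, or a manually keyed account number and expiration date), validates the account number with the Luhn check, and then reduces the record to the only fields a POS may keep after authorization: a masked PAN and the expiry. The track layouts follow ISO/IEC 7813; the swipe strings, the function names and the data class are all my own constructions.

```python
"""Swipe / manual-entry parsing for a POS, reduced to what may be retained.

Added example (not from the book). Track 1 / Track 2 layouts per ISO/IEC 7813;
sample inputs in the test are constructed. The PAN, expiry and especially the
discretionary data (CVV1 / PVV) read from the stripe are the sensitive records
the chapter is concerned with: none of the full track may be stored after
authorization, and the PAN may only be shown masked.
"""
import re
from dataclasses import dataclass

# Track 1: %B<PAN>^<NAME>^<YY><MM><service code><discretionary>?
TRACK1_RE = re.compile(r"^%B(\d{1,19})\^([^^]{2,26})\^(\d{2})(\d{2})(\d{3})([^?]*)\?$")
# Track 2: ;<PAN>=<YY><MM><service code><discretionary>?
TRACK2_RE = re.compile(r"^;(\d{1,19})=(\d{2})(\d{2})(\d{3})([^?]*)\?$")


@dataclass
class CardData:
    pan: str
    exp_year: str            # YY
    exp_month: str           # MM
    name: str = ""           # only present on Track 1
    service_code: str = ""
    discretionary: str = ""  # CVV1/PVV etc.: must never be written to disk or logs


def luhn_ok(pan: str) -> bool:
    """Standard Luhn (mod 10) check used by all major card brands."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def parse_swipe(raw: str) -> CardData:
    """Parse one track as delivered by an (unencrypted) MSR."""
    raw = raw.strip()
    m = TRACK1_RE.match(raw)
    if m:
        pan, name, yy, mm, svc, disc = m.groups()
        card = CardData(pan, yy, mm, name.strip(), svc, disc)
    else:
        m = TRACK2_RE.match(raw)
        if not m:
            raise ValueError("unrecognised track data")
        pan, yy, mm, svc, disc = m.groups()
        card = CardData(pan, yy, mm, "", svc, disc)
    if not luhn_ok(card.pan):
        raise ValueError("PAN fails Luhn check (damaged stripe or bad read)")
    return card


def parse_manual(pan: str, expiry_mmyy: str) -> CardData:
    """Manual entry path: account number and expiry keyed from the card face."""
    pan = re.sub(r"[\s-]", "", pan)
    if not (13 <= len(pan) <= 19 and pan.isdigit() and luhn_ok(pan)):
        raise ValueError("invalid PAN")
    m = re.fullmatch(r"(0[1-9]|1[0-2])/?(\d{2})", expiry_mmyy)
    if not m:
        raise ValueError("invalid expiry, expected MM/YY")
    return CardData(pan, m.group(2), m.group(1))


def mask_pan(pan: str) -> str:
    """PCI DSS style display masking: at most the first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def retain_for_receipt(card: CardData) -> dict:
    """The only data the POS keeps once authorization is done: no full PAN,
    no cardholder name, no service code and no discretionary (track) data."""
    return {"pan_masked": mask_pan(card.pan), "expiry": f"{card.exp_month}/{card.exp_year}"}
```

The point of `retain_for_receipt` is that the full `CardData` object is the area of concentration the chapter asks about: it exists only for the moment the authorization request is built and should be discarded (or, with a P2PE-capable MSR, never exist in clear text on the POS at all).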
Some MSR devi