Sunday, November 25, 2012

Point of Sale (POS) and Card Reader Tampering

In the field of consumer retail the most important piece of equipment is the cash register, better known by those in the trade as the Point of Sale (POS) terminal. In essence, if the retailer can’t complete a sale by successfully taking the money from the customer, there is no business. That makes the POS a critical component of the business, and it needs to be treated as such.

Over the last two decades POS technology has evolved considerably. Today’s systems are predominantly networked computers capable of not only processing a sale, but also querying inventory, managing customer loyalty programs and even delivering news and mandatory training materials directly to the store employee.

At their heart, these modern POS terminals are often a standard desktop PC adorned with a number of card readers, money drawers and barcode scanners and, as such, are all too often vulnerable to the same threats that affect any other PC around the world. Some all-in-one POS systems incorporate a number of physical safeguards to protect against the everyday insertion or removal of attached peripherals, and to also prevent theft of the equipment – which you rarely see on corporate desktop systems.

In many stores you’ll also encounter a separate card reader (often with a touch-screen and numeric keypad) that’s designed to let the customer swipe and complete a credit or debit card transaction by themselves. These card readers are typically owned and managed by the merchant bank that processes the financial transfers for the retailer and, while there are many different types, a handful are more popular than others.

These merchant-supplied card readers typically include any number of logical and physical anti-tampering technologies – most of which are designed to raise the retailer’s trust in the reader, and to help protect against semi-sophisticated criminals. There are entire books and engineering courses on anti-tampering technology, but an interesting paper I came across a few years ago is a good primer on the sophistication of the anti-tampering technologies found in POS card readers, and on the techniques available to organized criminals for defeating them.

Check out “Thinking inside the box: system-level failures of tamper proofing” by the University of Cambridge from 2008. It has a few pretty pictures too.

It should be no surprise that the criminals have access to many of the tools and techniques to alter even the most sophisticated anti-tampering technology. It’s interesting to note that there are online tutorials and walkthroughs on many hacking sites and (more importantly) carding forums. Here is just one example:
A carder forum at carderbase.cc

If you’re a retailer, what should you be doing to protect yourself from POS (and card reader) tampering? I’m sure there are a number of audit points within the PCI standards that cover this topic but, frankly, it’s so difficult to locate those points and distil them into something immediately actionable that I’d recommend the following as a bare minimum:
  • Maintaining a list of the POS terminals and card readers within the store – including the type, make, model and serial number of each – and checking the terminals against this list on a daily basis.
  • Checking that serial numbers on the terminals match the serial numbers displayed on the terminal screen.
  • Checking for signs of terminal and component tampering; and making sure that staff are trained in identifying evidence of physical tampering.
  • Checking that stickers and other visual identifiers are unchanged.
  • Prohibiting unauthorised people from accessing terminals and any CCTV equipment.
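One way to turn that checklist into a repeatable daily check, as an added example that is not part of the original post: a small Python reconciliation of the store’s own inventory list against what staff recorded on the walk-round (label serial, on-screen serial, sticker state). Every lane, make/model and serial number below is constructed sample data.

```python
# Daily POS / card-reader inventory check (constructed example, not from the post).
# Findings: unknown device, missing device, label/inventory or label/screen serial
# mismatch, and a broken or replaced tamper-evident sticker.
from typing import NamedTuple, Optional

class Asset(NamedTuple):           # one row of the retailer's inventory list
    lane: str
    kind: str                      # "POS" or "card reader"
    make_model: str
    serial: str

class Observation(NamedTuple):     # what staff record on the daily walk-round
    lane: str
    kind: str
    label_serial: str              # serial printed on the device label
    screen_serial: Optional[str]   # serial shown on screen, None if not displayed
    sticker_intact: bool           # tamper-evident sticker unchanged?

INVENTORY = [                      # constructed inventory for a two-lane store
    Asset("1", "POS", "ExampleCorp T100", "POS-0001"),
    Asset("1", "card reader", "ExampleCorp R5", "CR-0001"),
    Asset("2", "POS", "ExampleCorp T100", "POS-0002"),
    Asset("2", "card reader", "ExampleCorp R5", "CR-0002"),
]
TODAY = [                          # constructed walk-round with four deviations
    Observation("1", "POS", "POS-0001", "POS-0001", True),
    Observation("1", "card reader", "CR-0001", "CR-0009", True),  # screen disagrees with label
    Observation("2", "POS", "POS-0002", None, False),             # sticker broken or replaced
    Observation("3", "card reader", "CR-0077", "CR-0077", True),  # device not on the inventory
]                                  # lane 2 card reader CR-0002 was not seen at all

def reconcile(inventory, observed):
    """Return sorted findings; an empty list means the daily check passed."""
    expected = {(a.lane, a.kind): a for a in inventory}
    seen, findings = set(), []
    for o in observed:
        key = (o.lane, o.kind)
        seen.add(key)
        asset = expected.get(key)
        if asset is None:
            findings.append(f"lane {o.lane}: unexpected {o.kind} {o.label_serial}, not in inventory")
            continue
        if o.label_serial != asset.serial:
            findings.append(f"lane {o.lane}: {o.kind} label {o.label_serial} != inventory {asset.serial}")
        if o.screen_serial is not None and o.screen_serial != o.label_serial:
            findings.append(f"lane {o.lane}: {o.kind} screen {o.screen_serial} != label {o.label_serial}")
        if not o.sticker_intact:
            findings.append(f"lane {o.lane}: {o.kind} tamper sticker missing or altered")
    for key, a in expected.items():
        if key not in seen:
            findings.append(f"lane {a.lane}: {a.kind} {a.serial} missing, not observed")
    return sorted(findings)
```

Any non-empty result should go straight to whoever owns the terminal estate rather than being cleared by the cashier who found it.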
At the end of the day, modifying a card reader and defeating the anti-tampering technologies within it is not a trivial task for the uninitiated… unlike installing a piece of malware, a keylogger or a battery-powered card skimmer on the POS computer. However, as we’ve already seen with the growing sophistication and near-commoditization of ATM card skimmers (see Brian Krebs’s excellent series of blog posts on the topic, “All about skimmers”), this has become a business, and sophisticated fraud can be achieved with a relatively low investment by the criminal.

1 comment:

  1. It is pretty interesting that POS and card readers have good benefits for the business. Well, thanks for sharing this; you gave an idea to us.