1 / 26

Typical Attack Techniques for Compromising Point of Sale PIN Entry Devices

Typical Attack Techniques for Compromising Point of Sale PIN Entry Devices. Physical Security Testing Workshop Steven Bowles, Project Manager Payment Assurance Electronic Warfare Associates - Canada 27 September 2005. Who Are We?. Payment Assurance Lab Interac Device Certification Agent

eemily
Download Presentation

Typical Attack Techniques for Compromising Point of Sale PIN Entry Devices

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Typical Attack Techniques for Compromising Point of Sale PIN Entry Devices Physical Security Testing Workshop Steven Bowles, Project Manager Payment Assurance Electronic Warfare Associates - Canada 27 September 2005

  2. Who Are We? • Payment Assurance Lab • Interac Device Certification Agent • PCI Test Lab (in process of accreditation) • ITSET Lab • Common Criteria • FIPS 140 • FIPS 201 • Other Computer Security Consulting Services

  3. Overview • Introduction • Threat Agent Goals • Typical Vulnerabilities in PoS PEDs • Identifying & Exploiting Weaknesses • Tools & Techniques • Design Considerations to Mitigate the Risk

  4. Introduction • Visa’s annual fraud costs have reached $2.77B USD worldwide • Only 0.06% of Visa’s annual revenue • Potential cost of lost confidence is much higher • Two classes of payment cards • Magnetic Stripe (Magstripe) • Integrated Circuit Cards (Smartcards) • Vast majority of payment card fraud is focused on Magstripe cards

  5. Threat Agent Goals

  6. Threat Agent Goals (cont.) • Gather sets of magstripe data and the associated PINs, used to complete fraudulent financial transactions • Skim the card • Record the PIN • Electronically • Shoulder surfing (video or human) • Determine Secret Key values

  7. Typical Vulnerabilities • Ineffective tamper-evident seals

  8. Typical Vulnerabilities (cont.) • Easily accessible security relevant components (i.e. RAM chips, switches, inter-PCB connectors)

  9. Typical Vulnerabilities (cont.) • Openings that can be used to conceal penetration attempts or malicious circuitry

  10. Typical Vulnerabilities (cont.) • Surface mounted display covers attached with weak glues or epoxies

  11. Typical Vulnerabilities (cont.) • Easily accessible traces from the PIN Pad

  12. Typical Vulnerabilities (cont.) • Security relevant circuitry covered by weak epoxies

  13. Identifying & Exploiting Weaknesses • Conduct an attack by: • Defeat passive tamper response mechanisms • Disable or bypass any relevant active tamper response mechanisms • Intercept key entry information from PIN Pad • Determine cryptographic keys (if necessary)

  14. Identifying & Exploiting Weaknesses (cont.) • PED Attack Methodology • Enumeration of a PEDs sensitive components and physical safeguards to aid in planning an attack; • Gaining Access allows for the proving, refinement, and packaging of a theoretical attack; • Exploiting a PED with the developed attack vector to record sensitive data; and • Covering Tracks by effectively hiding the malicious modifications.

  15. Identifying & Exploiting Weaknesses (cont.) • Enumeration • Identify components and PCB traces that could provide access to sensitive information; • Determine where the active tamper detection sensors are, what they protect, and how they trigger; • Determine if tamper detection mechanisms can be disabled or bypassed from openings in the device; • Find any areas that can be cut into and covered up; • make sure that the cuts won’t trigger a tamper response. • evaluate whether or not it is possible to disable any or all tamper response mechanisms from these cuts; and • Determine if any cuts or openings allow access to security relevant traces or components (i.e. PIN Pad traces).

  16. Identifying & Exploiting Weaknesses (cont.) • Gaining Access • a procedure must be developed and refined such that the exploit can be executed economically and efficiently • (according to PCI; $25k USD and 10 hrs.). • also include the development of any specialized tools or circuitry required to gain access to the sensitive data once exposed.

  17. Identifying & Exploiting Weaknesses (cont.) • Exploiting • It must be possible to insert the required malicious hardware and/or software needed to monitor or record the targeted sensitive data • Depending on the complexity of the attack, a Threat Agent may require a significant amount of practice to refine the technique • Retries of this nature can be frustrated if the PED enters into a severe non-operational state once the tamper response mechanisms have been triggered. • won’t remain powered-up without the entry of authenticated keys or a password)

  18. Identifying & Exploiting Weaknesses (cont.) • Covering Tracks • Acquisition of cardholder data requires the participation of a non-colluding user • It must be possible to reassemble a compromised PED with original or replacement parts such that the exploit is not noticeable to the casual observer. • if an exploit is making use of an opening under a removable cover, where the opening needs to be widened, care should be taken to ensure that a edge is left that can be used for reattaching the display cover once the exploit has been implemented.

  19. Tools & Techniques • Hand-held Rotary Tool • access internal areas by cutting the case • removing internal case material in order to access security relevant components • for the removal of large/hard epoxies • Adhesives • hold switches shut • hold other pieces in place • Magnet Wire • Can be sharpened and inserted into small conductive vias on a PCB

  20. Tools & Techniques (cont.) • Dental Pick • scraping epoxies from components or conductive vias • applying adhesives to keep tamper response switches closed • with a small amount of epoxy, can be used to place malicious wires and components into tight spaces. • Conductive Epoxy • short out component contacts • act as a ‘cold weld’ for heat sensitive applications and tight areas. • easy method of attaching wires to traces that have been revealed by scrapping off the PCB’s conformal coating.

  21. Design Considerations to Mitigate the Risk

  22. Design Considerations to Mitigate the Risk (cont.) • Run keypad/active tamper response mechanism traces on the middle layer(s) of a PCB; • Place keypad/active tamper response mechanism vias in inaccessible areas; • Keep active tamper response mechanisms independent of each other as long as possible; • Try to place active tamper response traces and chip pins away from traces and chip pins that carry a signal similar to the ‘NO TAMPER DETECTED’ signals;

  23. Design Considerations to Mitigate the Risk (cont.) • Ensure that items on, or in the device, that are not meant to be removed, cannot be removed without triggering a tamper response mechanism; • Do not rely only on passive mechanisms such as epoxy or tamper evident seals/labels; • Avoid placing removable covers on the device; • Design the device so that every aspect of the device increases the security of the device; • Do not allow physical access to the internals of the device for any reason.

  24. Design Considerations to Mitigate the Risk (cont.) • Do not allow the device to be reset and/or reused after a physical attack has been attempted. • Design active tamper response mechanisms that use conductive pucks to require a constant pressure applied to them to be effective; and • Use tamper detection switches that are small and require a fair amount of pressure to keep the switch closed.

  25. In Closing Physical Security alone will never guarantee the security of our Systems.

  26. Questions Mahalo! Steven Bowles Project Manager Payment Assurance EWA-Canada (613)230-6067 x1221 sbowles@ewa-canada.com http://www.ewa-canada.com

More Related