At a recent security competition, two contestants needed only 21 minutes to break into an ordinary general-purpose POS terminal, steal the cardholder's bank card number and PIN, clone a counterfeit card, and make a purchase with it.
1. Attack equipment
The attacker's equipment was very simple: two laptops; two POS terminals, one to attack and one to verify the result; and two cards, a normally usable magnetic stripe card (referred to as the "black card", the target of the theft) and a scrap card onto which the copy is written.
2. Attack process
The on-site procedure was also simple. The cardholder first writes down the black card's account number and PIN where nobody else can see them; this record is used at the end to check the attacker's result. The attacker then poses as a customer and, while supposedly entering a PIN, tampers with the POS terminal by hand and pretends to complete a purchase. When the next customer swipes the black card on the tampered POS, the attacker steals the card's data.
3. Attack method and result
On analysis, the attacker probably exploited a vulnerability in the POS terminal to replace key application software on the device, which let them capture the bank card account number and PIN, clone a counterfeit card, and complete a purchase with it.
The case above is a vivid demonstration. Below, the case is analysed for its possible causes, followed by recommendations.
1. POS terminal security privileges
From the attack process, the attacker downloaded the attack program over Bluetooth, installed it successfully, and replaced key applications on the POS terminal; the attacker very likely also obtained root privileges on the terminal's operating system. A smart POS terminal is similar to an Android phone. According to the industry's terminal security requirements, the terminal's operating system should contain only the necessary components and services, must be securely configured, and must run with minimum privileges. Under that requirement, neither the operator nor an attacker should have the right to download programs or install applications. This points to two possible situations on the POS terminal: first, the minimum secure configuration was never applied; second, the attacker used some vulnerability to obtain root privileges, enabled USB data transfer, and installed the attack program. For the second case, the industry specification also requires that every protocol and interface of the device be scanned and evaluated for vulnerabilities, so that none exist or any found have been removed.
2. Authentication of application installation on the POS terminal
The attacker could steal the cardholder's account number and PIN because a critical application on the POS terminal was replaced. According to the industry's terminal security requirements, a POS application must be authenticated by the POS firmware before it is downloaded to the terminal, and the terminal must not install unverified applications. Since an attack program was installed successfully, the POS terminal either lacks authentication of newly installed applications altogether, or its authentication is weak enough to be bypassed and so has no effect.
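How the firmware-side application authentication described above would work, as an added example that is not part of the original article or any POS vendor's firmware: the terminal holds only the vendor's public key, accepts an application image only if the signature attached to it verifies under that key, and a terminal with the check switched off stands in for the POS in the case study that installed an unverified program. The package layout (image followed by a 64-byte Ed25519 signature), the fixed example key seeds, and the application names are assumptions for the demo.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"errors"
	"fmt"
)

// Package layout assumed by this example (not any real vendor's format):
// the application image followed by a 64-byte Ed25519 signature over the image.
const sigLen = ed25519.SignatureSize

var (
	errTooShort     = errors.New("package shorter than a signature")
	errBadSignature = errors.New("signature does not verify under the terminal's vendor key")
)

// vendorSeed is a fixed example seed so the demo is deterministic. A real
// vendor signing key is generated and kept in an HSM; only the public half
// is burned into the terminal at manufacture.
var vendorSeed = bytes.Repeat([]byte{0x42}, ed25519.SeedSize)

func vendorKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	priv := ed25519.NewKeyFromSeed(vendorSeed)
	return priv.Public().(ed25519.PublicKey), priv
}

// signPackage is the vendor's release step: image || Sign(image).
func signPackage(priv ed25519.PrivateKey, image []byte) []byte {
	pkg := append([]byte{}, image...)
	return append(pkg, ed25519.Sign(priv, image)...)
}

// verifyPackage is the firmware-side check. It returns the image only if the
// trailing signature was made by the vendor key the terminal trusts.
func verifyPackage(pub ed25519.PublicKey, pkg []byte) ([]byte, error) {
	if len(pkg) <= sigLen {
		return nil, errTooShort
	}
	image, sig := pkg[:len(pkg)-sigLen], pkg[len(pkg)-sigLen:]
	if !ed25519.Verify(pub, image, sig) {
		return nil, errBadSignature
	}
	return image, nil
}

// Terminal models the application download path. With requireSignature set
// to false it behaves like the POS in the case study, which accepted an
// unverified program in place of the genuine payment application.
type Terminal struct {
	vendorPub        ed25519.PublicKey
	requireSignature bool
	installed        map[string][]byte
}

// Install returns nil and records the image if the package is accepted.
func (t *Terminal) Install(name string, pkg []byte) error {
	image := pkg
	if t.requireSignature {
		var err error
		if image, err = verifyPackage(t.vendorPub, pkg); err != nil {
			return fmt.Errorf("refusing to install %q: %w", name, err)
		}
	}
	if t.installed == nil {
		t.installed = make(map[string][]byte)
	}
	t.installed[name] = image
	return nil
}

func main() {
	pub, priv := vendorKeys()
	genuine := signPackage(priv, []byte("payment-app v1.0"))

	// The attacker's replacement application, signed with a key of their own
	// that the terminal does not trust.
	attackerPriv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x99}, ed25519.SeedSize))
	rogue := signPackage(attackerPriv, []byte("skimmer app"))

	// The genuine package with one byte of the image flipped after signing.
	tampered := append([]byte{}, genuine...)
	tampered[0] ^= 0x01

	hardened := &Terminal{vendorPub: pub, requireSignature: true}
	fmt.Println("hardened, genuine: ", hardened.Install("payment", genuine))
	fmt.Println("hardened, rogue:   ", hardened.Install("payment", rogue))
	fmt.Println("hardened, tampered:", hardened.Install("payment", tampered))

	weak := &Terminal{vendorPub: pub, requireSignature: false}
	fmt.Println("weak, rogue:       ", weak.Install("payment", rogue))
}
```

The point of the check is that the attacker cannot produce an acceptable package without the vendor's private key: a self-signed skimmer app and a genuine image modified after signing are both rejected, while the terminal with `requireSignature` off installs whatever it is handed, which is the behaviour the case study implies. The verification has to run in firmware that the application layer cannot patch; if an attacker with root can flip that flag, the signature check is "shielded" exactly as the article describes.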
3. Applications obtaining the plaintext PIN
During the attack the attacker stole the card's track data and PIN. This shows that the track data was available in plaintext during transmission or processing, and that either the PIN was not encrypted immediately on entry, or the module holding plaintext data was insufficiently protected and could be read by an application; as a result the attacker obtained the plaintext track data and PIN, cloned the card, and completed a transaction on another POS terminal. According to the industry's terminal security requirements, the transaction PIN must be encrypted immediately after it is entered on the keypad and must never be transmitted in plaintext. Plaintext data must also be protected by the relevant mechanisms from the moment of input until it has been encrypted into ciphertext, and no application may access the plaintext.
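The requirement that the PIN be encrypted immediately on entry and never be visible to applications, as an added example in Go that is not from the article or any terminal vendor: it builds an ISO 9564-1 format 0 PIN block from the keypad digits and the PAN, encrypts it under a double-length TDES PIN encryption key, wipes the clear block, and returns only the ciphertext, so application code above this layer never handles plaintext. The key, the PAN and the PINs are constructed test values; a real PEK is held inside the terminal's secure module and is not readable by applications.

```go
package main

import (
	"crypto/cipher"
	"crypto/des"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Constructed double-length TDES PIN encryption key (PEK) for this demo only.
// In a real terminal the PEK lives inside the secure module and is never readable by applications.
var examplePEK, _ = hex.DecodeString("0123456789ABCDEFFEDCBA9876543210")

func allDigits(s string) bool { return s != "" && strings.Trim(s, "0123456789") == "" }

// panField: ISO 9564-1 format 0 PAN field, "0000" + 12 rightmost PAN digits excluding the check digit.
func panField(pan string) ([]byte, error) {
	if len(pan) < 13 || !allDigits(pan) {
		return nil, errors.New("PAN must be at least 13 digits")
	}
	return hex.DecodeString("0000" + pan[len(pan)-13:len(pan)-1])
}

// formatZeroPINBlock: PIN field ("0", PIN length as one hex digit, PIN, 'F' padding to 16 hex digits) XOR PAN field.
func formatZeroPINBlock(pin, pan string) (block [8]byte, err error) {
	if len(pin) < 4 || len(pin) > 12 || !allDigits(pin) {
		return block, errors.New("PIN must be 4 to 12 digits")
	}
	q, err := panField(pan)
	if err != nil {
		return block, err
	}
	pinField := fmt.Sprintf("0%X%s", len(pin), pin)
	p, _ := hex.DecodeString(pinField + strings.Repeat("F", 16-len(pinField)))
	for i := range block {
		block[i] = p[i] ^ q[i]
	}
	return block, nil
}

// tdesBlock expands a 16-byte 2-key TDES key to K1 K2 K1 for crypto/des.
func tdesBlock(key []byte) (cipher.Block, error) {
	if len(key) != 16 {
		return nil, errors.New("expected a 16-byte double-length TDES key")
	}
	return des.NewTripleDESCipher(append(append([]byte{}, key...), key[:8]...))
}

// encryptPINBlock is the only PIN operation the application layer may request:
// keypad digits go in, only the encrypted block comes out, and the clear block is wiped.
func encryptPINBlock(pek []byte, pin, pan string) (out [8]byte, err error) {
	plain, err := formatZeroPINBlock(pin, pan)
	if err != nil {
		return out, err
	}
	c, err := tdesBlock(pek)
	if err != nil {
		return out, err
	}
	c.Encrypt(out[:], plain[:])
	for i := range plain {
		plain[i] = 0
	}
	return out, nil
}

// recoverPIN is the host/HSM side, included to show the round trip: decrypt
// under the same PEK, undo the PAN XOR and parse the PIN field.
func recoverPIN(pek []byte, enc [8]byte, pan string) (string, error) {
	c, err := tdesBlock(pek)
	if err != nil {
		return "", err
	}
	q, err := panField(pan)
	if err != nil {
		return "", err
	}
	var plain [8]byte
	c.Decrypt(plain[:], enc[:])
	for i := range plain {
		plain[i] ^= q[i]
	}
	field := strings.ToUpper(hex.EncodeToString(plain[:]))
	n, err := strconv.ParseInt(field[1:2], 16, 0)
	if err != nil || field[0] != '0' || n < 4 || n > 12 || !allDigits(field[2:2+n]) {
		return "", errors.New("not a valid format 0 PIN block")
	}
	return field[2 : 2+n], nil
}

func main() {
	enc, _ := encryptPINBlock(examplePEK, "1234", "4111111111111111") // constructed test PAN
	fmt.Printf("encrypted PIN block, all the application ever sees: %X\n", enc[:])
}
```

`recoverPIN` would live in the acquirer's or issuer's HSM, never on the terminal; it is here only so the round trip can be checked. The same principle applies to the newer AES-based format 4 PIN block and to track data, which should be encrypted at the read head before any application code can touch it; a terminal whose application can read the keypad buffer or the card reader in the clear is the one the case study describes.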
In this attack the attacker spent one or two minutes operating the POS terminal to replace the critical application with the attack program. In a real card transaction, however, the counter operator hands the POS to the customer only for PIN entry, and although the operator is supposed to look away during that entry, it takes only a few tens of seconds; anything longer would certainly arouse the operator's suspicion. Installing an attack program in such a short window is therefore unrealistic unless the operator is an accomplice, and operator collusion is a management problem rather than a technical one. So the attack is hard to carry out during a real purchase. Even so, it deserves everyone's serious attention. The recommendations are as follows:
Advice to cardholders
The bank card in this case was a magnetic stripe card, as in all previous bank card theft cases. Compared with an IC card, a magnetic stripe card has much weaker protection, and its track data is more easily leaked and copied onto a counterfeit card. In recent years China has vigorously promoted bank IC cards, because IC cards are far harder to copy than magnetic stripe cards, and even if data leaks from the chip it is difficult to use it directly to make a fake card. To reduce uncontrollable fraud, cardholders are advised to replace their magnetic stripe bank cards with bank IC cards.
Advice to acquirers and merchants
As China's payment industry develops, payment service providers multiply and POS terminals are deployed ever more widely, it has become easier for merchants to obtain POS terminals, but the risk of terminals being transferred, tampered with, or attacked is rising as well. In this attack the attacker needed only one or two minutes with the POS terminal to achieve the goal. The People's Bank of China and UnionPay have clear security management requirements for the use of POS terminals. Acquiring institutions and merchants should strictly follow the POS security regulations, must not illegally modify or attack POS terminals, and should subject the equipment they procure and use to security review and maintenance.
Advice to terminal manufacturers
POS terminal manufacturers should carry out timely upgrade management and security maintenance of terminals already sold, patch vulnerabilities promptly in accordance with industry standards, and produce and sell strictly in accordance with industry certification management requirements, so as to protect the security of all users.