Sergey Nivens - Fotolia

How do man-in-the-middle attacks on PIN pads expose credit card data?

Passive man-in-the-middle attacks on PIN pads can lead to attackers stealing credit card details. Expert Nick Lewis explains how companies can mitigate these attacks.

NCR Corp. researchers demonstrated how credit card chip-and-PIN protections could be bypassed with a passive man-in-the-middle...

attack on point-of-sale terminals and PIN pads, allowing card data to be used and modified elsewhere. How does this type of attack work, and what can be done to prevent PIN pads from exposing card data?

Nir Valtman and Patrick Watson, security researchers from payment technology firm NCR Corp., presented their findings on vulnerabilities in payment environments, like PIN pads, at Black Hat USA 2016. Their research showed that legacy systems and modern systems with legacy functionality are insecure and can be exploited by monitoring the network connections where credit card data passes unencrypted.

The specific details they presented are new, but this exploit is a variant of a well-known problem. An attacker that gets into a man-in-the-middle position can capture this data or make changes in the transaction flow to make the transaction look like it occurred offline.

The researchers' mitigation recommendations for these vulnerabilities include using strong encryption, using signed firmware and encrypting offline transaction data for PIN pads. While these are very good recommendations, it is unlikely legacy systems will be able to take advantage of them. The best case would be for businesses to upgrade their technology to take advantage of point-to-point encryption, but, given the cost, some businesses may choose to accept the risk of a security incident.

The risks are significant, but enterprises can take some steps to minimize them, such as not storing payment card numbers past transaction settlement, purging primary account numbers that are stored when operating offline after transactions are settled and implementing tokenization if the data is stored.

The Payment Card Industry (PCI) Standards Council has best practices for preventing card skimming that enterprises can put in place to protect their point-of-sale terminals. Enterprises should also be cautious of unusual prompts during payment entry and when using PIN pads in their security awareness training programs.

Next Steps

Find out how your company can benefit from using PCI Data Security Standard

Read about out-of-band security controls for credit card data protection in your enterprise

Learn if chip-and-PIN technology is effective for preventing credit card hacking

This was last published in January 2017

Dig Deeper on Data security and privacy