Why not ask the l33t h4x0rs
They seem to be able to upgrade this kind of kit at will :/
The Payment Card Industry Security Standards Council (PCI Council) has floated a new standard it hopes will reduce credit card fraud that starts at the point of sale, in part by allowing easier upgrades. The new version 5.0 of the PCI PIN Transaction Security (PTS) Point-of-Interaction (POI) Modular Security Requirements …
Maybe they did? I'm guessing there's more money to be made via black hat work than white hat work.
As a side note, that "anti-tamper" part seems like it'll end up being an armored box which will cost a lot more than the plastic and sheet metal units around now. Retailers probably won't be lining up if they cost a lot more.
As for the US, most places I've visited have some duct tape (gaffer's) over the slot for the chipped card with a sign that says it's not working..... yet. I'm betting there's a cost for that they don't want to pay.
Not really, they have anti-tamper at the moment. It doesn't mean you have to armour them. All it means is that they must detect tampering and kill the machine and data.
It can be a PITA as they are quite sensitive, a smallish knock and they can go into tamper mode and you have to send the device back at a cost.
I can only think McDonald's drive-thru had special terminals made without the sensitive anti-tampering on them as they get knocked around a lot.
Maybe they have had a number of issues with the tamper alarm then?
I see that they now sometimes put them in a holder outside the window, although the weather seems to stop them using it very much. They also have an arm attached to the PDQ so that the operator can hold it while the card is used, possibly due to customers dropping it. Just theorising, they just seem to be more robust than our units.
The tamper-resistance measures will both increase the manufacturing costs significantly, and make the devices more or less impossible to repair. It seems to me that a better solution would be to accelerate the move to NFC token-based payment methods (Apple Pay, etc.) where the amount of trust placed on the readers is substantially reduced or the NFC hardware can be integrated into the POS terminal and the reader eliminated completely. Most communication between POS terminal and card readers these days is *still* over RS232 serial (occasionally with USB emulation of RS232 serial), which is quite possibly the easiest standard on earth to intercept / tamper with.
Making the units tamper proof is a good move. Making them sealed units that are swappable seems to be the way to go. No in-situ firmware upgrades, just swap the old one out for a replacement and ship the old one back to the supplier who will refurb it and upgrade the firmware. A secure process to bring them online again is probably the missing link.
There is technology available to make this secure but anything that is done is still vulnerable to insiders.
The Hardware Security Modules that are used to generate PINs etc are already designed to be tamper proof yet are able to have the keys updated if proper procedure is followed. These devices are kept in very secure places so tampering is generally not a problem.
"NFC hardware can be integrated into the POS terminal and the reader eliminated completely. Most communication between POS terminal and card readers these days is *still* over RS232 serial (occasionally with USB emulation of RS232 serial),"
The move with POS has been taking the card system payments out of the POS completely. POS is insecure (see past ElReg articles). The whole point of a non-integrated reader is that it can be made very secure, running minimal software (attack vectors) to an ever evolving security standard and built by specialists.
POS is built by standard programmers who are looking to push more features into a dull product in a crowded marketplace and don't work to the highest security standards and many are inherently insecure.
Also, there aren't many C&P devices that communicate directly with the POS anymore. Legacy, non-compliant stuff might but almost everyone else runs the readers direct over IP (cabled, Bluetooth or wireless). The communication is then done directly to the PSP, with the POS triggering the communication and receiving the payment status.
"The seals are tamper-evident and only held by the manufacturer"
No one would know if you used a different one. In many places the wording on the PDQ screen changes when rogue operators swap them out and no-one realises.
Restaurant staff have more important things to worry about (like being able to afford next month's rent) than checking for fraudulent seals.
"Restaurant staff have more important things to worry about (like being able to afford next month's rent) than checking for fraudulent seals."
Except if the hack is traced back to them and their seals are found to be wrong, THEY get the blame AND the bill. Forget next month's rent at that point...
You'd need an insider to have an identical seal.
You'd need a quick call to Taiwan* to have an identical seal.
There, fixed it for you. Thing is, things like seals and stuff - the fakers can have the fakes out before the genuine ones are in use if they have any incentive to do so.
* Or wherever the favoured "we make anything you want, no questions asked" places are these days.
We have already seen hackers talk their way into bank branches themselves and replace equipment under the noses of bank staff.
Anecdote concerning the Paying-In machines where you get a scanned copy of the lodged receipts:-
Once I got a receipt which showed it was issued by a branch other than the one printed on the receipt. The credit failed to appear on my balance the following day either. Complained to the bank who sorted it out, but let's face it:-
For every security measure put in place, there is a possible counter-measure available. It is a case of reducing the probability that such a vulnerability is exploited. No system is flaw-proof.
Although there is still a degree of counterfeiting of bank notes, the amount of money generated from digital crimes is far greater. If everybody started using cash for most transactions again, more fake bills would be produced as it would become more profitable again.
I do mainly use cash and will drive reasonable distances to use cash. If you have an account just for online purchases, with only enough in it for the purchase in question, you feel safer than giving out your current account information.
We've discussed a similar issue before, and the use of a special card just for using online. If you could top it up anywhere (ATMs, shops, garages etc.) like a gas or electricity card, I'd use one.
The issue is, will this require re-certifying and by which organisations?
At the moment the terminal manufacturer makes a terminal, your PSP has to create software for that terminal, this then needs to be certified for use for every merchant services company that you may wish to use.
This all takes a long time (18 months~2 years is quite normal) and restricts your choice quite a lot. If you had to recertify for every firmware update then it would be pointless. Hopefully the update would be to the core terminal firmware that doesn't interact with the PSP layer.
Many places won't take ephemeral cards because they know they can be easily associated with money laundering. Even gift cards are iffy, as online retailers like Amazon and PayPal have in the past rejected their use in online transactions. The retailers want to see REAL cards, with a real name, real mailing address, and usually something backing it up like a bank or an employer.
Ah, throwing technology at the wall to solve:
* Slow deployment of Chip&Pin due to resistance from retailers because of fees.
* "Securing" end terminals when all the recent major breaches have targeted insecure back offices of large companies non-compliant with even a tenth of existing PCI standards.
* "Hardening" POS devices when the common way to skim the card at the restaurant is to snap a photo of it.
I'm not impressed. As much as I'd like to be a leet hax0r breaking into the shops at night with a drill bit to replace the firmware on the two dented card readers, I'll stick to sending funny cat videos to corporate office beancounters staff. Actually enforcing PCI DSS and having consequences for ignoring it would be a far, far bigger result than preventing me from targeting a grocery store where customers have maybe $10 left on their accounts to nick.
"Actually enforcing PCI DSS and having consequences for ignoring it would be a far, far bigger result than preventing me from targeting a grocery store where customers have maybe $10 left on their accounts to nick."
As I understand it, there ARE consequences in place since the beginning of this year. If there's a hack traced to you and you're not EMV compliant, YOU get to foot the bill. Many that don't use it are either in the middle of the lengthy software certification process or are gambling: putting off the upfront costs in hopes they don't get stung.
> YOU get to foot the bill
At the moment, that doesn't seem to be a deterrent. It seems to me that most companies look at the costs and decide security isn't important enough to pay for. And I don't see any of them really getting fined or having any reputation issues, so they keep going.
"At the moment, that doesn't seem to be a deterrent. It seems to me that most companies look at the costs and decide security isn't important enough to pay for."
In other words, they're gambling they don't get hit and pay a LOT more than the compliance costs as a result. That kind of attitude makes the problem intractable. The only way to make them take notice is to make the threat existential. Only problem is that these companies keep tens of thousands of vulnerable, innocent people employed in a shrinking job market.
""Securing" end terminals when all the recent major breaches have targeted insecure back offices of large companies non-compliant with even a tenth of existing PCI standards."
Part of the reason for the push to EMV is to defuse this problem. EMV transactions use one-time codes, meaning if the numbers are nicked, they're still useless.
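
Added example, not part of the thread: a simplified Python model of the one-time-code idea in the comment above, showing why captured transaction data fails when presented again. HMAC-SHA256 stands in for the real EMV cryptogram algorithm, and the `Card`/`Issuer` classes, the key and the PAN are constructed for illustration.

```python
import hashlib
import hmac

def cryptogram(key: bytes, pan: str, atc: int, amount: int, nonce: bytes) -> bytes:
    """MAC over the transaction data; changes whenever the counter or amount changes."""
    msg = pan.encode() + atc.to_bytes(2, "big") + amount.to_bytes(6, "big") + nonce
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]

class Card:
    def __init__(self, pan: str, key: bytes):
        self.pan, self._key, self.atc = pan, key, 0   # key never leaves the chip

    def pay(self, amount: int, nonce: bytes) -> dict:
        self.atc += 1                                  # transaction counter
        return {"pan": self.pan, "atc": self.atc, "amount": amount, "nonce": nonce,
                "cryptogram": cryptogram(self._key, self.pan, self.atc, amount, nonce)}

class Issuer:
    def __init__(self):
        self._keys, self._last_atc = {}, {}

    def enrol(self, pan: str, key: bytes) -> None:
        self._keys[pan], self._last_atc[pan] = key, 0

    def authorise(self, txn: dict) -> str:
        key = self._keys.get(txn["pan"])
        if key is None:
            return "unknown card"
        expected = cryptogram(key, txn["pan"], txn["atc"], txn["amount"], txn["nonce"])
        if not hmac.compare_digest(expected, txn["cryptogram"]):
            return "bad cryptogram"                    # data altered or key not known
        if txn["atc"] <= self._last_atc[txn["pan"]]:
            return "replayed counter"                  # valid once, stale afterwards
        self._last_atc[txn["pan"]] = txn["atc"]
        return "approved"

def demo() -> tuple:
    key = bytes(range(32))                             # constructed test key
    pan = "4000000000000002"                           # constructed test PAN
    card, issuer = Card(pan, key), Issuer()
    issuer.enrol(pan, key)
    txn = card.pay(1250, b"\x01\x02\x03\x04")          # nonce supplied by the terminal
    first = issuer.authorise(txn)
    replay = issuer.authorise(dict(txn))               # same captured data, sent again
    altered = issuer.authorise(dict(txn, atc=2, amount=99999))  # captured data, new values
    second = issuer.authorise(card.pay(300, b"\x05\x06\x07\x08"))
    return first, replay, altered, second
```
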