back to article You can play Flappy Bird on a POINT OF SALE TERMINAL

Mobile Point of Sale (MPOS) devices can be easily hacked and leave banks and retailers wide open to fraud, warn infosec researchers. Security researchers from MWR InfoSecurity, the same security firm that researched serious vulnerabilities in chip-and-PIN devices back in 2012, demonstrated at last week's SyScan security …

COMMENTS

This topic is closed for new posts.
  1. A Non e-mouse Silver badge

    Customers continue to claim they've been subject to charges/transactions they never made. Security researchers continue to find major flaws in the Chip & Pin security mechanism.

    All the while, the payment card industry refuse to acknowledge that the problems are real (and even try to silence the researches)

    Chip & Pin is better than the magnetic strip/signature method, but it's not perfect, and the payment industry needs to own up to this.

    1. Anonymous Coward
      Anonymous Coward

      "Chip & Pin is better than the magnetic strip/signature method, but it's not perfect, and the payment industry needs to own up to this."

      This is a biggie. They can't really own up to the insecurity of payment methods because trust is an inherent part of financial transactions. If you don't trust the retailer (or the retail method) you are paying for something with card, you are more likely not to use the card, which pushes you to use more cash, which starts to hurt the card business. If, as a retailer, you are worried that any purchases are fraudulently made which results in you losing out (usually the card companies will cover this even though I doubt many firms would actually meet PPI requirements).

      Cash is still safest, but there is no way for any other firm to get in on that transaction and make a small amount, millions of times a day.

      Until there is a fundamental change in how the world views electronic security, there will never, ever be an IT industry that is based on a solid foundation of security first. There will always be a catch up with the, ahem, researchers always ahead of the game. There will always be new industry initiatives that will state they will aim to combat fraud, and there will always be winners and losers. And lies. Lots of lies. Lies that will be willingly bought into because to not publicly believe the lie will bring the whole house of cards down.

      Lets face it, as has been said before, Money is the biggest religion in the world today. It is all about belief.

    2. SumDood

      "Chip & Pin is better than the magnetic strip/signature method"

      Really?

      The only evidence I've ever seen says it's different.

      Granted, the pre-C&P-equipment-selling publicity /said/ it was better, but I always took that to be expected propaganda. (If there was solid evidence it would have served the proponents better than the unsubstantiated claims that they made do with).

      1. Anonymous Coward
        Anonymous Coward

        "The only evidence I've ever seen says it's different."

        The cloning difficulty goes up I believe. Plus modifying a terminal to steal card info inline during a real transaction is far harder with chips than magnetic strips. But otherwise it's not any more secure - the card info still needs to go to the bank for processing.

  2. The BigYin

    Like they care

    If there's chip&pin fraud they just say "Chip&pin was used, you must have told someone your pin, feck orf". They have no incentive to fix anything - and they won't (fixes cost money and that hits this quarters bonuses).

    1. Kaltern

      Re: Like they care

      This is the crux of the matter.

      Chip & Pin was introduced mainly to shift responsibility to the consumer - banks are pretty much free from any responsibility for card fraud, which, if you think about it, is grossly unfair.

      Because the UK adopted the cheaper, less secure version of the tech, it's trivially easy for these cards to be used fraudulently. The PIN, stored on the card, is just not going to be as secure as a PIN stored in a central server, which is how I would have expected things to be.

      Sure, it makes certain transactions more difficult, and the utterly pointless security card readers employed by banks such as Natwest would be useless, but Id trade that for much higher security.

      Personally, I can't think of a better, easy to implement security tech that doesn't involve a secondary physical item, but I imagine one exists in the mind of someone, one that puts the onus of customer security firmly back in the hands of the banks.

      1. Anonymous Coward
        Anonymous Coward

        Re: Like they care

        The business of the PIN being stored in the card has always puzzled me. In order to be completely trustworthy, it must be the case that you, and only you, know the PIN number.

        It make complete sense until you get a new card which responds to the old PIN, thus indicating that the card issuer knows your PIN.

        I suppose that it could be that the bank knows whether you have changed the PIN (you need to put it into an ATM to do it). If you have, they need to send you a new PIN with a new card. If you have never changed the PIN, then they have recorded what the original PIN was and tell you that you can keep using it.

        Perhaps I should change the PIN on my cards more often! Perhapse they should be more clear about how it works.

        Perhaps I would like a glass of whisky. Yes, that seems more likely.

        1. Mike 16 Silver badge

          Re: Like they care

          "The business of the PIN being stored in the card has always puzzled me. In order to be completely trustworthy, it must be the case that you, and only you, know the PIN number."

          I know very little about the mag-stripe cards, and less about chip-and-pin (other than that various vulnerabilities have been found over the years), but IIRC, the "PIN" stored on a mag-stripe card is actually an "offset", to be added to the number you type in, which is then hashed and transmitted to the central server. So it's more like salt than the password itself. OTOH, PINs are typically only used for ATM cards and the like, not "credit" cards or even the "yeah, you'll get your money back, eventually" debit cards.

          1. Peter Gathercole Silver badge

            Re: Like they care

            Yes, I was rather lose in my description of the PIN being stored on the card. It's a complicated issue where the PIN is not actually stored, but a hash of the PIN and some information unique to the card is stored, so that the PIN you type in is hashed with the card-specific information, and is then compared with the stored hash to determine whether the PIN was correct. It's a one-way hashing process, so even if the information on the card could be read, the PIN cannot easily be determined.

            But the point is that it is completely on the card (as is the cryptographic processor that computes the hash - I'll bet you did not know that your bank card had a processor on-board). This is how the calculator-type authentication devices can work in isolation from any data connection, as all the authentication device is doing is providing the PIN to the card, and initiating the hash/compare.

            It should not be the case that the card-issuing authority should know the PIN, because that breaks the personal secret that the bank claims tie a transaction down to you, and as a result absolves them of any responsibility for card-fraud.

            In the UK, all bank issued cards, whether credit, debit or charge cards use the same mechanism for chip-and-pin, although it is different from other countries. Your point about the magnetic stripe is interesting, because UK cards do actually still have mag-stripes, so that they can be used abroad.

            That does suggest that the card issuer does have to know the PIN.

            1. Peter Gathercole Silver badge
              Headmaster

              Re: Like they care @Me

              Grrrr. Pedantic Grammar NAZI against myself! Did not spot lose/loose mistake until after the edit period had expired!

  3. stucs201
    WTF?

    play a simplified version of the popular game Flappy Bird

    How on earth do you simplify a game which only has one control?

  4. G_R

    Flappy Bird

    @ stucs201 - surely a critical point is that there is only one key used, the Enter key. That is not a security critical key. Unless I'm missing something (please jump in...) there is no compromise of the rest of the keypad. So there is no way to capture PINs - at least not from the keypad. Being able to play Flappy Bird is very nice and fun and I'm sure the MWR guys had a blast doing it, but a real security vulnerability, I can't see one here...?

    1. muddysteve

      Re: Flappy Bird

      Surely the point is that they were able to load software onto the device, and if they can, so can someone else. This point is only valid if they used a method that the bad guys can also use.

  5. Lucy F

    It's back

    Looks like this app has showed up in Google Play as well for Android users! So exciting to have this game back finally! https://play.google.com/store/apps/details?id=com.JakedUp.FloppyBird

  6. JCitizen
    Coffee/keyboard

    Yeah, and everyone criticises..

    the Yanks for not having Chip-N-Pin!! Hows that bazillion dollar investment panning out for ya!? Mean while the poor card holder gets left holding the bag!(empty bag - BTW)

  7. Anonymous Coward
    Anonymous Coward

    I'm shocked! A device that has software can be hacked!?!?!

    In other news, tight-arse shop owners are still using WinXP on their POS PCs. Some of these have EFT terminals attached, and send card data over their network. More at 6pm.

This topic is closed for new posts.

Biting the hand that feeds IT © 1998–2019