Ingenico Inc. – 3025 Windward Plaza, Suite 600, Alpharetta, GA 30005
Tel: (678) 456-1200 – Fax: (678) 456-1201 – [email protected]

POS Terminal Case Overlay Attacks

Ingenico Security Brief

Ingenico Regional Security Organization

05/16/2016

CONFIDENTIAL / POS Terminal Case Overlay Attacks

Copyright © Ingenico Inc., 2016

All rights reserved

Without limiting the rights under copyright reserved above, no part of this publication may be reproduced, stored in or introduced into a retrieval system, or transmitted, in any form or by any means (electronic, mechanical, photocopying, recording or otherwise), without the prior written permission of the copyright owner.

The scanning, uploading, and distribution of this work via the Internet or via any other means without the permission of the publisher is illegal and punishable by law.

Table of Contents

1. Abstract
2. Overlay Attack Characteristics
2.1. Size Discrepancies
2.2. Design Discrepancies – Overlapping Seam
2.3. Design Discrepancies – Backlit Keypad Obfuscation
2.4. Design Discrepancies – Contactless LED Obfuscation
2.5. Design Discrepancies – Increased MSR read failures
2.6. Design Discrepancies – Stylus Mount Impedance
3. Attack Methodology
4. Steps to Detection
5. Prevention
6. Reporting

1. Abstract

The objective of this document is to provide reference information regarding the recent discovery of new attacks at the point of sale that target card-accepting POS terminals by means of applying a case overlay. The overlay contains electronic capture components for gathering MSR swipe and key-entered data. These apparatus are very similar in appearance to the actual production casing of the POS terminal, and can therefore be challenging to detect for someone who is not intimately familiar with the product. These overlays are also applied very quickly, requiring only minor distractions to the cashier associate, and can even be installed during a normal transaction checkout process.

Although these implements look very similar to the target POS terminal, there are some distinct differences to help you identify them in the field, and we recommend (as does the PCI council; see Skimming Prevention – Best Practices for Merchants) a plan to analyze your POS terminals for the presence of skimming devices, including this "overlay" variety.

2. Overlay Attack Characteristics

2.1. Size Discrepancies

In order for the case overlay to fit atop the POS terminal, it must be longer and wider than the target device. For this reason, the case overlay will appear noticeably larger than the actual POS terminal. This is the primary identifying characteristic of the skimming device. A skimmer overlay of the iSC250 is over 6 inches wide and 7 inches tall, while the iSC250 itself is 5 9/16 inches wide and 6 ½ inches tall.

The red calipers in the image above show the size differences in various noticeable areas of the case overlay on the left compared to the actual iSC250 on the right.

2.2. Design Discrepancies – Overlapping Seam

The top portion of the plastic on the skimmer overlay stops above the connector ports rather than extending the full depth of the casing. This creates a visible edge that is easily distinguished from the original terminal.

The red arrows show the seam-line created by the skimmer overlay casing. Also, note the protruding overhang of the larger skimmer case compared to the actual device.

The side portion of the plastic on the overlay stops above the Kensington lock connector rather than going the full height. This creates a visible edge that is easily distinguished from the original terminal.

2.3. Design Discrepancies – Backlit Keypad Obfuscation

The overlays obscure the original keypad with their own in such a way that the overlay keypad is capable of capturing key-presses. The backlight on the Ingenico keypad is not visible through the overlay keypad. It is best to observe the backlight while shielding the keypad from room lights with your hand or another obscuring mechanism.

The backlight can be seen best while shading the keypad from room lights. The image on the left is a powered-on legitimate iSC250 viewed with the keypad shaded. The backlight can be seen in comparison to a powered-off iSC250 in the right image.

2.4. Design Discrepancies – Contactless LED Obfuscation

The green LED that is illuminated during contactless reads is obscured by the overlay.

The green LED is illuminated when the contactless reader is active.

2.5. Design Discrepancies – Increased MSR read failures

Small read-heads are inserted in the overlay plastic that covers the start of the magnetic stripe track, enabling the overlay to capture data when magnetic cards are swiped through the overlay. The overlay design appears to occasionally interfere with the magnetic stripe reads, leading to greater numbers of read failures.

2.6. Design Discrepancies – Stylus Mount Impedance

The overlays appear to prevent the ordinary placement of the stylus due to the obtrusive overhang of the skimmer overlay. If, in your examination process, you see styluses hanging by their cables or simply not installed in the holder, this could be a sign that an overlay has been attached.

The overlay skimmer on the left blocks the stylus tray. The picture on the right is a device that has not been attacked. Note the wide tray opening.

3. Attack Methodology

The attackers place a plastic overlay that appears to be the same as the terminal top plastic over the terminal in unattended lanes without a vigilant clerk or in attended lanes where the clerk is either distracted or unable to see the attacker due to large items moving through the lane.

4. Steps to Detection

Merchants can observe the physical differences between a terminal with an illicit overlay and a legitimate iSC250 as a means to detect an overlay attack.

• Regularly check the width of the iSC250s in the lane. A simple template of a ruler with a highly visible mark or piece of tape at 5.5 inches can be used for a very fast visual check. An overlay would cause the width to visibly extend beyond the mark or start of the tape. The same can be done for the length of the terminal with a 6.5 inch template.

  The length of the iSC250 stylus from the tip to the end of the strain relief is 5 7/8 inches. This is roughly a quarter inch longer than the iSC250 is wide, but not as long as the overlays that have been seen in the field. This allows the stylus to be used as a rough template to determine if the terminal has had an overlay inserted. If the stylus is laid across the terminal, the main body of the stylus should cover the terminal but the strain relief should stick over the end.

• Regularly check the width of the plastic to the outside of the magnetic stripe card track. The stylus can be used as a template here, as the width in this zone of a legitimate terminal is nearly identical to the width of the stylus. The width of this zone on the illicit overlays is roughly ¼ inch larger than the stylus.

• Verify that the stylus fits completely in the stylus holder on the left side of the terminal.

• Look at or feel the top of the terminal. If an edge is seen or felt, an overlay is likely present. The top edge of the terminal should be a continuous flat surface across the height and width of the design.

• Visually observe and then feel the sides of the terminal. If a raised edge is seen or felt, an overlay is likely present. The sides of the terminal should be a continuous flat surface across the height and width of the design.

• Verify that the keypad is backlit while shielding the keypad from the room light.

• Verify the green LED is visible during card read transactions when contactless is enabled.

• Use the Health Stats command in RBA or UIA to monitor bad Track2 reads. The command in RBA is 08.0. A detailed examination of the terminal should occur if the number of bad Track2 reads increases significantly.
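
One way to turn the last check into an automated alert, as an added example that is not Ingenico's code and not part of the original brief. It assumes the POS host already records, per terminal, cumulative counts of card swipes and bad Track2 reads (the terminal IDs, the swipe counter, the thresholds and all sample values are constructed for illustration); how those counters are read from the terminal is outside its scope.

```python
from math import sqrt

# Constructed sample data (hypothetical terminal IDs and values): cumulative
# (card_swipes, bad_track2_reads) counters, one snapshot per day per terminal,
# as a POS host might log them after polling each terminal's health statistics.
SNAPSHOTS = {
    "lane-01": [(0, 0), (410, 9), (835, 19), (1240, 27), (1650, 37), (2060, 46)],
    "lane-02": [(0, 0), (395, 8), (800, 17), (1210, 26), (1600, 62), (2005, 101)],
    # lane-03 counters were reset after the third snapshot (e.g. terminal reboot)
    "lane-03": [(0, 0), (400, 10), (790, 18), (30, 1), (420, 9), (815, 19)],
}

def deltas(snapshots):
    """Convert cumulative counters into per-interval (swipes, bad_reads) pairs.

    A counter that goes down means it was reset, so the new snapshot's values
    are taken as that interval's counts instead of a negative difference.
    """
    out = []
    for (s0, b0), (s1, b1) in zip(snapshots, snapshots[1:]):
        out.append((s1, b1) if (s1 < s0 or b1 < b0) else (s1 - s0, b1 - b0))
    return out

def assess(snapshots, recent=2, z_threshold=3.0, min_swipes=100):
    """One-sided two-proportion z-test: recent intervals vs. earlier baseline.

    `recent`, `z_threshold` and `min_swipes` are assumed tuning values.
    """
    d = deltas(snapshots)
    base, new = d[:-recent], d[-recent:]
    n0, k0 = sum(s for s, _ in base), sum(b for _, b in base)
    n1, k1 = sum(s for s, _ in new), sum(b for _, b in new)
    if n0 < min_swipes or n1 < min_swipes:
        # Too few swipes on either side to call a change significant.
        return {"inspect": None, "reason": "not enough swipes to compare"}
    pooled = (k0 + k1) / (n0 + n1)
    se = sqrt(pooled * (1 - pooled) * (1 / n0 + 1 / n1))
    z = ((k1 / n1) - (k0 / n0)) / se if se else 0.0
    return {"baseline_rate": k0 / n0, "recent_rate": k1 / n1,
            "z": round(z, 2), "inspect": z >= z_threshold}

if __name__ == "__main__":
    for terminal, snaps in SNAPSHOTS.items():
        print(terminal, assess(snaps))
```

A terminal flagged with `inspect: True` is a candidate for the physical checks listed above; the statistic alone does not confirm an overlay.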

5. Prevention

The Ingenico North America product and security teams are actively working on different ideas that can be used with already deployed terminals to prevent the overlay attacks. Below are some early ideas on ways to prevent these types of attacks.

• The use of stands with obtrusive features on the top or side of the terminal would prevent the overlay from being inserted.

• Be vigilant and report any suspicious activity to the store manager and refer to this bulletin.

• If possible, secure POS terminals in lanes when they are unmanned or unattended.

• If you have security cameras in your establishment, review the layout so that if an attack occurs, you may provide video evidence of the perpetrators to authorities.

6. Reporting

If an illicit overlay is found, please send notification to Rob Martin, the Ingenico North America Security Officer, at [email protected].