
Proof of concept: Turning a legitimate electronic voucher distribution terminal into a client-server based POS terminal skimming device

Johnny Bengtsson, Swedish National Forensic Centre – NFC
EAFS 2015, Praha, Czech Republic
Agenda

• What defines a skimmer?
• Point-of-sale (POS) terminal skimmers
• From a potential idea…
• …to a proof-of-concept
• Summary
• Live demonstration
What defines a skimmer?

NFC's general definition:

"Technical solution for concealed registration of magnetic stripe data and – where applicable – also personal identification number (PIN)"

Synonyms: magnetic stripe skimmer, skimmer device, skimming device

Not to be mixed up with a shimmer1,2!

1 Thomas Prüfer, Bundeskriminalamt, Germany, (2013)
2 e.g. http://krebsonsecurity.com/2015/08/chip-card-atm-shimmer-found-in-mexico/
Photo: Marcus Andræ, NFC

POS TERMINAL SKIMMERS
Three identified categories

• Old-school POS terminal skimmers
• Ghost POS terminal skimmers*
• Client-server based POS terminal skimmers (this presentation)

*) Europol, 23 April 2015, https://www.europol.europa.eu/content/criminal-skimming-gang-using-%E2%80%98ghost%E2%80%99-payment-terminals-dismantled-france
Old-school POS terminal skimmers*

• Breaching/bypassing of tamper switches
• Magnetic stripe data wiretapping
  – Magnetic head (same or additional)
  – F/2F decoder circuit signals
• PIN entry device (PED) attacks
  – Overlay PIN pad, keypad membrane, PCB attack
• Additional electronics
  – Wires, power supply, RF components, memory cards

*) First examinations in 2006, case numbers: 2006007262, 2006007436, 2006009812, 2006011343, 200614406
Regular system vs old-school

Regular procedure: Financial card → POS terminal → Acquiring bank

Old-school POS terminal skimmer: Financial card → skimmer-equipped POS terminal → Acquiring bank; the skimmer additionally delivers the captured data to the fraudster
Ghost POS terminal skimmers*

• Minor or no physical modifications
  – Improvements of housing, no dead space
  – Better physical and electronic tamper switches
• Dedicated POS terminal software
  – Magnetic stripe data, PIN
  – Hidden and/or password protected menus
  – Encryption of data
• Fraudulent faked receipt printouts
• The term ghost
  – No financial data exchange → unaffected account balance

*) First examination in 2010, case number: 2010015839
Regular system vs ghost

Regular procedure: Financial card → POS terminal → Acquiring bank

Ghost POS terminal skimmer: Financial card → Ghost POS terminal → Fraudster; the acquiring bank is never contacted
Client-server based POS terminal skimmer

FROM A POTENTIAL IDEA…
Regular system vs client-server based

Regular procedure: Financial card → POS terminal → Acquiring bank

Client-server based POS terminal skimmer: Financial card → Client POS terminal → Fraudulent POS server (in place of the acquiring bank)
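The rerouting in the diagram above, a terminal posting to a fraudulent server instead of its acquirer, is what a defender can look for on the terminal LAN. The following Python is an added example written for this page, not code from the presentation: it scans constructed connection-log lines for POSTs from a known terminal address to any host outside an acquirer allowlist; the addresses, paths and log format are assumptions.

```python
"""Detection sketch: POS terminal POSTs that bypass the acquirer.

The log lines below are constructed for this example, in a simplified
"timestamp src -> dst:port METHOD path HTTP/version" form, the kind of
summary one would derive from a Wireshark capture taken via a hub on the
terminal LAN.
"""
import re

SAMPLE_LOG = """\
2015-04-23T10:12:01 192.168.1.50 -> 198.51.100.20:443 POST /tx HTTP/1.1
2015-04-23T10:13:44 192.168.1.50 -> 203.0.113.10:80 POST /creon/index.php HTTP/1.0
2015-04-23T10:14:02 192.168.1.77 -> 203.0.113.10:80 GET /news HTTP/1.1
2015-04-23T10:15:09 192.168.1.50 -> 198.51.100.20:443 POST /tx HTTP/1.1
"""

# Placeholder addresses (RFC 5737 documentation ranges), assumed for the example.
TERMINAL_IPS = {"192.168.1.50"}
ACQUIRER_HOSTS = {"198.51.100.20"}

LINE_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+) (\w+) (\S+) HTTP/(\S+)$")


def find_rogue_posts(log_text, terminal_ips=TERMINAL_IPS, acquirer_hosts=ACQUIRER_HOSTS):
    """Return one finding per POST from a terminal to a non-acquirer host.

    A plaintext (port 80) POST is recorded as an extra reason: a terminal
    talking to a real acquirer should not send card data unencrypted.
    """
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than abort the scan
        ts, src, dst, port, method, path, version = m.groups()
        if src not in terminal_ips or method != "POST":
            continue  # only outbound POSTs from known terminals matter here
        reasons = []
        if dst not in acquirer_hosts:
            reasons.append("destination is not an allowlisted acquirer host")
        if port == "80":
            reasons.append("plaintext HTTP (port 80)")
        if reasons:
            findings.append({"time": ts, "terminal": src, "server": dst,
                             "path": path, "http": version, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_rogue_posts(SAMPLE_LOG):
        print(f["time"], f["terminal"], "->", f["server"], f["path"], "; ".join(f["reasons"]))
```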
Why have we not (yet) observed the client-server based POS terminal skimmer concept in Sweden (or elsewhere)?
Some possible reasons…

Requires:
– physical access to network infrastructure
– application server
Optionally also*:
– server programming skills and server hosting service
– model-specific POS terminal programming knowledge
– network traffic analysis skills
– additional network equipment

*) Hiring corporate services on Darknet, freelancer.com etcetera might be a solution…
Case background

• Police case1, Nov 2013 → NFC (prev. SKL2,3), May 2014
• CREON4 by Spectra Technologies Holding Co. Ltd.
• Not used as EMV payment terminal in Sweden
• No documentation
• Firmware: Creon 2.81
• Ethernet communication (RJ45)

Photo: Marcus Andræ, NFC

1 Case number 1302-K26354-13, 2 Case number 2014006856, 3 Thomas Adolfsson (THOK), case co-analyser
4 http://www.spectratech.com/home.aspx/348
Analysis steps

1. Creon [LAN, DHCP] → [anonymous Internet connection] → host
2. Creon ←[data traffic recording]→ host
3. Invalid Terminal Id
4. Emulation of Creon data
   4.1 Altered POST data → WAN host
   4.2 Recording of host response
5. Validation of host response
Validation of host response

Mimicking a server:
• Closed local-area network (LAN)
• Web server1
• DHCP server2
• Network traffic monitoring3

1 Initially: Slackware Linux 14.1, Apache HTTP Server 2.4
2 Alt. 1: WiFi router | Alt. 2: Linux (isc-dhcpd-4.3)
3 Ethernet hub, Wireshark version 12+
The development of a working client-server based POS terminal skimmer

…TO A PROOF-OF-CONCEPT
Mastering the Creon POS terminal LCD contents

Dissecting and functionality mapping the instructions:
• <meta tags> similar to <HTML> tags
• Dedicated menu structure
• Some important <meta tag> functions
  – input from magnetic stripe reader (track 2)
  – controlling the receipt printer contents
  – alphanumeric input or number-only input
• Mandatory HTML POST data sent to server
Validated network topologies

Three topologies were validated:
1. Web server and DHCP server connected to the POS terminal through a network hub
2. Web server and DHCP server connected to the POS terminal through a network switch or hub
3. Wireless: web server connected to the POS terminal through a wireless router, which also acts as DHCP server
Development prerequisites

Web server environment
• Linux OS1, HTTP Server2, SQL database3, PHP4 (a.k.a. LAMP)
• DHCP server5a,5b
Programming and debugging tools
• Text editor6, SQL database admin tool7
  – Back-end engine: main functions, database storage
  – Front-end web interface
• Network traffic monitoring8,9

1 Slackware Linux 14.1, 2 Apache HTTP Server 2.4, 3 MariaDB 10.0, 4 PHP 5.6, 5a Alt. 1: WiFi router (D-Link DI-524, Dovado 4GR) | 5b Alt. 2: Linux (isc-dhcpd-4.3), 6 kwrite 4.14, 7 phpMyAdmin 4.0, 8 Netgear Ethernet Hub EN108TP, 9 Wireshark 1.12 | Software beta testing credits: Thomas Adolfsson (THOK)
Some features

Card data handling:
• Track 2 data
• Year/Month validity
  – Card type2: Visa/MasterCard/AMEX
• Luhn checksum1 calculation
• VAT calculation codes3
• Web interface (concealed)
• Discard non-banking cards

Receipt printouts:
• POS terminal printer and web interface
• Mimic EMV 4 terminal chip response

1 Check digit, ISO/IEC 7812-1
2 Major industry identifier (MII), ISO/IEC 7812-1; Application identifier (AID), ISO/IEC 7816-4
3 EMV 4.3 Book 3, Annex C
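As an added example that is not from the presentation: the ISO/IEC 7812-1 checks referenced in footnotes 1 and 2 (Luhn check digit and major industry identifier), written as a forensic examiner would use them to judge whether numbers recovered from a seized server database are plausible banking-card PANs. The sample numbers are the publicly documented scheme test PANs, and the scheme prefix table is an assumption that covers only the three schemes the slide names, as they were assigned in 2015.

```python
"""ISO/IEC 7812-1 checks for card numbers found in evidence (added example).

Sample PANs are publicly documented scheme test numbers, not real cards.
"""

# ISO/IEC 7812-1 major industry identifier (MII): the first digit of the PAN.
MII_CATEGORIES = {
    "0": "ISO/TC 68 and other industry assignments",
    "1": "airlines",
    "2": "airlines and other industry assignments",
    "3": "travel and entertainment",
    "4": "banking and financial",
    "5": "banking and financial",
    "6": "merchandising and banking/financial",
    "7": "petroleum",
    "8": "healthcare and telecommunications",
    "9": "national assignment",
}


def luhn_valid(pan: str) -> bool:
    """True if the last digit is a correct ISO/IEC 7812-1 (Luhn) check digit."""
    if not pan.isdigit() or len(pan) < 2:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the check digit
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def card_scheme(pan: str):
    """Prefixes assumed for the three schemes the slide names (2015 ranges)."""
    if pan.startswith("4"):
        return "Visa"
    if pan[:2] in {"51", "52", "53", "54", "55"}:
        return "MasterCard"
    if pan[:2] in {"34", "37"}:
        return "AMEX"
    return None


def classify(pan: str) -> dict:
    """What ISO/IEC 7812-1 lets an examiner say about a recovered number."""
    pan = pan.replace(" ", "")
    return {"pan": pan, "luhn_valid": luhn_valid(pan),
            "mii": MII_CATEGORIES.get(pan[:1], "unknown"),
            "scheme": card_scheme(pan)}
```

A record that fails the Luhn check or carries a non-banking MII is unlikely to be a usable card number, which is exactly the sort of filtering the PoC's "discard non-banking cards" feature performed on the attacker's side.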
Flaws – due to no development documentation

• Long time to boot the software (if successful)
• Slow server connection
• Creon only supports HTTP/1.0
• Cannot hide PIN (****)
• Cannot get input from track 1
• Sometimes unpredictable output results
SUMMARY
Client-server based POS terminal skimmer

Pros:
• Leaves almost no traces
• No revealing software
• No card data is found
• Server can be located far away
• Remote controlled contents
• Web servers → mobile devices
• False receipt printouts → tax deduction frauds

Cons:
• Need of network access/control
• Requires a server
• Does not read chip
• Is less convincing in countries where EMV 4 is fully implemented
Moreover

• The client-server concept has not yet been observed in Sweden
  – nor reported within the Europol co-operation
• The concept is still valid in countries that have not (fully) implemented the EMV* standard
• Forcing a magnetic stripe fallback is possible

*) Current version EMV 4.3, see http://emvco.com
johnny.bengtsson@polisen.se

Photo: Marcus Andræ, NFC

LIVE DEMONSTRATION