Proof of Concept: Turning A Legitimate Electronic Voucher Distribution Terminal Into A Client-Server Based POS Terminal Skimming Device
Agenda
What defines a skimmer?
Photo: Marcus Andræ, NFC
Three identified categories
Old-school POS terminal skimmers*
*) First examinations in 2006, case numbers: 2006007262, 2006007436, 2006009812, 2006011343, 200614406
Regular system vs old-school
Regular procedure
Ghost POS terminal skimmers*
Regular procedure
Client-server based POS terminal skimmer
Regular system vs client-server based
Regular procedure
Some possible reasons…
Requires
– physical access to network infrastructure
– application server
Optionally also*
– server programming skills and server hosting service
– model specific POS terminal programming knowledge
– network traffic analysis skills
– additional network equipment
Analysis steps
Validation of host response
Mimicking a server
• Closed local-area network (LAN)
• Web server (1)
• DHCP server (2)
• Network traffic monitoring (3)
(1) Initially: Slackware Linux 14.1, Apache HTTP Server 2.4
(2) Alt. 1: WiFi router | Alt. 2: Linux (isc-dhcpd-4.3)
(3) Ethernet hub, Wireshark 1.12+
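The lab sketched above (closed LAN, a web server standing in for the real host, a DHCP server to hand the terminal its settings, and a hub plus Wireshark to watch the exchange) can be reproduced in miniature with a recording mock host. The following is an added example and not the deck's own Apache/PHP/MariaDB setup: it assumes the terminal talks HTTP and POSTs to a path such as /host, and the request and response bodies are constructed placeholders, not the real host protocol. The point it shows is the "validation of host response" step itself: every request the terminal sends is recorded, and the reply for each path is under your control, so you can vary the answer and observe which responses the terminal accepts.

```python
"""Recording mock host for the 'mimicking a server' step (added example, not
from the deck). Assumptions not stated on the slides: the terminal speaks HTTP
and POSTs to a path such as /host; payloads below are constructed placeholders."""
import socketserver
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen


class RecordingHandler(BaseHTTPRequestHandler):
    """Stores each request on the server object and replies from its table."""

    def log_message(self, fmt, *args):
        # Silence per-request console logging; requests are recorded instead.
        pass

    def _serve(self):
        length = int(self.headers.get("Content-Length", "0"))
        body = self.rfile.read(length) if length > 0 else b""
        with self.server.lock:
            self.server.requests.append((self.command, self.path, body))
        status, reply = self.server.responses.get(
            self.path, (self.server.default_status, self.server.default_reply))
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(reply)))
        self.end_headers()
        self.wfile.write(reply)

    do_GET = _serve
    do_POST = _serve


class RecordingHost(HTTPServer):
    """HTTP server whose replies come from `responses`: {path: (status, bytes)}.
    Unknown paths get (default_status, default_reply), so the terminal's
    reaction to an unexpected answer can be tested as well."""

    def __init__(self, responses, default_status=404, default_reply=b"",
                 host="127.0.0.1", port=0):
        super().__init__((host, port), RecordingHandler)
        self.responses = dict(responses)
        self.default_status = default_status
        self.default_reply = default_reply
        self.requests = []            # (method, path, body) in arrival order
        self.lock = threading.Lock()

    def server_bind(self):
        # Bind without HTTPServer's reverse-DNS lookup of our own address,
        # which can stall on a closed LAN with no resolver.
        socketserver.TCPServer.server_bind(self)
        self.server_name, self.server_port = self.server_address[:2]

    @property
    def url(self):
        host, port = self.server_address[:2]
        return f"http://{host}:{port}"

    def start(self):
        threading.Thread(target=self.serve_forever, daemon=True).start()
        return self

    def stop(self):
        self.shutdown()
        self.server_close()


def send_terminal_request(url, path, body):
    """Stand-in for the terminal in a self-test: POST `body`, return (status, reply).
    Against a real terminal you would instead point its host address (via the
    DHCP server or the terminal's own configuration) at the mock host."""
    req = Request(url + path, data=body, method="POST")
    try:
        with urlopen(req, timeout=5) as resp:
            return resp.status, resp.read()
    except HTTPError as err:
        return err.code, err.read()


def demo():
    """Run one accepted and one unexpected exchange; return both plus the log."""
    # Constructed host reply; the real host's message format is not known here.
    host = RecordingHost({"/host": (200, b"RESULT=00;MSG=APPROVED")}).start()
    try:
        approved = send_terminal_request(host.url, "/host", b"AMOUNT=1000;TERM=0001")
        unknown = send_terminal_request(host.url, "/other", b"AMOUNT=1000;TERM=0001")
        return approved, unknown, list(host.requests)
    finally:
        host.stop()


if __name__ == "__main__":
    print(demo())
```

In the lab this replaces the Apache side: the `responses` table is the knob you turn while watching the terminal's LCD and the hub capture, and `requests` is the record of exactly what the terminal sent for each variant of the reply.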
The development of a working client-server based POS terminal skimmer
…TO A PROOF-OF-CONCEPT
Mastering the Creon POS terminal LCD contents
Validated network topologies
Development prerequisites
(1) Slackware Linux 14.1
(2) Apache HTTP Server 2.4
(3) MariaDB 10.0
(4) PHP 5.6
(5a) Alt. 1: WiFi router (D-Link DI-524, Dovado 4GR) | (5b) Alt. 2: Linux (isc-dhcpd-4.3)
(6) kwrite 4.14
(7) phpMyAdmin 4.0
(8) Netgear Ethernet Hub EN108TP
(9) Wireshark 1.12
Software beta testing credits: Thomas Adolfsson (THOK)
Some features
Flaws (due to the lack of development documentation)
SUMMARY
Client-server based POS terminal skimmer
Pros
• Leaves almost no traces
• No revealing software
• No card data is found
• Server can be located far away
• Remote controlled contents
• Web servers → mobile devices
• False receipt printouts → tax deduction frauds
Cons
• Need of network access/control
• Requires a server
• Does not read chip
• Is less convincing in countries where EMV 4 is fully implemented
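The "cons" above are also where a defender gets traction: the skimmer leaves no software or card data on the terminal, but it cannot work unless the terminal reaches an attacker-controlled server, and in the lab setup a DHCP server is one way of steering it there. The following is an added example, not from the deck, of the two network-side checks that follow from that: flag any terminal flow to a host outside the payment-host allowlist, and flag any DHCP reply to a terminal from a server that is not the authorized one. The log format is constructed for the example; a real deployment would feed firewall and DHCP-snooping logs into the same logic.

```python
"""Egress and DHCP audit for POS terminals on a store LAN (added example, not
from the deck). The log format below is constructed for this example."""
from dataclasses import dataclass
import ipaddress

# Constructed sample log: "<time> <kind> <src> <dst> <dport>", where kind is
# "flow" (a terminal-originated TCP flow) or "dhcp" (a server -> client reply).
SAMPLE_LOG = """\
2016-03-01T09:00:01 flow 10.10.20.15 192.0.2.10 443
2016-03-01T09:00:07 dhcp 10.10.20.1 10.10.20.15 68
2016-03-01T09:02:11 flow 10.10.20.15 203.0.113.44 80
2016-03-01T09:02:12 dhcp 10.10.20.99 10.10.20.15 68
2016-03-01T09:03:00 flow 10.10.20.40 192.0.2.10 443
"""


@dataclass(frozen=True)
class Alert:
    time: str
    terminal: str
    kind: str
    detail: str


def parse_log(text):
    """Parse the constructed log into (time, kind, src, dst, dport) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        time, kind, src, dst, dport = line.split()
        events.append((time, kind, src, dst, int(dport)))
    return events


def audit(events, terminal_net, allowed_hosts, authorized_dhcp):
    """Return alerts for (a) terminal flows to any host outside the payment-host
    allowlist and (b) DHCP replies to a terminal from a non-authorized server."""
    net = ipaddress.ip_network(terminal_net)
    alerts = []
    for time, kind, src, dst, dport in events:
        if kind == "flow" and ipaddress.ip_address(src) in net:
            if dst not in allowed_hosts:
                alerts.append(Alert(time, src, "unexpected-host", f"{dst}:{dport}"))
        elif kind == "dhcp" and ipaddress.ip_address(dst) in net:
            if src not in authorized_dhcp:
                alerts.append(Alert(time, dst, "rogue-dhcp", src))
    return alerts


def audit_sample():
    """Run the audit over the constructed log: terminals live in 10.10.20.0/24,
    the only legitimate host is 192.0.2.10, the only DHCP server 10.10.20.1."""
    return audit(parse_log(SAMPLE_LOG), "10.10.20.0/24",
                 {"192.0.2.10"}, {"10.10.20.1"})


if __name__ == "__main__":
    for alert in audit_sample():
        print(alert)
```

On the sample the second flow (terminal 10.10.20.15 to 203.0.113.44 on port 80) and the DHCP reply from 10.10.20.99 are flagged, which is exactly the footprint a relocated server and a substituted DHCP server would leave, even when the terminal itself looks clean.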
Moreover
LIVE DEMONSTRATION