Cloned Boy
Below is the most detailed, in-depth and educational analysis of POS (Point of Sale) vulnerabilities, aimed at carders. The material covers technical, physical, architectural and process aspects, including real-life examples, testing methods and protection strategies.
Deep analysis of POS (Point of Sale) system vulnerabilities
Educational Guide to Payment Terminal Cybersecurity
1. What is a POS system? Classification and architecture
1.1 Definition
POS (Point of Sale) is a system for processing financial transactions in retail, restaurants, transport and other sectors. It comprises hardware, software and network connectivity that interacts with the banking payment systems.
1.2. Types of POS systems
TYPE | DESCRIPTION | EXAMPLES |
---|---|---|
Terminal (Standalone) | Standalone devices (Ingenico, Verifone) | Move 5000, Vx690 |
Hybrid (POS + PC) | Windows PC + external terminal | Restaurants, supermarkets |
Mobile (mPOS) | Smartphone/tablet + card-reader dongle | SumUp, iZettle |
Cloud (Cloud POS) | Data is stored in the cloud | Shopify POS, Lightspeed |
Hybrid and mPOS systems are the most exposed, because they run general-purpose operating systems (Windows, Android) that are susceptible to malware: the card reader itself may be PTS-certified, but the host it plugs into is not.
2. Architecture of a typical POS system
Code:
[Card] → [Chip/Magnetic Stripe]
        ↓
[POS Terminal/Cash Register Software]
        ↓
[Encryption (DUKPT, TLS)]
        ↓
[Processing Center (Acquirer)]
        ↓
[Issuing Bank]
Note that in a PTS-approved terminal the card data is encrypted inside the secure element before it leaves the device. When encryption happens only at the cash-register software stage, as drawn above, the PC sees the plaintext PAN (see 8.1).
Key components:
COMPONENT | FUNCTION | THREATS |
---|---|---|
Secure Element (SE) | Storing keys, performing cryptography | Physical access, side-channel attacks |
HSM (Hardware Security Module) | Generating and protecting keys | Compromise due to improper use |
EMV reader | Data exchange with the chip | Skimming, MITM at the bus level |
Terminal OS | Process management | Vulnerabilities, malware |
Network | Data transfer | Interception, MITM, DoS |
3. Why are POS systems a high priority target?
3.1. What do criminals steal?
- PAN (Primary Account Number), the card number.
- Track Data, the magnetic-stripe contents (Track 1, Track 2).
- Expiry date, cardholder name.
- Rarely, the PIN, and then via a fake keypad or camera rather than from the terminal, since the PIN block is encrypted inside a PTS-approved PIN pad.
This data is sold on the darknet for $5 to $50 per card and is used for:
- Cloning (magnetic stripe only).
- Fraudulent online purchases (CNP - Card Not Present).
3.2. Economic motivation
- One successful attack can give access to thousands of cards.
- Example: Target attack (2013) - 40 million cards leaked, damage > $200 million.
4. Vulnerability classification (according to OWASP and NIST)
LEVEL | VULNERABILITY | DESCRIPTION |
---|---|---|
Physical | Skimming, Tampering | Direct access to the device |
Software | Malware, RCE, backdoors | Malware, exploits |
Network | MITM, Sniffing, Open Ports | Traffic interception |
Configuration | Weak passwords, encryption disabled | Administrator errors |
Process | No updates, third party access | Organizational miscalculations |
Architectural | No segmentation, hybrid systems | Systemic weaknesses |
Part 1: Physical Vulnerabilities
4.1. Skimming (Reading data)
How it works:
- The attacker installs an external device on the card reader.
- When you insert a card, the data from the magnetic stripe is copied.
- A fake keypad or mini camera is often used to collect the PIN.
Types of skimmers:
TYPE | DESCRIPTION |
---|---|
External | Fits over the original reader |
Interior | Installed inside the case |
Deep Insert | Inserts deep into the slot - almost invisible |
Protection: regular inspection, anti-tamper sensors, tamper-evident seals and asset tags.
4.2. Tampering (Physical Intervention)
Objectives:
- Access to data buses (UART, SPI, I2C).
- Connecting to JTAG for memory dump.
- Extracting Secure Element.
Example of attack:
- Opening the case.
- Connecting to UART port.
- Reading logs or RAM dump.
- Search for keys or PAN.
Protection:
- Anti-tamper sensors (when opened, keys are erased).
- Tamper-evident seals and potted (epoxy-encapsulated) components.
- Physical blocking of connectors.
Part 2: Software Vulnerabilities
5.1. POS-Malware: how it works
Attack stages:
- Infection:
- Via USB flash drive.
- Via network (eg RDP, SMB).
- Through software update.
- Searching for data in memory (RAM scraping):
- Malware scans process memory for PANs.
- The PAN sits in memory in clear text for milliseconds during processing, which is enough.
- Extraction and transfer:
- The data is packaged and sent to the C&C server.
Known examples:
MALWARE | PECULIARITIES |
---|---|
BlackPOS | Attack on Target, used RAM-scraping |
Night | Traffic encryption, stealth |
NewPosThings | Active in Asia, uses DLL injections |
The PAN is not stored on disk, but it passes through RAM in clear text during processing, and that is enough.
5.2. Vulnerabilities in software and firmware
Common problems:
- Hardcode keys in firmware.
- Unsecured APIs for integration.
- Weak or legacy encryption (single DES instead of TDES/AES).
- No updates (EOL devices).
CVE examples:
- The identifiers given in the original post do not hold up: CVE-2018-10873 is a buffer overflow in the SPICE remote-display protocol and CVE-2019-3560 is a denial-of-service bug in Facebook's Fizz TLS library, neither of them POS software, and CVE-2020-14528 could not be matched to a Verifone advisory.
- Before citing a CVE for a terminal, look up the exact model and firmware version in the NVD and in the vendor's security bulletins (Verifone, Ingenico).
Firmware analysis is a key stage of pentesting.
Part 3: Network Vulnerabilities
6.1. Traffic interception (Sniffing)
Conditions:
- POS uses Wi-Fi without encryption.
- TLS is not used, or the client does not validate the server certificate (self-signed certificates accepted, hostname not checked).
Tools:
- Wireshark.
- tcpdump.
- Ettercap (for MITM).
Solution: TLS 1.2 or newer, with certificate validation (chain and hostname) enforced on the terminal side.
6.2. MITM attacks
Scenario:
- The attacker replaces the gateway.
- Intercepts requests for processing.
- May modify the amount or redirect data.
Protection: TLS with strict certificate validation and pinning of the acquirer's certificate or CA, mutual TLS where the host supports it. With EMV the transaction amount is also covered by the card's ARQC cryptogram and the authorization message can carry a MAC, so an altered amount fails at the host or issuer. HSTS and DANE are browser and DNS mechanisms and do not apply to a terminal's fixed host connection.
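The two points above (certificate validation in 6.1, pinning against a replaced gateway in 6.2) are easiest to see in client code. The block below is an added example, not code from the original post: the weak configuration many legacy integrations shipped next to the corrected one, plus a pin check on the certificate the server actually presented. The pin value is a placeholder assumption, and host/port are parameters you supply; the pin is on the full DER certificate (SHA-256) because the standard library has no ASN.1 parser to extract the SPKI.

```python
import hashlib
import socket
import ssl
from typing import Optional, Set

# Pin set: SHA-256 of the acquirer's DER-encoded certificate, obtained out of band.
# The value below is a placeholder (assumption), not a real acquirer fingerprint.
PINNED_CERT_SHA256: Set[str] = {
    "0000000000000000000000000000000000000000000000000000000000000000",
}


def weak_context() -> ssl.SSLContext:
    """The configuration seen in many legacy integrations: any certificate,
    any protocol version. An attacker who replaces the gateway is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """TLS 1.2 or newer, chain validation against the system store (or the
    acquirer CA bundle passed as cafile) and hostname verification."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def cert_fingerprint(der: bytes) -> str:
    """Hex SHA-256 of a DER certificate, the value compared against the pin set."""
    return hashlib.sha256(der).hexdigest()


def cert_matches_pin(der: bytes, pins: Set[str]) -> bool:
    return cert_fingerprint(der) in pins


def connect_pinned(host: str, port: int, pins: Set[str], timeout: float = 5.0) -> str:
    """Open a chain-validated TLS connection and additionally enforce the pin.
    Returns the negotiated protocol version; raises on any failure, so a
    replaced gateway with a valid-but-different certificate is still refused."""
    ctx = hardened_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            if der is None or not cert_matches_pin(der, pins):
                raise ssl.SSLError("server certificate is not in the pin set")
            return tls.version()


if __name__ == "__main__":
    # Usage: connect_pinned("gateway.example", 443, PINNED_CERT_SHA256)
    print("hardened minimum version:", hardened_context().minimum_version.name)
```

Pin rotation is the operational cost: keep two fingerprints in the set (current and next) so the acquirer can roll its certificate without bricking the terminal fleet.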
6.3. Open ports and services
PORT | SERVICE | RISK |
---|---|---|
21 | FTP | Transferring data without encryption |
23 | Telnet | Login in clear text |
139/445 | SMB | SMBv1 exploits (EternalBlue) |
3389 | RDP | Brute force, BlueKeep (CVE-2019-0708) |
Recommendation: close all unnecessary ports, use a firewall.
Part 4: Configuration and Process Vulnerabilities
7.1 Weak Passwords and Accounts
- Standard logins: admin:admin, service:1234.
- No MFA to access settings.
7.2. Missing updates
- The devices have not been updated for years.
- EOL (End of Life) models are used.
7.3. Third Party Access
- Service engineers can:
- Install malware.
- Copy configurations.
- Connect to the terminal via USB.
Solution: logging of all actions, restriction of rights, access audit.
Part 5: Architectural Vulnerabilities
8.1. Hybrid systems (POS + PC)
Problem:
- Card → terminal → data passed to the PC → sent to processing.
- If the PC is infected, the data is intercepted before it is encrypted.
Solution: End-to-End Encryption (E2EE) or a PCI-listed Point-to-Point Encryption (P2PE) solution, where the PTS-approved PIN pad encrypts the card data before it reaches the PC, so the cash-register software only ever sees ciphertext or a token.
8.2 No network segmentation
Risks:
- Compromise of office PC β access to POS network.
- Distribution of ransomware.
Solution:
- VLAN for POS.
- Separate firewall.
- No direct Internet access from the POS VLAN; only allow-listed destinations via a proxy.
Part 6: Standards and Regulations
9.1. PCI DSS v4.0 (2022)
12 requirements, including:
- Req 3: Protection of stored account data (do not store the PAN).
- Req 4: Data transmission encryption.
- Req 6: Software update.
- Req 11: Vulnerability Scanning.
- Req 12: Security Policies.
Non-compliance: fines from the card brands, passed down by the acquirer; commonly cited figures range from $5,000 to $100,000 per month, and a breach adds forensic, card-reissue and liability costs on top.
9.2. PCI PTS (PIN Transaction Security)
Requirements for hardware terminals:
- Protection from physical access.
- Secure boot.
- Cryptographic isolation.
- Certification of cryptomodules.
Part 7: POS Security Testing Methodology
Pentest stages:
1. Reconnaissance
- Identify the terminal models.
- Review documentation (datasheets, firmware).
2. Network scanning
Bash:
nmap -sV -p- 192.168.1.0/24
3. Firmware analysis
- Extracting an image (via UART, JTAG, SD card).
- Parsing with Binwalk:
Bash:
binwalk -e firmware.bin   # -e extracts the file systems and archives it identifies
- Search for strings, keys, backdoors:
Bash:
strings -n 8 firmware.bin | grep -iE "password|key|secret"
4. Reverse engineering
- Using Ghidra or IDA Pro to analyze code.
- Vulnerability detection: buffer overflow, insecure crypto.
5. Memory analysis
- RAM dump during transaction.
- Finding PAN candidates with a regular expression (unanchored, since the PAN sits between arbitrary bytes in a dump; confirm every hit with a Luhn check to discard serial numbers and timestamps):
Code:
(?<![0-9])(?:4[0-9]{12}(?:[0-9]{3})?|5[1-5][0-9]{14})(?![0-9])
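The RAM-scraping mechanism in 5.1 and this memory-analysis step come down to the same search, so one worked example serves both. It is added for this edit and is not code from the original post: a scanner that runs the unanchored pattern over a dump, validates each candidate with Luhn, and masks the result for the report. The dump bytes are constructed test data (published test card numbers, no real cardholder data); offsets are returned so you can map a hit back to the owning process region in a Volatility memory dump.

```python
import re
import sys
from typing import List, Tuple

# Constructed memory-dump fragment (not a real capture). The card numbers are
# published test numbers: 4111111111111111 (Visa) and 5500000000000004
# (Mastercard) pass Luhn; 4111111111111112 fails it, and the 18-digit serial
# must not be reported at all.
SAMPLE_DUMP = (
    b"\x00\x00POS_TXN\x00amount=1999\x00pan=4111111111111111\x00exp=2612\x00"
    b"\x00junk4111111111111112junk\x00"
    b"\x00track2=;5500000000000004=26121010000000000000?\x00"
    b"\x00serial=123456789012345678\x00"
)

# Unanchored pattern: in RAM the PAN sits between arbitrary bytes, so ^ and $
# would never match. Visa 13/16 digits, Mastercard 51-55 with 16 digits; the
# lookarounds stop partial matches inside longer digit runs (the serial above).
PAN_RE = re.compile(rb"(?<![0-9])(?:4[0-9]{12}(?:[0-9]{3})?|5[1-5][0-9]{14})(?![0-9])")


def luhn_ok(digits: str) -> bool:
    """ISO/IEC 7812 check digit: doubles every second digit from the right.
    Rejects about 90% of random digit runs of PAN length."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """PCI DSS display masking: at most the first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_pans(dump: bytes) -> List[Tuple[int, str]]:
    """Return [(offset, masked PAN)] for every Luhn-valid candidate in the dump.
    Never return or log the full PAN: the scan output is itself cardholder data."""
    hits = []
    for m in PAN_RE.finditer(dump):
        pan = m.group(0).decode("ascii")
        if luhn_ok(pan):
            hits.append((m.start(), mask_pan(pan)))
    return hits


if __name__ == "__main__":
    # Usage: python pan_scan.py memdump.bin   (falls back to the sample dump)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_DUMP
    for off, masked in find_pans(data):
        print(f"0x{off:08x} {masked}")
```

Two caveats a real engagement hits: some cash-register software keeps the PAN as UTF-16 or EBCDIC rather than ASCII, so run the scan again on a decoded copy of the dump, and a Luhn pass is still only a candidate, not proof, until you tie the offset to the process that handled the transaction.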
6. Physical test
- Tampering check.
- Connecting to UART to read logs.
Part 8: Defense Strategies
LEVEL | MEASURE |
---|---|
Physical | Anti-tamper sensors, cameras, regular audit |
Network | VLAN, firewall, TLS, internet ban |
Software | EDR, antivirus, regular updates |
Data | P2PE, tokenization, no PAN storage |
Processes | Training, policies, access audit |
Monitoring | SIEM, anomaly detection (e.g. many transactions per second) |
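The Monitoring row's "many transactions per second" is the one detection on this page that can be shown end to end. The block below is an added example, not code from the original post: a per-terminal sliding-window counter run over constructed log lines, reporting the transaction and decline counts at the moment a terminal crosses the threshold. The log line format, terminal IDs, and thresholds are assumptions for the example; map your gateway's or cash-register's log fields onto the same tuple.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone
from typing import List, Optional, Tuple

# Constructed sample log (not from a real system). T01 is normal trade; T02 shows
# 12 low-value declines in 22 seconds across 12 different cards, the signature of
# card testing through a compromised or abused terminal.
SAMPLE_LOG = [
    "2024-05-03T10:15:01Z term=T01 amt=12.50 pan_last4=1111 result=APPROVED",
    "2024-05-03T10:18:40Z term=T01 amt=48.00 pan_last4=0004 result=APPROVED",
    "2024-05-03T10:22:05Z term=T01 amt=7.99 pan_last4=9424 result=APPROVED",
] + [
    f"2024-05-03T10:30:{s:02d}Z term=T02 amt=1.00 pan_last4={1000 + s:04d} result=DECLINED"
    for s in range(0, 24, 2)
]

# Assumed line format: ISO-8601 UTC timestamp, terminal id, amount, last four, result.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) term=(?P<term>\S+) "
    r"amt=(?P<amt>\d+(?:\.\d+)?) pan_last4=(?P<l4>\d{4}) result=(?P<res>\S+)$"
)


def parse_line(line: str) -> Optional[Tuple[datetime, str, float, str, str]]:
    """Parse one log line; None for lines that do not match (count those separately)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["term"], float(m["amt"]), m["l4"], m["res"]


def detect_velocity(lines, window_s: int = 60, max_txn: int = 10) -> List[Tuple[str, str, int, int]]:
    """Sliding-window count per terminal over time-ordered lines. Returns one alert
    per terminal, (terminal, iso timestamp, transactions in window, declines in
    window), emitted the first time the window holds more than max_txn entries."""
    windows = defaultdict(deque)   # term -> deque of (timestamp, result)
    alerted = set()
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, term, _amt, _l4, res = rec
        q = windows[term]
        q.append((ts, res))
        while (ts - q[0][0]).total_seconds() > window_s:   # drop entries older than window
            q.popleft()
        if len(q) > max_txn and term not in alerted:
            declines = sum(1 for _, r in q if r != "APPROVED")
            alerts.append((term, ts.isoformat(), len(q), declines))
            alerted.add(term)
    return alerts


if __name__ == "__main__":
    for term, when, count, declines in detect_velocity(SAMPLE_LOG):
        print(f"ALERT {term} at {when}: {count} txns in window, {declines} declined")
```

The decline count is what separates a busy checkout from card testing: a legitimate terminal doing 11 sales a minute approves nearly all of them, while a terminal being used to validate stolen numbers declines most. Feed the same tuples into a SIEM rule and tune window_s and max_txn per merchant type rather than fleet-wide.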
Part 9: Useful Resources
Documentation: PCI DSS v4.0 and the PCI PTS POI requirements from the PCI Security Standards Council.
Tools:
- Wireshark, Nmap, Metasploit
- Volatility - Memory Dump Analysis
- Proxmark3 - RFID Research (Training)
- Ghidra - Reverse Engineering by NSA
Conclusion
POS systems are a bridge between the physical and digital worlds, and their security requires a multi-layered approach. Understanding the vulnerabilities allows you to:
- Conduct high-quality pentests.
- Develop secure architectures.
- Train staff.
- Comply with standards (PCI DSS).
If you want, I can:
- Prepare a lab exercise on analyzing Ingenico firmware.
- Create a POS audit checklist.
- Walk through real CVEs.
- Explain how P2PE and DUKPT work at the cryptographic level.
Write which direction you want to go deeper in.