Abstract

According to the Verizon 2018 Data Breach Investigations Report, 321 POS terminals (user devices) were involved in about 14% of the 2,216 data breaches in 2017 (Verizon, 2018). These breaches involved standalone POS terminals as well as their associated controller systems. This paper examines a standalone Point-of-Sale (POS) system of the kind ubiquitous in smaller retail stores and restaurants. An attempt was made to extract unencrypted data from the devices and to identify possible violations of the Payment Card Industry Data Security Standard (PCI DSS) requirement to protect stored cardholder data. The persistent storage (flash memory chips) was removed from the devices and its contents were successfully acquired. Information about the device and the code running on it was extracted, although no PCI DSS data storage violations were identified. The confirmation that the POS systems examined keep payment card information encrypted is welcome news, as payment cards are still very much in use in our daily activities.
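The review described in the abstract, looking for unencrypted cardholder data in an acquired flash image, can be automated. The following Python scanner is an added example written for this page, not code from the paper or from any POS vendor. It runs over a constructed sample dump (embedded inline; not data from a real device) and does two things a PCI DSS Requirement 3 review would want: it reports plaintext digit runs of PAN length that pass the Luhn check, masked to first six and last four digits, and it flags fixed-size blocks whose byte entropy is high enough to suggest ciphertext or compressed data rather than plaintext. The block size, entropy threshold and the 4111 1111 1111 1111 test number are assumptions chosen for the example.

```python
import math
import re
from collections import Counter

# Constructed sample "flash dump" for this example; it is not data from any
# real device. It holds a short text header, one Luhn-valid test PAN
# (4111 1111 1111 1111), one 16-digit run that fails Luhn, 0xFF erased-flash
# padding, and a 256-byte block in which every byte value occurs exactly once,
# standing in for an encrypted region.
_HEADER = (
    b"BOOT v1.0\x00\x00"
    + b"TRACK2=4111111111111111=2512\x00"
    + b"SERIAL=1234567890123456\x00"
)
SAMPLE_DUMP = _HEADER.ljust(256, b"\xff") + bytes((i * 73 + 17) % 256 for i in range(256))

# Maximal runs of 13 to 19 ASCII digits (the PAN lengths allowed by ISO/IEC 7812).
_DIGIT_RUN = re.compile(rb"(?<!\d)\d{13,19}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for pos, ch in enumerate(reversed(digits)):
        d = int(ch)
        if pos % 2 == 1:  # double every second digit counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Mask a PAN to first six / last four, the maximum PCI DSS allows to be displayed."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_candidate_pans(data: bytes):
    """Offsets and masked values of plaintext digit runs that pass Luhn."""
    hits = []
    for m in _DIGIT_RUN.finditer(data):
        run = m.group().decode("ascii")
        if luhn_valid(run):
            hits.append((m.start(), mask_pan(run)))
    return hits


def shannon_entropy(chunk: bytes) -> float:
    """Bits of entropy per byte; 8.0 means every byte value is equally likely."""
    if not chunk:
        return 0.0
    n = len(chunk)
    return -sum(c / n * math.log2(c / n) for c in Counter(chunk).values())


def high_entropy_regions(data: bytes, block: int = 256, threshold: float = 7.5):
    """Offsets of full blocks whose entropy suggests ciphertext or compressed data."""
    return [
        off for off in range(0, len(data), block)
        if len(data[off:off + block]) == block
        and shannon_entropy(data[off:off + block]) >= threshold
    ]


def scan_image(data: bytes) -> dict:
    """Summarise what a PCI DSS Requirement 3 review would want from a dump."""
    return {
        "plaintext_pans": find_candidate_pans(data),
        "high_entropy_blocks": high_entropy_regions(data),
    }


if __name__ == "__main__":
    report = scan_image(SAMPLE_DUMP)
    for off, masked in report["plaintext_pans"]:
        print(f"plaintext PAN candidate at 0x{off:06x}: {masked}")
    for off in report["high_entropy_blocks"]:
        print(f"high-entropy block at 0x{off:06x} (likely encrypted or compressed)")
```

On the sample dump the scanner reports one masked PAN candidate in the header and one high-entropy block; the 16-digit serial number is correctly ignored because it fails Luhn. On a real acquisition the digit-run search should be repeated over other encodings the firmware might use (packed BCD, UTF-16), and a high-entropy block is only a hint that data is encrypted, not proof, since compressed code produces the same signature.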

References

Amrichová, K., & Mézešová, T. (2019). A Secure String Class Compliant with PCI DSS. In CECC 2019: Proceedings of the Third Central European Cybersecurity Conference (Article 17, pp. 1–5). https://doi.org/10.1145/3360664.3360681

Binary Intelligence (2012). Chip Off Forensics for Almost Any Device. Retrieved 12 June 2020 from http://www.binaryintel.com/chip-forensics-device/

Binary Intelligence (2013). JTAG Forensics. Retrieved 12 June 2020 from http://www.binaryintel.com/services/jtag-chip-off-forensics/jtag-forensics/

Bodhani, A. (2014). Securing the sale. Engineering & Technology, 9(5), 36–40.

Cheney, J. (2010). Heartland Payment Systems: Lessons learned from a data breach. FRB of Philadelphia Payment Cards Center Discussion Paper, (10-1).

Cheney, J., Hunt, R., Jacob, K., Porter, R., & Summers, B. (2012). The efficiency and integrity of payment card systems: Industry views on the risks posed by data breaches. Economic Perspectives, 36(4).

Clapper, D., & Richmond, W. (2016). Small Business Compliance with PCI DSS. Journal of Management Information and Decision Sciences, 19(1), 54–67.

Frisby, W., Moench, B., Recht, B., & Ristenpart, T. (2012). Security Analysis of Smartphone Point-of-Sale Systems. In 6th USENIX Workshop on Offensive Technologies (WOOT '12), 6–7 August 2012, Bellevue, WA.

Golden Crystal (n.d.). Motorola 68000 CPU Opcodes. Retrieved 12 June 2020 from http://goldencrystal.free.fr/M68kOpcodes-v2.3.pdf

Gomzin, S. (2014). Hacking Point of Sale: Payment Application Secrets, Threats, and Solutions. John Wiley & Sons.

Guo, H., & Jin, B. (2010). Forensic analysis of skimming devices for credit fraud detection. In 2010 2nd IEEE International Conference on Information and Financial Engineering, 17–19 September 2010, Chongqing, China. https://doi.org/10.1109/ICIFE.2010.5609418

Hizver, J., & Chiueh, T. C. (2011). An introspection-based memory scraper attack against virtualized point of sale systems. In Financial Cryptography and Data Security (pp. 55–69). Springer, Berlin, Heidelberg.

Kidd, R. (2008). Counting the cost of non-compliance with PCI DSS. Computer Fraud & Security, 2008(11), 13–14.

Lueck, S. G. (2014). Point of Sale terminal security. Doctoral dissertation, Utica College. ProQuest Dissertations Publishing.

Manworren, N., Letwat, J., & Daily, O. (2016). Why you should care about the Target data breach. Business Horizons, 59(3), 257–266.

Morse, E., & Raval, V. (2008). PCI DSS: Payment card industry data security standards in context. Computer Law & Security Review, 24(6), 540–554.

PCI Security Standards Council (2018). PCI DSS Quick Reference Guide: Understanding the Payment Card Industry Data Security Standard version 3.2.1. Retrieved 12 June 2020 from https://www.pcisecuritystandards.org/documents/PCI_DSS-QRG-v3_2_1.pdf?agreement=true&time=1545342055082

Plachkinova, M., & Maurer, C. (2018). Teaching case: Security breach at Target. Journal of Information Systems Education, 29(1), 11.

Rees, J. (2010). The challenges of PCI DSS compliance. Computer Fraud & Security, 2010(12), 14–16.

Rodríguez, R. J. (2017). Evolution and characterization of point-of-sale RAM scraping malware. Journal of Computer Virology and Hacking Techniques, 13(3), 179–192.

Rogers, M. (2017). Technology and Digital Forensics. In M. R. McGuire & T. J. Holt (Eds.), The Routledge Handbook of Technology, Crime and Justice. Taylor & Francis.

Sarrafpour, B. A., Choque, R., Mitchell, B., & Mehdipour, F. (2019). Commercial Security Scanning: Point-on-Sale (POS) Vulnerability and Mitigation Techniques. In 2019 IEEE Intl Conf on Dependable, Autonomic and Secure Computing, Intl Conf on Pervasive Intelligence and Computing, Intl Conf on Cloud and Big Data Computing, Intl Conf on Cyber Science and Technology Congress (DASC/PiCom/CBDCom/CyberSciTech), Fukuoka, Japan (pp. 493–498). https://doi.org/10.1109/DASC/PiCom/CBDCom/CyberSciTech.2019.00099

Seaman, J. (2020). PCI DSS: An Integrated Data Security Standard Guide. Apress, Berkeley, CA. DOI https://doi.org/10.1007.

SECONS (2008). JTAG Pinouts. Retrieved 22 June 2020 from http://www.jtagtest.com/pinouts/

Sherstobitoff, R. (2008). Anatomy of a data breach. Information Security Journal: A Global Perspective, 17(5–6), 247–252.

Smith, D. (2014). Preventing Point-of-Sale System Intrusions. Master's thesis, Naval Postgraduate School, Monterey, CA. Retrieved 12 June 2020 from https://apps.dtic.mil/dtic/tr/fulltext/u2/a607543.pdf

Souvignet, T., & Frinken, J. (2013). Differential Power Analysis as a digital forensic tool. Forensic Science International, 230(1–3), 127–136.

Swauger, J. (2012). Chip-off Forensics. Retrieved 12 June 2020 from http://www.binaryintel.com/wp-content/uploads/2012/05/Chip-Off_Forensics_Article.pdf

Verifone (2012). Verifone Vx610 Download Instructions. Retrieved 11 June 2019 from https://hippocharging.zendesk.com/hc/en-us/article_attachments/200367705/07.30.12_-_Vx_Download_Instructions.pdf

Verizon (2018). 2018 Data Breach Investigations Report. Retrieved 11 June 2019 from https://www.verizonenterprise.com/resources/reports/rp_DBIR_2018_Report_en_xg.pdf
