‘Doom’ hack reveals more weak security in retail POS readers

A security researcher recently figured out how to install and play the classic first-person shooter video game Doom on point-of-sale credit card readers, the ubiquitous devices at store registers around the world that complete purchases when you swipe, tap, or insert your credit card.

While Nolan Ray’s hack isn’t going to blow up the POS world, it helps demonstrate the potential insecurities of our retail transactions.

At the annual hacker conference DefCon in July, Ray demonstrated his hack on the Verifone MX 925, a credit card reader still in use and receiving manufacturer updates. You can buy it on Amazon.com for less than $600. He began by unlocking the device with its default personal identification number, or PIN, which Ray says retailers—like consumers, with other Internet-connected devices—rarely change, due to laziness or a lack of guidance. More than 90 percent of POS readers rely on their default PIN for security, according to a 2015 study.

Once the terminal has been unlocked, any malicious hacker could access and steal data stored on the reader—or install a 25-year-old video game like Doom—wirelessly through a Wi-Fi or Bluetooth connection, or directly through its smart-card reader, or its USB or COM ports.

While you might not expect a store clerk to allow a malicious hacker to fiddle with a POS reader long enough to unlock or steal data from it, unmanned registers, especially at big chain stores, make for tantalizing targets. And as retailers increasingly rely on payment devices to process customer purchases and protect customer data, they need to become more vigilant than ever about the security at the register, Ray told The Parallax after his presentation.

“A lot of the classic breaches were actually going after the point-of-sale system, and now [retailers are] trying to move all of that card data off of those systems,” he says. A POS reader is “oftentimes a ‘black box’ to the retail chain,” he adds. Retailers are “just kind of taking vendor guarantees” about device security without verifying them.

Ray says Verifone “generally” has “excellent security,” and was “quick and responsive” when he told the company about his Doom hack, in accordance with responsible disclosure practices. But POS devices from various manufacturers have a long history of hacker exploitation. And although a number of high-profile retailers and financial institutions, including Equifax, Target, Home Depot, and J.P. Morgan, have acknowledged breaches over the past several years, he and other experts worry that manufacturers of POS readers aren’t sufficiently motivated to improve their devices’ security.

How much should we worry about hackers stealing our credit card information through a POS reader? The odds are low, says Ben Knieff, a financial-crimes consultant.

“When you consider the fact that there are millions of payments terminals, the chance of you getting hacked through any given one of them is very small,” he says. But that doesn’t make the threat less real.

The cost of credit card fraud, which includes hacked POS reader transactions, has been rising, Knieff says. Researchers for LexisNexis’ 2016 True Cost of Fraud Report found that every dollar lost to fraud cost merchants $2.40, 17 cents more than it did the prior year. Likewise, the monthly average of fraudulent transactions has increased, from 156 to 206 successful fraudulent purchases.

Charles Henderson, who leads IBM’s X-Force Red security testing team, presented an in-depth study on POS security in 2015 at the RSA Conference in San Francisco. His investigations at the time revealed much of what Ray was able to re-confirm at DefCon this year: POS readers are typically shipped with default PINs. They typically lack strong data encryption technology. And retailers’ typically lax security policies enable hackers to install malware on POS devices with relative ease.

“It’s amazing how many point-of-sale vendors don’t care about security. They view it as a magic box,” he says. “Many retailers spend more time picking out the color palette of their POS terminals than security-testing it. The retailers think the security testing has already been done.”

Retailers can take various steps to protect their POS readers and, by extension, their customers. The first step, Ray says, is to change the default PIN.

Knieff adds that before sliding their credit cards in POS readers, consumers should attempt to wiggle them. A loose or wobbly reader connection might indicate that a credit card skimmer was placed over the device. And Henderson stresses the importance of big-box retailers performing security tests on installed POS readers.

“I walk up to a point-of-sale reader and use my credit card every day. I do not carry cash. But that’s because I have faith in the credit card issuer, not the POS environment,” Henderson says. “A point-of-sale penetration test is a lot cheaper than a breach.”