On a recent visit to a local supermarket I noticed something new being displayed on the keypad before the transaction starts:
(“Did you know that you can remove the PIN pad to enter your PIN?”)
Picking up the keypad will allow the cardholder to align it such that bystanders, or the merchant, cannot observe the PIN as it is entered. On the one hand, this seems sensible (if we assume that the only way to get the PIN is by observation, no cameras are present, and that even more cardholder liability is the solution for card fraud). On the other hand, it also makes some attacks easier. For example, the relay attack we demonstrated earlier this year, where the crook inserts a modified card into the terminal, hoping that the merchant does not ask to examine it. Allowing the cardholder to move the keypad separates the merchant, who could detect the attack, from the transaction. Can I now hide the terminal under my jacket while the transaction is processed? Can I turn my back to the merchant? What if I found a way to tamper with the terminal? Clearly, this would make the process easier for me. We’ve been doing some more work on payment terminals and will hopefully have some more to say about it soon.
Handling the terminal is also good for helping cardholders detect a cleverly mounted tampered terminal, if they know what to look for (on occasion I examine terminals at shops but try not to seem too eager as I’m never sure if “it’s OK, I’m a researcher” would get me out of trouble). According to APACS‘ “Retailer advice“, terminal tampering is recognized as a very real threat (unfortunately, it assumes that merchants are universally honest). It is interesting to read that they actually recommend that merchants place a CCTV to cover the till area, but only such that the cardholder’s PIN cannot be observed. I wonder how that is reconciled with encouraging the cardholder to move the pad.
In this context I should mention that earlier this year we’ve seen Ingenico attempt at protecting against PIN observation by using “ViewSafe“, a magnifying glass mounted on top of the keypad such that the keys can only be viewed from the cardholder’s vantage point. The design has two main flaws, though. Firstly, the magnifying contraption is retractable when it should be fixed, and secondly, it provides a convenient setting for mounting a camera. The first trial was in our local Cambridge Boots store, so I had a few opportunities to see that none of the terminals had the magnifying glass in its “operational” state. I couldn’t find references to how successful the trials were and if these magnifying glasses are now more widely used.