Everyday security - Apparently anything can be a payment terminal.

May 13, 2014

The other day I bought something in an Apple store. They used an iPhone with a special case that included a barcode scanner as cash register. When I gave the cashier my PIN-and-chip debit card, she inserted it in the card reader slot of the case. She then handed the phone over to me to approve the transaction. For a moment I was afraid I had to enter my PIN code on the iPhone screen (that would have been totally insecure). But she turned the phone upside down, which revealed a PIN pad and small LCD display on the back of the case. I was surprised, suspicious even, and wondered: was this really any more secure?

Payment terminals like this must be certified. The certification ensures that the keyboard on which you enter your PIN is secure. In particular this ensures the PIN code cannot be eavesdropped or recovered and recorded in some other way. Certification also ensures that the information presented in the LCD display can be trusted.

Payment processors (to which such terminals connect in order to process a transaction) must ensure that only certified terminals are used in shops, because an ordinary user has no way to tell. Especially since anything can be a certified payment terminal apparently: if an iPhone with a special case can, then why not a parking meter, a ticket vending machine, etc.

It would seem that this creates a problem as it trains people that anything can be a payment terminal, that anything is safe to insert your debit (or credit) card in. Consider for example the following scenario. You are in a small restaurant, and the waiter brings a portable payment terminal to your table to settle the bill. You insert your card and enter your PIN, and then the terminal signals there has been some error. The friendly waiter smiles and says this happens from time to time, that he is terribly sorry, and that he will get another terminal to sort this out. Indeed, that terminal works flawlessly... In the meantime, the first terminal was a fake that recorded your PIN code.

Would the situation improve if all terminals look the same, and would bear a clear certification mark that every users could easily see? Probably not, because it would be trivial to make a exact lookalike, including the certification mark. So training people to insert their payment card in anything that remotely looks like a payment terminal does not introduce any new risks.

So is there a problem here?

Luckily, the risk associated with someone learning your PIN code is considerably lower with PIN-and-chip based payment cards compared to traditional magstripe cards. As chip cards cannot be easily cloned, the PIN code is only useful for an attacker if he manages to obtain the corresponding original payment card. So instead of checking whether the payment terminal is genuine, you should check that you get your own payment card back. And ensure you are not pickpocketed when leaving the restaurant...

In case you spot any errors on this page, please notify me!
Or, leave a comment.