Momentarily unencrypted Payment cards

I read about the cyber-attacks related to momentarily unencrypted payment processing data at point-of-sale devices. Technically, how is it possible?

Is it that when the cardholder inserts an EMV (chip-and-PIN) payment card to make a payment, the data remains unencrypted during PIN entry and is skimmed? If not, what else could happen in an ‘end to end encryption’ environment? Or does this not occur with EMV cards at all, and apply only to cards with a magnetic strip?

Either way, I believe the usefulness of that data is limited to online transactions only, as for cash withdrawal or to use the cloned card the hacker would need the PIN as well.

max
  • 1
    Could you give a reference to where you read this? It seems this applies more to mag stripe cards where everything to do with the transaction is available in plain text to the POS terminal. In EMV, the encryption is end-to-end from issuer bank to the EMV chip & PIN terminal, but track 2 data is still revealed in plain. – billc.cn Mar 03 '16 at 15:50

1 Answer

Without a reference, it is hard to answer how the attack is possible vis-à-vis the article that you read. However, I have seen several similar attacks involving the magnetic strips and the terminals.

The credit card data on the magnetic strip is not encrypted. The encryption is applied by the POS when communicating with the bank. The data within the POS, which includes the track data and the PIN for debit cards, is often not encrypted. Therefore, if you compromise the POS terminal you can extract the credit card swipe data and even the PIN number from debit cards.

The interception could occur with compromised firmware, software or physical devices (skimmers and friends). For example breaches, see http://krebsonsecurity.com/2015/04/pos-providers-feel-brunt-of-poseidon-malware/. Krebs has a LOT of other breaches on record.

However, these attacks do not work (theoretically) on EMV cards. These cards have card-to-bank encryption, i.e. end to end. The authentication goes through the chip (see Why are chips safer than magnetic stripes?). All the attacker gets from compromising the terminal is the PIN.

AstroDan
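The answer's point that track data sits unencrypted inside the POS can be audited from the defender's side. The following is an added example, not part of the original post: it scans POS application log lines for plaintext track 2 data (layout per ISO/IEC 7813), confirms candidates with the Luhn check, reports them masked, and redacts them. The log lines, the test card numbers and all function names are constructed for illustration.

```python
import re

# Track 2 layout (ISO/IEC 7813): ;PAN=YYMM, 3-digit service code, discretionary data, ?
TRACK2_RE = re.compile(r";(\d{12,19})=(\d{4})(\d{3})(\d*)\?")

def luhn_ok(pan: str) -> bool:
    """Luhn checksum, used to discard digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask(pan: str) -> str:
    """Show only the first six and last four digits in a finding."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def find_plaintext_track2(lines):
    """Return one masked finding per Luhn-valid track 2 string in the log."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        for m in TRACK2_RE.finditer(line):
            pan, _expiry, service, _disc = m.groups()
            if luhn_ok(pan):
                findings.append({
                    "line": lineno,
                    "pan_masked": mask(pan),
                    # First service-code digit 2 or 6 means the card carries a chip,
                    # so a swipe of it is a magstripe fallback worth reviewing.
                    "chip_card": service[0] in "26",
                })
    return findings

def redact(line: str) -> str:
    """Replace each Luhn-valid track 2 string so the log can be retained."""
    return TRACK2_RE.sub(
        lambda m: "[TRACK2 REDACTED]" if luhn_ok(m.group(1)) else m.group(0), line)

# Constructed sample log; PANs are well-known test numbers, not real cards.
SAMPLE_LOG = [
    "2016-03-03 15:50:01 DEBUG swipe raw=;4111111111111111=25121010000000000000? lane=3",
    "2016-03-03 15:50:09 INFO txn approved amount=12.50 lane=3",
    "2016-03-03 15:51:44 DEBUG fallback raw=;5555555555554444=25122010000000000000? lane=1",
    "2016-03-03 15:52:10 DEBUG noise ;4111111111111112=25121010000000000000?",
]

if __name__ == "__main__":
    for finding in find_plaintext_track2(SAMPLE_LOG):
        print(finding)
```

The last sample line fails the Luhn check and is ignored, which keeps random digit runs from being reported as card data.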