

your bank card, my money

Posted by chiappelli at 2020-04-02


Paying by card is commonplace today, so POS systems are everywhere: shopping malls, restaurants, hotels, hospitals and many other places.

In the mobile payment era, the new generation of POS machines generally connects to a third-party payment institution to make quick payments with a bank card. Technically this introduces Bluetooth / WiFi / audio (for communication between the POS card reader and the POS terminal host) and Android / iOS (the systems the POS host app runs on). This is more convenient, but it also introduces more security issues.

We conducted security tests on several brands of POS machines, and the results are frightening: after you swipe your card on a POS machine controlled by an attacker, the bank card is still in your hand, but the attacker can keep "swiping" it and draining the money inside (your card, my money).

[scene demonstration]

We analyzed several well-known POS machines in China and found similar security holes in their system design. By tampering with the data, we could deduct arbitrary amounts from the cardholder.

No picture, no truth. See the screenshot below.

The principle of the vulnerability is simple, but the impact is frightening. We followed the responsible vulnerability disclosure process, and the details have been reported to the relevant manufacturers for repair.

[technical analysis]

Now it's time for technical analysis.

We found that the POS machine includes a random number (a nonce) in the instructions it sends to the server, intended to prevent replay attacks, but the server never verifies it. As a result, the packets sent by the POS machine to the server can simply be replayed. At the same time, the instruction packet sent by the POS terminal carries no digital signature, so it can be modified at will.

Hence the vulnerability: once the attacker obtains some of the victim's bank card information through a normal swipe, he can generate a payment instruction to the server himself, and the victim's bank card is charged.

The general vulnerability diagram is as follows (specific details will be omitted):

The fix is also relatively simple. The server should verify the random number: even if a packet is replayed, the random number has already been seen, so the attack fails. But there is a second problem. If the attacker intercepts and modifies packets instead of merely sniffing them, how do we protect against that? Add a digital signature, so that any modified packet fails verification.
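To make the two fixes concrete, here is an added example (not code from the original post or from any POS vendor) of a server-side verifier that checks a per-message signature and rejects reused nonces. The message layout (terminal_id, card_token, amount_cents, nonce, timestamp, sig), the HMAC-SHA256 signature, the in-memory nonce store and the demo key are all assumptions for illustration. An `InsecureServer` that models the behaviour described in the post (nonce carried but ignored, no signature) sits beside the `HardenedServer` so the difference is visible on the same three packets: the genuine one, a replay, and a copy with the amount edited.

```python
import hmac
import hashlib
import json
import time

# Shared secret per terminal (constructed placeholder; a real deployment would
# provision this in the terminal's secure element, never in source code).
TERMINAL_KEYS = {"POS-0001": b"constructed-demo-key-not-for-production"}

# Fields covered by the signature, in a fixed order so both sides serialise
# identically.
SIGNED_FIELDS = ("terminal_id", "card_token", "amount_cents", "nonce", "timestamp")


def canonical_bytes(msg):
    """Serialise the signed fields deterministically (sorted keys, no spaces)."""
    body = {k: msg[k] for k in SIGNED_FIELDS}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_message(key, msg):
    """HMAC-SHA256 over the canonical body; the terminal attaches this as 'sig'."""
    return hmac.new(key, canonical_bytes(msg), hashlib.sha256).hexdigest()


class InsecureServer:
    """Models the behaviour described in the post: the nonce is carried but never
    checked and there is no signature, so replays and edited amounts go through."""

    def __init__(self):
        self.charges = []

    def process(self, msg):
        self.charges.append((msg["card_token"], msg["amount_cents"]))
        return True, "charged"


class HardenedServer:
    """Checks the signature first, then rejects stale timestamps (so the nonce
    store can be bounded), then rejects any nonce already seen for that terminal."""

    def __init__(self, keys, max_skew_seconds=300, now=time.time):
        self.keys = keys
        self.max_skew = max_skew_seconds
        self.now = now
        self.seen_nonces = {}  # terminal_id -> set of nonces (assumed in-memory store)
        self.charges = []

    def process(self, msg):
        key = self.keys.get(msg.get("terminal_id"))
        if key is None:
            return False, "unknown terminal"
        # An unsigned or edited packet is dropped before it touches any state.
        expected = sign_message(key, msg)
        if not hmac.compare_digest(expected, msg.get("sig", "")):
            return False, "bad signature"
        # Freshness window limits how long a nonce has to be remembered.
        if abs(self.now() - msg["timestamp"]) > self.max_skew:
            return False, "stale timestamp"
        seen = self.seen_nonces.setdefault(msg["terminal_id"], set())
        if msg["nonce"] in seen:
            return False, "replayed nonce"
        seen.add(msg["nonce"])
        self.charges.append((msg["card_token"], msg["amount_cents"]))
        return True, "charged"


def demo(now=1585800000.0):
    """Runs the three packets from the post against both servers and returns the verdicts."""
    key = TERMINAL_KEYS["POS-0001"]
    original = {
        "terminal_id": "POS-0001",
        "card_token": "tok_constructed_card",  # constructed stand-in for card data
        "amount_cents": 1999,
        "nonce": "a1b2c3d4",                   # constructed nonce
        "timestamp": now,
    }
    original["sig"] = sign_message(key, original)

    replay = dict(original)            # the captured packet sent a second time
    tampered = dict(original)
    tampered["amount_cents"] = 999900  # amount edited, old signature left in place

    insecure = InsecureServer()
    hardened = HardenedServer(TERMINAL_KEYS, now=lambda: now)
    results = {}
    for label, msg in (("original", original), ("replay", replay), ("tampered", tampered)):
        results[label] = {
            "insecure": insecure.process(msg),
            "hardened": hardened.process(msg),
        }
    return results


if __name__ == "__main__":
    for case, verdicts in demo().items():
        print(case, verdicts)
```

Two design points worth noting. The signature is checked before the nonce is recorded, so an attacker cannot burn a terminal's nonces with forged packets, and the timestamp window bounds the nonce store; in a multi-instance deployment that store must be shared (a database or cache), because a nonce remembered by only one server is no protection against a replay that lands on another. An HMAC is used here for brevity and assumes a shared secret; a production design would more likely use per-terminal asymmetric keys so the server never holds a secret that could be used to forge terminal messages.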

The essence of this vulnerability is that an insecure IT system, introduced by digitisation, undermines an identity authentication system built on "what you have" (the bank card) and "what you know" (the password). Imagine that in the future, biometric authentication (fingerprints, voiceprints, irises, etc.) is also digitised. Will the same hidden danger appear there?

[extended knowledge]

Developed capitalist countries have faced POS machine security problems for a long time.

In 2013, Arbor Networks, a foreign security company, found malware infecting POS terminals and servers. The figure below shows the geographical distribution of the infections. From the figure we can see that mainland China is almost unaffected; it seems that POS systems in China do not share the technical framework used abroad, so they were not hit by the foreign worms.

In January 2014, US-CERT issued an early warning about POS malware and published best security practices for POS systems:

[prevent malicious POS machine]

As can be seen from the above, the security risks of POS machines are still considerable. Now, when members of our research team go out and pay by card, they get nervous whenever they see a POS machine.

So, how to prevent it?

Financial security is of great importance. With the rise and growth of Internet finance, the security problems will only multiply, so regulators, manufacturers and ordinary users should all pay enough attention.

For regulators, the safety and quality of financial products released by manufacturers should be guaranteed by practical rules and regulations.

For manufacturers, hardware devices should follow an SDL (security development lifecycle) process and eliminate most security risks before release. After all, upgrading deployed terminals costs far more than updating an online service, and as Internet finance develops, more and more hidden security risks in the traditional financial industry will be uncovered.

For ordinary users, to guard against malicious POS machines it is better to keep two cards: one for savings and the other for card payments and online banking, so that the loss is contained even if the card is skimmed. At the same time, enable the bank's per-transaction notifications (both WeChat and SMS), so that any abnormal charge can be spotted and dealt with immediately.


With the development of the Internet, smart devices that combine hardware, software and communication architecture still have many security problems. Over time, and with the industry's attention, these problems will gradually surface (such as the recent DDoS attack on the DNS servers of some provincial telecom operators by a worm that infected cameras).

Tencent Security Emergency Response Center will continue to share more findings. Please follow us, and we will see you next time.