Researchers have shown off a way to hack into commonly used UK Point of Sale POS terminals and use a chip-and-pin card crafted with malicious code that enabled them to install a racing game and play it, using the machine’s pin pad and screen.
With that same hack the researchers demonstrated a much worse reason to hack the terminals. They can inject a Trojan virus in the terminal that could record card and PIN numbers, which could then be extracted later by inserting another rogue card.
The researchers then used the same method to fool the terminal into thinking a transaction was bank-approved. Allowing them to go to a store and load up whatever they may want and walk out without paying for anything and the store workers along with the POS terminal don’t know anything has happened.
Finally, the security researchers took a device that is popular in the US, and used non-encrypted ethernet communication between the terminal and other peripherals to hack into the payment device and take root control of the stores system.