Trustwave security consultant John Mocuta works at the company's "Hax" lab, where this week he examined the possible criminal uses of the radio-frequency identification modules that restaurants use to alert customers at a distance that their table is ready.
"If I can steal your sandwich by stealing your table reservation, I can eventually steal your money," Mocuta said. "We may find a common protocol in this device that can be used to hack into a card-swiping device."
It's an example of how the "ethical hackers" at Chicago-based Trustwave's hardware analysis and exploitation ("Hax") lab puzzle out data security weaknesses in card-acceptance hardware.
The hacking lab is filled with communication boards and modules, ATMs, PIN pads, computers, and various devices that hackers use to steal data from ATMs, gas pumps and other card-swiping hardware.
Device manufacturers and banks come to Trustwave for a glimpse at how criminals would exploit the technology they use. Because the hackers work on several projects at once, findings from one project often lend clues to another, leading to what Mocuta and fellow Trustwave security consultant Matthew Jakubowski call their "Eureka moments."
"It gives us a lot of insight, because old hacking tricks may not work on a new ATM, but in another three to six months, a new attack vector may exist," Jakubowski said. "It's a matter of dotting the I's and crossing the T's."
Depending on what the client is seeking from Trustwave's testing, the ethical hackers generally "go after the same things that real-world attackers would go after," Mocuta said.
That means finding the easiest path to collecting card data, as well as a way to thwart that method of attack, Mocuta said.
Despite an uptick in malware that targets payment systems, the physical planting of skimmers on ATMs or gas pumps remains the most common crime, Mocuta said. Fraudsters are wise enough to stay away from ATMs at busy bank branches and instead focus on ATMs at taverns, convenience stores or remote locations, he said.
"In this world of Bluetooth communication, the criminal can set up a skimmer and then just capture the card data remotely by driving by the machine on occasion and just collecting his data," Mocuta added.
Even though security has become a major concern for many companies in light of a barrage of highly publicized data breaches, requests for testing don't necessarily spike with each incident, Jakubowski said.
Trustwave has long conducted system and product penetration tests and the hacking efforts taking place in the expanded lab use that same mindset, Jakubowski said.
The company has performed forensic investigations after breaches for several years, but the hacking lab also helps Trustwave become more proactive in working with law enforcement.
Currently, the lab is working on a case in which criminals planted a card skimmer the size of half a stick of gum inside gas pumps. In addition to helping law enforcement find the criminals, Trustwave wants to help device makers close off such attacks by improving their product design.
Security works best when it has layers of defense against hackers, Jakubowski said.
"If we can create certain barriers to entry, we can at least slow down the bad guys," Jakubowski said. "When they are slowed down, it forces them to redirect to something else."
The current trend to deploy tokenization on top of EMV chip cards will help the payments industry keep its data safe, Jakubowski said. Tokenization replaces the card's primary account number with a surrogate value, the token, that has no mathematical relationship to the real account data. A stolen token cannot be reversed or used to create counterfeit cards; only the token service that holds the mapping can turn it back into the account number.
"Tokens might not be the end-all, do-all, but it's a nice step," he added. "Again, it takes a couple extra steps to get to the data, and it's a loss of a target for hackers."
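To make the tokenization point concrete, here is an added example of a minimal token vault; it is illustrative code written for this page, not Trustwave's or any token service provider's implementation. It assumes the design choices noted in the comments: tokens keep the PAN's length and last four digits but are otherwise random, are built so they fail the Luhn check (so a leaked token is rejected wherever card numbers are validated), and the vault indexes PANs by an HMAC rather than plaintext. The sample PAN and index key are constructed test values.

```python
"""Minimal payment-card tokenization vault (constructed example).

The vault is the only component that ever sees a real primary account
number (PAN). Merchant systems store and pass around tokens, which are
random surrogates with no mathematical relationship to the PAN, so a
stolen token database gives an attacker nothing to clone onto a card.
"""
import hashlib
import hmac
import secrets


def luhn_valid(number: str) -> bool:
    """Luhn check digit validation, as used by card networks for PANs."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """In-memory stand-in for a token service provider's vault.

    Assumptions made for this example (not from the article):
    * tokens keep the PAN's length and last four digits so receipts and
      reports still work, while every other digit is drawn at random;
    * tokens are generated so they FAIL the Luhn check, so a leaked token
      is rejected by any system that validates card numbers;
    * the PAN-to-token index is keyed by an HMAC of the PAN, so no
      plaintext PAN is used as a lookup key.
    """

    def __init__(self, index_key: bytes):
        self._index_key = index_key
        self._token_to_pan: dict[str, str] = {}
        self._panhash_to_token: dict[str, str] = {}

    def _pan_hash(self, pan: str) -> str:
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def _random_token(self, pan: str) -> str:
        """Random surrogate: same length, same last four, never Luhn-valid."""
        last4 = pan[-4:]
        body_len = len(pan) - 4
        while True:
            body = "".join(str(secrets.randbelow(10)) for _ in range(body_len))
            token = body + last4
            if (token != pan and not luhn_valid(token)
                    and token not in self._token_to_pan):
                return token

    def tokenize(self, pan: str) -> str:
        """Return the token for a PAN, creating one on first sight."""
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a valid PAN")
        h = self._pan_hash(pan)
        existing = self._panhash_to_token.get(h)
        if existing is not None:        # same card always maps to same token
            return existing
        token = self._random_token(pan)
        self._token_to_pan[token] = pan
        self._panhash_to_token[h] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault can map a token back; unknown tokens raise KeyError."""
        return self._token_to_pan[token]


if __name__ == "__main__":
    vault = TokenVault(b"example-index-key")      # constructed key
    pan = "4111111111111111"                      # well-known test PAN
    token = vault.tokenize(pan)
    print("merchant stores:", token)
    print("passes card validation?", luhn_valid(token))
    print("vault resolves to:", vault.detokenize(token))
```

The practical point for a merchant is in the last lines: everything outside the vault (point-of-sale logs, the order database, analytics) holds only the token, and the token is useless on its own, which is the "couple extra steps" Jakubowski describes.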