Purchases are often made using a secure transaction device called a point of sale terminal. The point of sale terminal is typically coupled to a financial institution via an electronic communication link. A customer in a store may, for example, present a debit card, credit card, cash card or smart card to the store's cashier for payment.
Consider an example of a transaction with a debit card. The customer presents the debit card to the cashier of the store. The cashier swipes the magnetic stripe on the card through a magnetic card reader on the point of sale terminal. The magnetic card reader reads an account number encoded in the magnetic stripe of the card. The customer then, for identification purposes, typically enters a personal identification number (PIN) into a keypad device coupled to the point of sale terminal. The customer may also enter other identification information. The customer may, for example, provide a signature on a signature capture device coupled to the point of sale terminal.
The point of sale terminal then uses an encryption key stored in the point of sale terminal to encrypt the account number (from the swiped debit card), the identification number (for example, the PIN number), and other information about the transaction such as the amount of the transaction and the date of the transaction. The encrypted information is sent from the point of sale terminal to the financial institution via a modem or other electronic communication link.
The financial institution receives the encrypted information and uses an encryption key to decrypt the information and recover the account number, identification information, and information about the transaction. In the case where the transaction is a debit transaction, the bank account of the customer is debited. A confirmation of the transaction is then encrypted using the encryption key and the encrypted confirmation is communicated from the financial institution back to the point of sale terminal. The point of sale terminal uses the encryption key stored in the point of sale terminal to decrypt the confirmation. Typically, the confirmation is printed out as part of a transaction receipt and a copy of the receipt is provided to the customer. The point of sale terminal may include a printer for the purpose of printing the receipt.
Although a debit card having a magnetic stripe is described here as the mechanism by which the account number is entered into the point of sale terminal, there are many other mechanisms that can be used for accomplishing the function of entering an account number into a point of sale terminal. Although the entry of a PIN into a PIN entry keypad is described above as the mechanism by which identification information is entered into the point of sale terminal, there are many other ways of entering identification information into a point of sale terminal. Although a debit card transaction is described above, credit card and other types of transactions may be accomplished using point of sale terminals. Regardless of the details of the point of sale terminal and the type of transaction, in each case sensitive financial and identification information is entered into the point of sale terminal. Encryption keys are typically stored in the point of sale terminal so that the point of sale terminal can communicate with the financial institution in a secure manner.
In one example, the point of sale terminal is a processor-based device having a processor, an amount of secure memory, an amount of FLASH program memory, and an amount of read only memory (ROM). A boot loader program is stored in the ROM. After the manufacture of the hardware of the point of sale terminal, there is no program in the FLASH program memory. Upon power up, the processor checks the status of a predetermined terminal (pin) or jumper. If reading the predetermined terminal or jumper returns a first digital value, then the processor executes the boot loader program stored in the ROM. The boot loader program causes a program to be loaded into the FLASH. The processor may, for example, receive the program from a serial port of the point of sale terminal and write the program into the FLASH program memory. This procedure is utilized to load software into the point of sale terminal at manufacture. The encryption keys are also loaded into the point of sale terminal by this process. The keys are, however, written into the secure memory.
After the program and the encryption keys are loaded, a hardware change is made to the predetermined terminal (pin) or jumper such that subsequent reading of the predetermined terminal (pin) or jumper by the processor will return a second digital value. The processor of the point of sale terminal is then reset. In coming out of reset, the processor reads the status of the predetermined terminal or jumper as it did in the above described example. In this case, however, the processor reads the second digital value. This causes the processor to skip the boot loader program and to execute the program present in FLASH.
Unfortunately, this mechanism for loading programs into point of sale terminals can be used by thieves and criminals to hack into point of sale terminals and to read out sensitive financial information stored in the terminals such as PIN numbers, account numbers, and encryption keys. In one example, a thief steals a point of sale terminal and puts it into its boot loader mode by changing the voltage on the predetermined terminal, pin or jumper. The thief then uses the boot loader to load a rogue program into FLASH program memory. The thief then resets the terminal. In coming out of reset, the processor of the point of sale terminal executes the rogue program. The rogue program causes the processor to read the contents of the rest of memory on the point of sale terminal and to output that information in some fashion to the thief. In this manner, the thief reads account information, PIN numbers, and encryption keys out of the point of sale terminal. Alternatively, the thief can load a monitor program into the point of sale terminal of an unsuspecting merchant. The monitor program can then record and output sensitive information to the thief over the long term as the point of sale terminal is used.
A boot loader facility need not be provided in a point of sale terminal. There are other ways by which a program can be provided. All program memory from which the processor can execute instructions may, for example, be read only memory (ROM) such that no boot loader program need be provided. Because no boot loader functionality is provided, boot loader functionality cannot be used by a thief for illicit purposes. Unfortunately, however, doing away with the boot loader functionality renders the point of sale terminal less flexible and more difficult to program and update. A solution to the security problem is desired that does not do away with the advantages and desirable aspects of having boot loader functionality.
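The reset decision described above can be modelled in a few lines of C to show why the strap-only check leaves the keys exposed; this is an added example, not code from the original text or from any terminal vendor. All structure, function names and key bytes are constructed, and the zeroize-on-loader-entry variant is a commonly used mitigation assumed here for contrast, not something taken from this text.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simulated terminal; every name, size and value here is constructed. */
enum strap { STRAP_LOADER = 0, STRAP_RUN = 1 }; /* first / second digital value */
enum boot_path { PATH_ROM_LOADER, PATH_FLASH_APP };
struct terminal {
    enum strap strap;        /* the predetermined pin or jumper */
    uint8_t secure_mem[16];  /* secure memory holding the encryption keys */
    bool keys_present;
};

/* Reset path as the text describes it: the strap value alone picks the path. */
enum boot_path reset_strap_only(struct terminal *t) {
    return t->strap == STRAP_LOADER ? PATH_ROM_LOADER : PATH_FLASH_APP;
}

/* Assumed mitigation: wipe secure memory before the ROM loader may run. */
enum boot_path reset_zeroize_on_loader(struct terminal *t) {
    if (t->strap != STRAP_LOADER) return PATH_FLASH_APP;
    volatile uint8_t *p = t->secure_mem; /* volatile so the wipe is not elided */
    for (size_t i = 0; i < sizeof t->secure_mem; i++) p[i] = 0;
    t->keys_present = false;
    return PATH_ROM_LOADER;
}

/* Walk manufacture, then a later forced return to loader mode.
 * Returns 1 if keys are still readable when the loader runs again,
 * 0 if they were wiped, -1 if the boot sequence itself went wrong. */
int keys_survive_loader_reentry(enum boot_path (*reset)(struct terminal *)) {
    struct terminal t = { STRAP_LOADER, {0}, false };
    if (reset(&t) != PATH_ROM_LOADER) return -1;     /* factory: loader runs */
    memset(t.secure_mem, 0xA5, sizeof t.secure_mem); /* constructed key bytes */
    t.keys_present = true;
    t.strap = STRAP_RUN;                             /* hardware change made */
    if (reset(&t) != PATH_FLASH_APP) return -1;      /* normal field boot */
    t.strap = STRAP_LOADER;                          /* strap forced back */
    if (reset(&t) != PATH_ROM_LOADER) return -1;
    return t.keys_present && t.secure_mem[0] == 0xA5;
}

int main(void) {
    printf("strap only: %d\n", keys_survive_loader_reentry(reset_strap_only));
    printf("zeroize:    %d\n", keys_survive_loader_reentry(reset_zeroize_on_loader));
    return 0;
}
```

The wipe keeps the boot loader usable for reprogramming while ensuring that whatever is loaded next starts with empty secure memory; the cost is that keys must be re-provisioned after every loader entry.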
Not only does the boot loader provide a mechanism by which a thief can hack into a point of sale terminal, but a debugger on the processor can also be used to hack into a point of sale terminal. Many microcontrollers provide on-board debuggers that are usable to monitor and debug processor operation. Such a debugger typically allows the execution of instructions by the processor to be stopped, and the contents of various registers and memory locations to be read and/or written. Instructions can be injected such that the processor can be made to execute the injected instruction. The injected instruction can cause the processor to jump to a desired location and to start executing code from the new location. The injected instruction can cause the processor to output the contents of a memory location or register. The debugger facility therefore provides a way for a thief to read out the contents of memory and to extract the sensitive financial information stored in the memory.
Although a processor that does not have a debugger could be used in a point of sale terminal, having such a debugger is a valuable and useful tool in developing and maintaining point of sale terminals. A solution is desired that prevents unwanted access to the contents of memory of a point of sale terminal, but that allows the point of sale electronics to include useful boot loader and debugger facilities.