
European Payment Card Protocols Wide Open To Fraud

Trailrunner7 writes: Researchers have discovered serious security vulnerabilities in a pair of protocols used by software in some point-of-sale terminals, bugs that could lead to easy theft of money from customers or retailers. The vulnerabilities lie in two separate protocols that are used in PoS systems, mainly in Germany, but also in some other European countries. Karsten Nohl, a prominent security researcher, and two colleagues, discovered that ZVT, an older protocol, contains a weakness that enables an attacker to read data from credit and debit cards under some circumstances. In order to exploit the vulnerability, an attacker would need to have a man-in-the-middle position on the target network, which isn't usually a terribly high barrier for experienced attackers.
  • Not a shocker. (Score:1, Insightful)

    by Anonymous Coward

    In order to exploit the vulnerability, an attacker would need to have a man-in-the-middle position on the target network

    If an attacker already has a MITM presence on the network, you have larger problems. At least 75% of these "push the panic button" vulnerability reports assume the target has already been compromised in some way.

    • by Lennie ( 16154 )

      There are a lot of payment terminals that use existing DSL connections which are also used to provide Internet access. The traffic is separated by IP address, handled by the DSL router on the subscriber side. I assume the payment terminal uses TLS (similar to HTTPS) to make a connection over the separate network. Hopefully they give each terminal its own SSL client certificate or similar.

      So I wouldn't be surprised that some access to the network might be possible.

  • What? I can't? They're going cashless? Oh well, can I offer my goat as payment?

  • The other reason is that I don't want corporations to track every tiny aspect of my life by evaluating what I bought when, where.

    And I know lots of people who do the same.

  • That was left open and 230 million Americans had all their private details exposed, available for wholesale tax fraud.

    Last week.

  • Apple Pay's marketing department is in full swing.
  • by bhcompy ( 1877290 ) on Tuesday December 29, 2015 @01:55PM (#51203153)
    Wasn't the Target hack a man in the middle attack effectively done the same way?
    • by phorm ( 591458 )

      I was going to make a crack about "Targeted attacks", but you beat me to it. There have been some other high-profile hacks as well, e.g. Home Depot, etc.

    • by NetNed ( 955141 )
      Yeah, that's what the media seems to skip all the time, that it was those retailers' systems that caused the data leaks. Then the media calls for different readers and chip and pin cards. Makes you wonder who is feeding the media such bullshit.
  • Hey!!! I thought chip & pin was going to save the world? I am sure the chip & pin fanboys (odd that a person is a fanboy of it) will have excuses. "Well if the software was impla....blah blah blah".
