European Payment Card Protocols Wide Open To Fraud

Trailrunner7 writes: Researchers have discovered serious security vulnerabilities in a pair of protocols used by software in some point-of-sale terminals, bugs that could lead to easy theft of money from customers or retailers. The vulnerabilities lie in two separate protocols that are used in PoS systems, mainly in Germany, but also in some other European countries. Karsten Nohl, a prominent security researcher, and two colleagues, discovered that ZVT, an older protocol, contains a weakness that enables an attacker to read data from credit and debit cards under some circumstances. In order to exploit the vulnerability, an attacker would need to have a man-in-the-middle position on the target network, which isn't usually a terribly high barrier for experienced attackers.

Not a shocker.

[Anonymous Coward]

In order to exploit the vulnerability, an attacker would need to have a man-in-the-middle position on the target network

If an attacker already has a MITM presence on the network, you have larger problems. At least 75% of these "push the panic button" vulnerability reports assume the target has already been compromised in some way.

Re:

[Lennie]

There are a lot of payment terminals that use existing DSL-connections which are also used to provided to Internet access. The traffic is separated by IP-address handled by the DSL-router on the subscriber side. I assume the payment terminal uses TLS (similar to HTTPS) to make a connection over the separate network. Hopefully they give each terminal it's own SSL client certificate or similar.

So I wouldn't be surprised that some access to the network might be possible.

Re:

[Anonymous Coward]

Researcher have found a way to abuse the system. When it comes to the American payment cards everyone knows someone who has been the victim of actual fraud.

Re:

[Anonymous Coward]

Note that continental Europe are civil law countries, so laws are normally recent (whatever is voted by the Parliament when they update the codes). The 1100s are more connected to the birth of common law, which indeed carried its burden to our days in the UK (and the US). In continental Europe, old laws still in place are rare and mostly funny anecdotes. You have the Reinheitsgebot (German Beer Purity Law from 1516) and the Ordinance of Villers-Cotterêts (a justice reform in France from 1539). The laws

Re:

[Lennie]

When the banks in the UK implemented chip&pin they messed up in many ways:
https://www.youtube.com/watch?... [youtube.com]

They made architectural mistakes. In theory chip&pin could be more secure.

To me the most important difference between the US and Europe is that the new rules in the US from a couple of years ago is that the shop can be made responsible for fraud with payment terminals.

At least in Europe as far was I know this isn't the case, so this is a problem for the banks to solve and shouldn't impact the s

Re:

[Lennie]

If you watch the presentation, they broke 2 protocols.

One applies to at least both mag-strape and chip&pin systems. That protocol is the protocol used between the terminal the cashier uses and the payment terminal, supposedly newer models use a standard network connection (can be wireless) instead of the old serial protocols.

The presentation:
https://media.ccc.de/v/32c3-73... [media.ccc.de]

On the download tab you can download the english-only video of the talk.

Re:

[NetNed]

Always was just a farce. It is being pushed here because, I am certain, that the banks will push for what they got out of it in Europe. That the card holder is on the hook for the charges and to prove them fraudulent. So even if it was fraud, you have to pay on it till you can prove it is fraud. Matter of time before there is a push in the US for this same system.

Re:

[nospam007]

"But Germans don't use cards!"

Don't mention the war!

Re:

[hvdh]

In Germany, EC [Electronic Cash] debit cards are used heavily. Credit cards are used rarely.

I stick with cash...

[fustakrakich]

What? I can't? They're going cashless? Oh well, can I offer my goat as payment?

That's one reason I always pay cash.

[ffkom]

The other reason is that I don't want corporations to track every tiny aspect of my life by evaluating what I bought when, where.

And I know lots of people who do the same.

Could be worse, could be the US voter database

[WillAffleckUW]

That was left open and 230 million Americans had all their private details exposed, available for wholesale tax fraud.

Last week.

Re:

[campuscodi]

230 million today. Funny, yesterday it was only 191 million.

White flag

[liqu1d]

Apple pays marketing department is in full swing.

Target

[bhcompy]

Wasn't the Target hack a man in the middle attack effectively done the same way?

Re:

[phorm]

I was going to make a crack about "Targeted attacks", but you beat me to it. There have been some other high-profile hacks as well, e.g. Home Depot etc

Re:

[NetNed]

Yeah, that's what the media seems to skip all the time, that it was those retailers systems that cause the data leaks. Then the media calls for different readers and chip and pin cards. Makes you wonder who is feed the media such bullshit.

Chip & PIn FTW!!!

[NetNed]

Hey!!! I thought chip & pin was going to save the world? I am sure the chip & pin fanboys (odd that a person is a fanboy of it) will have excuses. "Well if the software was impla....blah blah blah".