Slashdot Mirror

← Back to Stories (view on slashdot.org)

European Payment Card Protocols Wide Open To Fraud

Posted by timothy on from the faster-route-to-a-cashless-society dept.

Trailrunner7 writes: Researchers have discovered serious security vulnerabilities in a pair of protocols used by software in some point-of-sale terminals, bugs that could lead to easy theft of money from customers or retailers. The vulnerabilities lie in two separate protocols that are used in PoS systems, mainly in Germany, but also in some other European countries. Karsten Nohl, a prominent security researcher, and two colleagues, discovered that ZVT, an older protocol, contains a weakness that enables an attacker to read data from credit and debit cards under some circumstances. In order to exploit the vulnerability, an attacker would need to have a man-in-the-middle position on the target network, which isn't usually a terribly high barrier for experienced attackers.

38 comments

  1. Not a shocker. by Anonymous Coward · · Score: 1, Insightful

    In order to exploit the vulnerability, an attacker would need to have a man-in-the-middle position on the target network

    If an attacker already has a MITM presence on the network, you have larger problems. At least 75% of these "push the panic button" vulnerability reports assume the target has already been compromised in some way.

    1. Re:Not a shocker. by Anonymous Coward · · Score: 0

      In the comments on the Ars Technica article about this issue, the point was made that anybody with a tool pouch and a confident stride can walk into a retail location and gain access to the POS terminals with the store manager's blessing within a few minutes.

      And then the network is compromised to a MITM sitting on the network with the POS terminals.

    2. Re:Not a shocker. by Lennie · · Score: 1

      There are a lot of payment terminals that use existing DSL-connections which are also used to provided to Internet access. The traffic is separated by IP-address handled by the DSL-router on the subscriber side. I assume the payment terminal uses TLS (similar to HTTPS) to make a connection over the separate network. Hopefully they give each terminal it's own SSL client certificate or similar.

      So I wouldn't be surprised that some access to the network might be possible.

      --
      New things are always on the horizon
  2. No. They Said They Were Completely Secure. by Anonymous Coward · · Score: -1

    The Eurotrash have been lambasting the U.S. for not adopting their 'totally secure' chip and pin system for years now. And now you're implying that it isn;t secure? You obviously mistaken. They said it was secure.

    1. Re:No. They Said They Were Completely Secure. by Anonymous Coward · · Score: 2, Insightful

      Researcher have found a way to abuse the system. When it comes to the American payment cards everyone knows someone who has been the victim of actual fraud.

    2. Re:No. They Said They Were Completely Secure. by Lennie · · Score: 2

      When the banks in the UK implemented chip&pin they messed up in many ways:
      https://www.youtube.com/watch?...

      They made architectural mistakes. In theory chip&pin could be more secure.

      To me the most important difference between the US and Europe is that the new rules in the US from a couple of years ago is that the shop can be made responsible for fraud with payment terminals.

      At least in Europe as far was I know this isn't the case, so this is a problem for the banks to solve and shouldn't impact the shops or customers as much.

      --
      New things are always on the horizon
    3. Re:No. They Said They Were Completely Secure. by Anonymous Coward · · Score: 0

      You seem like a hate-fueled loser. Why should anyone care what you think?

    4. Re:No. They Said They Were Completely Secure. by Anonymous Coward · · Score: -1

      America - Fuck Yeah!

      Signatures - Fuck Yeah!

      Fuck your sister - Fuck Yeah!

    5. Re:No. They Said They Were Completely Secure. by Lennie · · Score: 2

      If you watch the presentation, they broke 2 protocols.

      One applies to at least both mag-strape and chip&pin systems. That protocol is the protocol used between the terminal the cashier uses and the payment terminal, supposedly newer models use a standard network connection (can be wireless) instead of the old serial protocols.

      The presentation:
      https://media.ccc.de/v/32c3-73...

      On the download tab you can download the english-only video of the talk.

      --
      New things are always on the horizon
    6. Re:No. They Said They Were Completely Secure. by Anonymous Coward · · Score: 0

      When it comes to the American payment cards everyone knows someone who has been the victim of actual fraud.

      If by this you mean "my bank", then you're right. But I suspect you meant someone that I (as an American) know personally, which makes your assumption wrong.

      The laws in the US are structured very differently to what you're used to. In most instances of credit card fraud, the issuer (the bank, usually) is on the hook for it. If they can prove a case against the cardholder, then they can take it to court and get paid back. If they merely suspect the cardholder, they're free to cancel the account. But otherwise, that money comes out of their hide, not the cardholder's.

      On the other side of the transaction, there are the processor (Visa, MC, et al) and the merchant. They have roughly the same relationship to each other as the issuer and cardholder have, and things work similarly. The merchant has a slight disadvantage in that they're a bigger target for investigation, and their aggregated transaction data may reveal fraud or negligence more quickly.

      In the middle, there's the issuer and the processor, which have contractual obligations to each other, and most of the grievances between these parties are handled via contract law.

      Of these four entities, cardholder, issuer, processor, and merchant, the cardholder is the least touchable under US law. Europe has a hodgepodge of laws that may or may not follow this model, and vary in degree. Thus, something more concrete is needed to nail down these interactions and liabilities in Europe. And on top of that, the laws around invoices date back to the 1100's, which the US doesn't have the burden of dealing with. Lines of credit here are billed via a monthly statement with no need to track exact invoicing dates due to centuries-old legal cruft.

      TL;DR: Shut up, Eurotrash, we don't care what you think because you're not relevant to our situation.

    7. Re:No. They Said They Were Completely Secure. by Anonymous Coward · · Score: 1

      Note that continental Europe are civil law countries, so laws are normally recent (whatever is voted by the Parliament when they update the codes). The 1100s are more connected to the birth of common law, which indeed carried its burden to our days in the UK (and the US). In continental Europe, old laws still in place are rare and mostly funny anecdotes. You have the Reinheitsgebot (German Beer Purity Law from 1516) and the Ordinance of Villers-Cotterêts (a justice reform in France from 1539). The laws defining payments are kept up to date in the Handelsgesetzbuch book in Germany and the Code de commerce in France.

    8. Re:No. They Said They Were Completely Secure. by Anonymous Coward · · Score: 0

      And these generous benefactors that we call banks of course completely eat the money and never pass any of those fees onto the consumer! That would be like saying retail establishments up the price on their merchandise to compensate for shoplifting, would never happen!

    9. Re:No. They Said They Were Completely Secure. by Anonymous Coward · · Score: 0

      Europe has a hodgepodge of laws that may or may not follow this model, and vary in degree.

      But that's not stopping you from throwing insults. Great.

      FWIW, a friend whose American accounts had fraudulent charges seemed a lot more stressed about the situation than I'm used to in the UK or Germany.

    10. Re:No. They Said They Were Completely Secure. by Anonymous Coward · · Score: 0

      Shut up, Eurotrash

      You keep using that word, but you don't seem to understand what it means. "Eurotrash" are American people of European decent whose ancesters were disposed of by their fellow Europeans for good reasons.

    11. Re: No. They Said They Were Completely Secure. by Anonymous Coward · · Score: 0

      Actually, it just means that you live in Europe and are trash.

      You're welcome. Please pour hot grits down your pants.

    12. Re:No. They Said They Were Completely Secure. by Anonymous Coward · · Score: 0

      It was Portugal (that's in Europe, idiot) who legalized marriage between close familiar members - I believe it was half-siblings and direct cousins. See Google for more information.

    13. Re:No. They Said They Were Completely Secure. by Anonymous Coward · · Score: 0

      That's not the American way of life. No true Murican settles for anything less than their full suibling.

  3. soo.... chip and pin.. by Anonymous Coward · · Score: 0

    not that great after all....

    shitty implementation makes even better, supposedly more secure cards, just as vulnerable as good ol' fashioned american cards.

    1. Re:soo.... chip and pin.. by NetNed · · Score: 0

      Always was just a farce. It is being pushed here because, I am certain, that the banks will push for what they got out of it in Europe. That the card holder is on the hook for the charges and to prove them fraudulent. So even if it was fraud, you have to pay on it till you can prove it is fraud. Matter of time before there is a push in the US for this same system.

  4. In Germany? by Anonymous Coward · · Score: 0

    But Germans don't use cards!

    1. Re:In Germany? by nospam007 · · Score: 1

      "But Germans don't use cards!"

      Don't mention the war!

    2. Re:In Germany? by hvdh · · Score: 1

      In Germany, EC [Electronic Cash] debit cards are used heavily. Credit cards are used rarely.

  5. I stick with cash... by fustakrakich · · Score: 1

    What? I can't? They're going cashless? Oh well, can I offer my goat as payment?

    --
    “He’s not deformed, he’s just drunk!”
    1. Re:I stick with cash... by Anonymous Coward · · Score: 0

      Yes, because no-one has ever used false bills.

    2. Re:I stick with cash... by Anonymous Coward · · Score: 0

      False bills are of no risk for the regular consumer who gets their bills from a cash machine. Fake money is a risk only for the merchant who receives cash payments. At most, a consumer can get fake small change, which is not even likely to happen because fraudsters produce preferentially the larger face values.

  6. That's one reason I always pay cash. by ffkom · · Score: 1
    The other reason is that I don't want corporations to track every tiny aspect of my life by evaluating what I bought when, where.

    And I know lots of people who do the same.

  7. Could be worse, could be the US voter database by WillAffleckUW · · Score: 1

    That was left open and 230 million Americans had all their private details exposed, available for wholesale tax fraud.

    Last week.

    --
    -- Tigger warning: This post may contain tiggers! --
    1. Re:Could be worse, could be the US voter database by Anonymous Coward · · Score: 0

      There is very little in the voter database that could be used for tax fraud. And voter records have always been public. A nation-wide aggregated database hasn't been available until now, but it was always possible with enough effort.

    2. Re:Could be worse, could be the US voter database by Anonymous Coward · · Score: 0

      "A nation-wide aggregated database hasn't been available until now,"

      VoterListsOnline.com has been up for almost 20 years. 2.5 cents per name after you check a couple boxes saying you will use the data legally.

    3. Re:Could be worse, could be the US voter database by campuscodi · · Score: 1

      230 million today. Funny, yesterday it was only 191 million.

  8. White flag by liqu1d · · Score: 2

    Apple pays marketing department is in full swing.

  9. Target by bhcompy · · Score: 2

    Wasn't the Target hack a man in the middle attack effectively done the same way?

    1. Re:Target by phorm · · Score: 1

      I was going to make a crack about "Targeted attacks", but you beat me to it. There have been some other high-profile hacks as well, e.g. Home Depot etc

    2. Re:Target by NetNed · · Score: 1

      Yeah, that's what the media seems to skip all the time, that it was those retailers systems that cause the data leaks. Then the media calls for different readers and chip and pin cards. Makes you wonder who is feed the media such bullshit.

  10. Open or closed by Anonymous Coward · · Score: 0

    Open or closed, pick one :)

    Best way to encourage secure protocols, publish the protocol. Wait for hacks and exploits to tear it appart, then back to the drawing board.

  11. Shut Up And Kiss Me, You Fool by Anonymous Coward · · Score: 0

    Shut up and kiss me, you fool.

    Why must you pretend, as you do?

  12. Chip & PIn FTW!!! by NetNed · · Score: 0

    Hey!!! I thought chip & pin was going to save the world? I am sure the chip & pin fanboys (odd that a person is a fanboy of it) will have excuses. "Well if the software was impla....blah blah blah".

    1. Re:Chip & PIn FTW!!! by Anonymous Coward · · Score: 0

      It's still much more difficult to compromise a chip and pin transaction as it is to compromise a simple swipe operation. As security is never 100%, chip and pin has been serving its purpose very well in improving security of transactions.