Slashdot Mirror


European Payment Card Protocols Wide Open To Fraud

Trailrunner7 writes: Researchers have discovered serious security vulnerabilities in a pair of protocols used by software in some point-of-sale terminals, bugs that could lead to easy theft of money from customers or retailers. The vulnerabilities lie in two separate protocols that are used in PoS systems, mainly in Germany, but also in some other European countries. Karsten Nohl, a prominent security researcher, and two colleagues, discovered that ZVT, an older protocol, contains a weakness that enables an attacker to read data from credit and debit cards under some circumstances. In order to exploit the vulnerability, an attacker would need to have a man-in-the-middle position on the target network, which isn't usually a terribly high barrier for experienced attackers.

5 of 38 comments

  1. Re:No. They Said They Were Completely Secure. by Anonymous Coward · Score: 2, Insightful

    Researchers have found a way to abuse the system. When it comes to the American payment cards everyone knows someone who has been the victim of actual fraud.

  2. Re:No. They Said They Were Completely Secure. by Lennie · Score: 2

    When the banks in the UK implemented chip&pin they messed up in many ways:
    https://www.youtube.com/watch?...

    They made architectural mistakes. In theory chip&pin could be more secure.

    To me the most important difference between the US and Europe is that, under the new rules in the US from a couple of years ago, the shop can be made responsible for fraud with payment terminals.

    At least in Europe, as far as I know, this isn't the case, so this is a problem for the banks to solve and shouldn't impact the shops or customers as much.

    --
    New things are always on the horizon

  3. White flag by liqu1d · Score: 2

    Apple Pay's marketing department is in full swing.

  4. Target by bhcompy · Score: 2

    Wasn't the Target hack a man-in-the-middle attack effectively done the same way?

  5. Re:No. They Said They Were Completely Secure. by Lennie · Score: 2

    If you watch the presentation, they broke 2 protocols.

    One applies to at least both mag-stripe and chip&pin systems. That protocol is the protocol used between the terminal the cashier uses and the payment terminal; supposedly newer models use a standard network connection (can be wireless) instead of the old serial protocols.

    The presentation:
    https://media.ccc.de/v/32c3-73...

    On the download tab you can download the English-only video of the talk.

    --
    New things are always on the horizon