Month: December 2015

We must be able to trust payment systems: Payment terminals have conquered nearly every retail outlet and payment cards are as pervasive as cash.

Major parts of this critical payment infrastructure, however, rely on proprietary protocols from the 90’s with large security deficiencies. Payment terminals and the payment processors they connect to are once again the culprit.

Stealing customer credentials. Fraudsters can gain access to large numbers of card details and matching PIN numbers over computer networks.

The main communication protocol between payment terminals and cash registers, ZVT in Germany, allows a fraudster to simply read payment cards – including credit and debit/EC cards – from the local network.

Worse yet, the protocol provides a mechanism for reading PIN numbers remotely. This mechanism is protected by a cryptographic signature (MAC). The symmetric signature key, however, is sometimes stored in Hardware Security Modules (HSMs), of which some are vulnerable to a simple timing attack, which discloses valid signatures. A signature extracted from one such HSM can be used to attack other, more secure models since the signature key is the same across many terminals, violating a base principle of security design.

Merchant account compromise. Fraudsters can also transfer money from merchant accounts, anonymously over the Internet.

Payment terminals communicate with a payment processor (who in turn talks to the banks) over the Internet using the ISO 8583 standard. One ISO 8583 dialect popular in Germany and other countries, Poseidon, is implemented with a major authentication flaw:

A terminal uses a secret key to execute a cryptographic authentication protocol. So far, so good. A large number of terminals – repeating the mistake made in ZVT – contain the exact same authentication key. Therefore, after changing a single number (Terminal ID) in any one terminal, that terminal provides access to the merchant account that Terminal ID belongs to. To make matters worse, Terminal IDs are printed on every payment receipt, allowing for simple fraud.

Fraudsters can, among other things, refund money, or print SIM card top-up vouchers – all at the cost of the victim merchant.

Defense need. In the short term, abusable functionality such as refunds and SIM top-ups should be deactivated wherever possible. To introduce widely acknowledged security principles into our critical payment infrastructure, more drastic system updates are necessary:

The two main payment protocols in Germany, ZVT and Poseidon, are both insecure for the same reason: They share secret keys among a large number of devices. Deploying an individual key to each terminal is paramount to make payment systems more fraud-resistant.

Details of this research were presented at 32C3.