We must be able to trust payment systems: Payment terminals have conquered nearly every retail outlet and payment cards are as pervasive as cash.
Major parts of this critical payment infrastructure, however, rely on proprietary protocols from the 1990s with large security deficiencies. Payment terminals and the payment processors they connect to are once again the culprit.
Stealing customer credentials.
Fraudsters can gain access to large numbers of card details and matching PIN numbers over computer networks.
The main communication protocol between payment terminals and cash registers, ZVT in Germany, allows a fraudster to simply read payment cards – including credit and debit/EC cards – from the local network.
Worse yet, the protocol provides a mechanism for reading PIN numbers remotely. This mechanism is protected by a cryptographic signature (MAC). The symmetric signature key, however, is sometimes stored in Hardware Security Modules (HSMs), some of which are vulnerable to a simple timing attack that discloses valid signatures. A signature extracted from one such HSM can be used to attack other, more secure models, since the signature key is the same across many terminals, violating a basic principle of security design.
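An added example, not code from the original research or from any terminal vendor: the early-exit MAC comparison that makes a timing attack possible, beside a constant-time check, plus per-terminal key derivation so a MAC valid on one terminal is rejected by another. The truncated HMAC-SHA256, the key, the command string and the terminal IDs are constructed assumptions, not the ZVT MAC or real values.

```python
import hashlib
import hmac

# Constructed sample values: not real ZVT keys, commands or terminal IDs.
SHARED_KEY = bytes(range(16))
COMMAND = b"show prompt and return keypad input"

def mac(key: bytes, msg: bytes) -> bytes:
    # Truncated HMAC-SHA256 stands in for the terminal's MAC (an assumption).
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]

def leaky_verify(key: bytes, msg: bytes, tag: bytes):
    """Early-exit compare. Returns (ok, bytes_compared); the work done
    depends on how many leading bytes of the tag are correct."""
    expected, compared = mac(key, msg), 0
    for a, b in zip(expected, tag):
        compared += 1
        if a != b:
            return False, compared
    return len(tag) == len(expected), compared

def constant_time_verify(key: bytes, msg: bytes, tag: bytes) -> bool:
    """Hardened form: comparison time does not depend on where tags differ."""
    return hmac.compare_digest(mac(key, msg), tag)

def leak_profile() -> list:
    """Bytes compared by leaky_verify for tags with 0..7 correct leading bytes."""
    good, profile = mac(SHARED_KEY, COMMAND), []
    for k in range(len(good)):
        tag = good[:k] + bytes([good[k] ^ 0xFF]) + good[k + 1:]
        profile.append(leaky_verify(SHARED_KEY, COMMAND, tag)[1])
    return profile

def terminal_key(master: bytes, terminal_id: bytes) -> bytes:
    """Per-terminal key derived from a master key that stays in the back end."""
    return hmac.new(master, b"terminal-key|" + terminal_id, hashlib.sha256).digest()[:16]

def accepted_elsewhere(diversified: bool) -> bool:
    """Does a MAC that is valid on terminal A also verify on terminal B?"""
    ids = (b"terminal-A", b"terminal-B")
    key_a, key_b = ([terminal_key(SHARED_KEY, i) for i in ids]
                    if diversified else [SHARED_KEY, SHARED_KEY])
    return constant_time_verify(key_b, COMMAND, mac(key_a, COMMAND))

if __name__ == "__main__":
    print("bytes compared per tag:", leak_profile())
    print("shared key, MAC reusable:", accepted_elsewhere(False))
    print("per-terminal keys, MAC reusable:", accepted_elsewhere(True))
```

The rising count in `leak_profile()` is the data-dependent work a timing measurement picks up; `hmac.compare_digest` removes that dependence, and key diversification limits what any single disclosed MAC is worth.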
Merchant account compromise.
Fraudsters can also transfer money from merchant accounts anonymously over the Internet.
Details of this research were presented at 32C3.