Dec 23 2015

Perfect Timing: Experts Reveal Weakness in Payment Protocols

What do hackers and film directors have in common? At first sight, not a lot. But dig a little deeper and you'll likely find a similarly keen sense for dramatic effects. The latest release from Berlin-based Security Research Labs (or SR Labs for short) serves as a valid proof of that assertion.

With Christmas just a couple of days away and everybody in a shopping craze, what better way is there to grab attention than to disclose a bug or two in payment protocols that could cost card holders, retailers and service providers some real money? If your answer is "none" and you have a talent for identifying weak spots in networking protocols where security should be paramount, you may want to think about joining Berlin's SR Labs, an outfit founded in 2010 by German crypto expert Karsten Nohl, who also discovered the "BadUSB" vulnerability. This time around, Nohl and his team unveiled weaknesses in ZVT and Poseidon, two communications protocols that connect payment terminals (essentially, card readers) with cash registers and online payment processors, respectively. According to SR Labs, these protocols make near-effortless fraud possible for criminals who can get access to the local network. Since Poseidon and ZVT in particular are especially popular in German-speaking countries and the European Union, this may for now be a regional problem – but there's no guarantee it won't seep into other areas. With regard to the technical aspects, we couldn't think of a better explanation than the one provided by Nohl et al., so here we go with a full quote:

"Payment terminals have conquered nearly every retail outlet and payment cards are as pervasive as cash.

Major parts of this critical payment infrastructure, however, rely on proprietary protocols from the '90s with large security deficiencies. Payment terminals and the payment processors they connect to are once again the culprit.

Stealing customer credentials
Fraudsters can gain access to large numbers of card details and matching PIN numbers over computer networks.

The main communication protocol between payment terminals and cash registers, ZVT in Germany, allows a fraudster to simply read payment cards – including credit and debit/EC cards – from the local network.

Worse yet, the protocol provides a mechanism for reading PIN numbers remotely. This mechanism is protected by a cryptographic signature (MAC). The symmetric signature key, however, is sometimes stored in Hardware Security Modules (HSMs), of which some are vulnerable to a simple timing attack, which discloses valid signatures. A signature extracted from one such HSM can be used to attack other, more secure models since the signature key is the same across many terminals, violating a base principle of security design.

Merchant account compromise
Fraudsters can also transfer money from merchant accounts, anonymously over the Internet.

Payment terminals communicate with a payment processor (who in turn talks to the banks) over the Internet using the ISO 8583 standard. One ISO 8583 dialect popular in Germany and other countries, Poseidon, is implemented with a major authentication flaw:

A terminal uses a secret key to execute a cryptographic authentication protocol. So far, so good. A large number of terminals – repeating the mistake made in ZVT – contain the exact same authentication key. Therefore, after changing a single number (Terminal ID) in any one terminal, that terminal provides access to the merchant account that Terminal ID belongs to. To make matters worse, Terminal IDs are printed on every payment receipt, allowing for simple fraud.

Fraudsters can, among other things, refund money, or print SIM card top-up vouchers – all at the cost of the victim merchant."

As may be easily imagined, that's not the end of SR Labs' release – the researchers also call for adequate defenses and suggest deactivating "abusable functionality such as refunds and SIM top-ups" for immediate protection, provided this is possible at all. In the long run, however, there appears to be no way around a much more complicated solution, namely deploying an individual secret key to each and every terminal that uses Poseidon and/or ZVT. The researchers will give a more detailed talk on electronic shoplifting at this year's 32nd Chaos Communication Congress (32C3) in Hamburg on Sunday, December 27, at 9:45 PM CET.
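The two design faults in the quote, a MAC check whose running time depends on how many leading bytes of the signature are correct and one signature key shared by many terminals, and the per-terminal key fix mentioned above, can be illustrated with a small model. This is an added example, not SR Labs' code and not the real ZVT or Poseidon message format; the key derivation scheme, the terminal IDs and the master key are assumptions constructed for the demonstration.

```python
import hashlib
import hmac

# Constructed sample value; no real terminal key is on the page or used here.
MASTER_KEY = b"example-master-key-for-demo-only"


def per_terminal_key(master_key: bytes, terminal_id: str) -> bytes:
    """Derive a key that is unique to one terminal (hypothetical HMAC-based KDF).

    A key extracted from one terminal then verifies nothing sent by another,
    which is the 'individual secret keys' fix the researchers recommend."""
    return hmac.new(master_key, b"terminal-key|" + terminal_id.encode(), hashlib.sha256).digest()


def compute_mac(key: bytes, message: bytes) -> bytes:
    """Signature (MAC) over a message, modelled here as HMAC-SHA256."""
    return hmac.new(key, message, hashlib.sha256).digest()


def naive_verify(expected: bytes, received: bytes) -> tuple[bool, int]:
    """Early-exit comparison: returns (ok, bytes examined).

    The amount of work depends on how long the correct prefix is; a device
    whose response time tracks this count leaks the signature one byte at a
    time, which is the weakness the HSM timing attack exploits."""
    if len(expected) != len(received):
        return False, 0
    steps = 0
    for a, b in zip(expected, received):
        steps += 1
        if a != b:
            return False, steps
    return True, steps


def constant_time_verify(expected: bytes, received: bytes) -> tuple[bool, int]:
    """Examines every byte regardless of where the first mismatch is, so the
    work done (and the timing) does not depend on the candidate signature."""
    if len(expected) != len(received):
        return False, 0
    diff = 0
    for a, b in zip(expected, received):
        diff |= a ^ b
    return diff == 0, len(expected)


def library_verify(expected: bytes, received: bytes) -> bool:
    """What production code should use: the standard library's constant-time compare."""
    return hmac.compare_digest(expected, received)
```

The instrumented step counts stand in for a timing measurement, which makes the leak visible deterministically instead of through noisy wall-clock timing.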
