In an upcoming talk at CCC, researchers will describe a slew of attacks, and highlight how the payment infrastructure is broken from the ground up.
As the United States prepares to move to a chip-and-pin model for credit card transactions, Europe has been happily using the generally more secure method of in-person transactions for years. But it was only a matter of time before some really serious issues were discovered in the European approach.
As shown today on German news program Tagesschau, researchers in an upcoming talk at the Chaos Communication Congress later this month will detail an array of vulnerabilities and shoddy design choices with payment terminals (the devices consumers insert their cards into before typing a four-digit PIN) used in Europe. These allow a hacker to steal a victim's PIN code and magnetic strip from their card, and even pose as any terminal and send funds to any bank account in Germany. There are also concerns that the vulnerabilities could affect systems in other European countries.
A motivated team of criminals could probably reproduce the attacks "within a couple of months," Karsten Nohl, one of the researchers, told Motherboard in a phone interview.
"Basically anything with a magnet strip and a PIN number is vulnerable to this," Nohl said.
"This is the first time we've come across such a large deployment, with such serious issues, and don't have an obvious fix."
The team, including Nohl, Fabian Bräunlein and Philipp Maier, tested payment terminals from five different payment processors. Payment processors are the large companies which provide terminals to merchants, and which may also maintain the infrastructure needed for routing transactions.
The terminals tested used two different networks, both of which used the same back-end software. "This is the only software used in Germany for this purpose, so everybody should be equally affected," Nohl said.
Nohl and Bräunlein will lay out several different attacks, and they hinge on problems with two protocols that payment terminals use: ZVT and Poseidon. Protocols are essentially different languages that devices use to communicate.
The first attack relies on problems with ZVT, and allows a hacker to grab a victim's entered PIN number, as well as the data stored on the magnetic strip of their card. This is done by the hacker sending a legitimate-looking and cryptographically-signed message to the terminal, asking the victim to enter their PIN. The hacker has to wait for the target to start a legitimate transaction, and then sends their own malicious commands. The original transaction will fail, but the hacker will end up with the magnetic stripe data and PIN number.
The researchers were able to do this by extracting the key used for signing messages from their test terminals. But it turns out every single terminal provided by a payment processor uses the same key.
"The key wasn't particularly easy to find: this was a couple of week's work. But since the key is a system-wide key, you only go through that effort once," Nohl said. In other words, a hacker only has to get the key the one time, and then they can launch attacks on any other terminal from that payment processor they might come across.
In order to send the message asking for someone to enter their PIN, a hacker doesn't "actually have to have physical contact with the terminal," Nohl said. Instead, they just need to be connected to the same network, in order to communicate with the terminal.
"In a hotel, often those terminals are accessible through the hotel wifi because the hotel only has one network," Nohl added. On top of this, a small number of terminals can be hacked in this way remotely: around 200 have their interfaces exposed to the open web.
"Almost all terminals use ZVT," Nohl said, estimating that around 90 percent of German terminals would be vulnerable.
The second and potentially more serious hack "puts into question the entire design of the system," Nohl said.
"This is the first time we've come across such a large deployment, with such serious issues, and don't have an obvious fix"
Every terminal has a unique terminal ID. "Since all terminals have the same key, any terminal can masquerade as any other terminal," Nohl said. All an attacker needs to know is the terminal ID of the machine they wish to target, and some easily obtainable details about the back-end of the payment system.
But, astonishingly, that ID is stamped on every payment slip produced by a terminal, and the IDs are very easy to guess anyway, as they just increase incrementally.
"That seems like a very weird design choice," Nohl pointed out.
According to Nohl, TeleCash, one of the main payment processors in Germany, "has a couple hundred thousand terminals connected to their system right now."
"We can impersonate every single one of them, remotely over the internet, through Tor." From there, "we can send money from hundreds of thousands of places, basically at the same time, to any bank account in Germany."
TeleCash did not respond to a request for comment from Motherboard. Nohl said that "all payment processors use Poseidon," the second problematic protocol.
Nohl said that these problems may also affect terminals outside of Germany, because they use similar protocols to communicate.
In 2012, Nohl and other researchers disclosed different problems with European payment terminals. Those issues were partly addressed, but when it comes to fixing these latest revelations, "we don't know" how, said Nohl.
Nohl doesn't think that these findings are necessarily any worse than others they've uncovered in the past. "But this is the first time we've come across such a large deployment, with such serious issues, and don't have an obvious fix," he said.
The researchers have informed German banks of the issues, and Nohl said "we're still in the process of responsible disclosure."
Regardless, if adopted by professional criminals, exploiting these vulnerabilities on a wide scale could easily be more profitable than more traditional card skimming. At the moment, "People are physically modifying ATM machines one at a time, and it seems profitable enough," Nohl said. "This is a very determined criminal industry."
Update: According to Tagesschau, German banking organisation Deutsche Kreditwirtschaft said it had checked the research and is confident the system is secure. It claimed that the attack proposed by the Berlin researchers only worked under lab conditions and wouldn't come at the cost of card owners. Electronic commerce organisation BECN also emphasised that they were taking the research seriously, referring to regular software updates from individual operators.