In Shopshifting: The potential for payment system abuse, Karsten Nohl and Fabian Bräunlein showed attendees at Hamburg’s Chaos Communications Congress just how poor the security in payment terminals is, and demonstrated several attacks that would let them harvest card numbers and PINs, make undetectable phantom charges and refunds to merchant accounts, and commit other mischief.
The underlying problem is the lack of authentication and good crypto in the basic protocols of payment processing. These protocols are creaking, elderly messes, grown atop earlier systems that had no security by design.
The researchers suggest that there’s no way to fix this except for starting over, due to the fundamental problems in the protocols. Even more recent protocols, such as 2003’s Open Payment Initiative, inherit many of the weaknesses of their predecessors.
In the short term, payment processors could make things a little more secure through the use of random passwords and terminal IDs. That would at least make the Poseidon attack less straightforward. However, a real fix is going to be much harder to deploy, as both protocols need to be altered to require strong authentication.
Nohl reported his findings to payment processors, but they have so far done little in response. Reuters writes that the German Association of Savings Banks, issued a statement on behalf of all German banks, saying the attack scenarios presented by Nohl were only theoretically possible. Nohl demonstrated this “theoretical” attack on stage at CCC, and says that he has made dozens of test transfers proving that the flaw is real.
Fortunately, however, criminals have not yet taken advantage of these weaknesses.
Common payment processing protocols found to be full of flaws
[Peter Bright/Ars Technica]
(Image: card reader segfault, Secretlondon123, CC-BY-SA)