We must be able to trust payment systems: Payment terminals have conquered nearly every retail outlet and payment cards are as pervasive as cash.

Major parts of this critical payment infrastructure, however, rely on proprietary protocols from the 90’s with large security deficiencies. Payment terminals and the payment processors they connect to are once again the culprit.

Stealing customer credentials.

Fraudsters can gain access to large numbers of card details and matching PIN numbers over computer networks.

The main communication protocol between payment terminals and cash registers, ZVT in Germany, allows a fraudster to simply read payment cards – including credit and debit/EC cards – from the local network.

Worse yet, the protocol provides a mechanism for reading PIN numbers remotely. A cryptographic signature (MAC) protects this mechanism. However, some Hardware Security Modules (HSMs) store the symmetric signature key, which can be vulnerable to a simple timing attack. This attack discloses valid signatures. Attackers can exploit a signature extracted from one vulnerable HSM to target other, more secure models. This violates a base principle of security design where the signature key is the same across many terminals.

Merchant account compromise.

Fraudsters can also transfer money from merchant accounts, anonymously over the Internet.

Payment terminals communicate with a payment processor (who in turn talks to the banks) over the Internet using the ISO 8583 standard. One ISO 8583 dialect popular in Germany and other countries, Poseidon, is implemented with a major authentication flaw: A terminal uses a secret key to execute a cryptographic authentication protocol. So far, so good. A large number of terminals – repeating the mistake made in ZVT – contain the exact same authentication key.

Therefore, after changing a single number (Terminal ID) in any one terminal, that terminal provides access to the merchant account that Terminal ID belongs to. To exacerbate the situation, every payment receipt includes printed Terminal IDs, enabling simple fraud. Fraudsters can exploit this by refunding money or printing SIM card top-up vouchers, all at the expense of the victim merchant. Defense need. In the short term, abusable functionality such as refunds and SIM top-ups should be deactivated wherever possible. To introduce widely acknowledged security principles into our critical payment infrastructure, more drastic system updates are necessary: The two main payment protocols in Germany, ZVT and Poseidon, are both insecure for the same reason: They share secret keys among a large number of devices. Deploying an individual key to each terminal is paramount to make payment systems more fraud-resistant.

Details of this research were presented at 32C3.