As it stands, the only way to fix this is to exchange or repair all devices in circulation.
You're spot on about the fix, though I bet you that come Christmas, you could still go into a shop and see these exact models in use. That would be truly criminal, but we shall see. Though who audits/controls these things? If it was a car with a safety flaw, or any consumer product, then you know it would be forcibly recalled right away. A flaw in food packaging even gets recalled instantly, yet I'm not aware of any such controls that could get this device pulled until fit for human consumption/use.
That all said, I sadly feel the only way it will get changed is by active exploitation and insurance companies raising the premiums of those poor shops using such a device.
I hope the right thing is done, but why do I have little faith in it being addressed in a timely manner? Maybe because historically a lot of flaws of such types of devices are usually patched by the manufacturer by using the denial patch: they deny it's an issue and then magically version two fixes it down the line.
Shame you can't flag an article with a revisit reminder so in 6 months' time we can see how things have changed or not.
http://www.cl.cam.ac.uk/~sjm217/papers/oakland10chipbroken.p...
Ultimately, stolen credit card numbers just aren't that monetizable (they're sold for pennies on the dollar, $2-$3 per) and not enough people use their PIN numbers at POS terminals. It seems more fraudsters steal using scareware/rogue AV (it's less likely to be charged back, since the victim actively entered their details).
Well-funded organized crime seems more interested in targeting bank logins, or Medicare (losses in the billions, mixed with bona fide doctor fraud), or maybe home loans and other forms of ID theft.
From the first hit for 'credit card fraud' on Google (the Wikipedia page):
'The cost of card fraud in 2006 were 7 cents per 100 dollars worth of transactions (7 basis points).[2] Due to the high volume of transactions this translates to billions of dollars. In 2006, fraud in the United Kingdom alone was estimated at £535 million,[3] or US$750–830 million at prevailing 2006 exchange rates.[4]'
You can say what you like (the page does note that the incidence of fraud as compared to other types of fraud has gone down), but credit card fraud is extremely destructive and is here to stay for quite a while. Dealing with it is not cheap, or easy, or fast.
Credit card fraud is also an enormous threat to merchants due to the fact that chargebacks result in large fees and, eventually, merchant account termination. Merchants have to compensate by being extremely zealous about fraud and actively filtering out customers (legitimate or not) based on heuristics and data to try and avoid processing fraudulent payments - so for the 1% of your payments that are fraudulent, you probably have to throw out 2-5% of them, just to avoid processing the bad ones.
This is FUD, just with different actors.
"Karsten Nohl and Thomas Roth, of Security Research Labs, say that they have been in touch with VeriFone for six months and have provided technical aid to the company and a German government agency. They are now coming forward to put more pressure on the company—and to raise awareness, “preferably before any criminal can reinvent these attacks.”"
And if they had released the attack, VeriFone would have cried even louder.