Security experts claim that most of the payment terminals, also known as PoS Payment Systems, used in Germany, contain old vulnerable protocols, but also use bad practices when it comes to encrypting data.
According to researchers, το πρόβλημα υπάρχει και στις δύο διαδικασίες επικοινωνίας, δηλαδή στο protocol used to communicate the PoS Payment device of the cashier with the store station, and the protocol that sends the data from the payment terminal to the bank for data processing.
Vulnerable inside…
On the local communication side, the researchers found that a high percentage of German payment processors use the ZVT protocol, which is known to be susceptible to simple eavesdropping attacks and which allows hacker intercept credit card information.
What makes things worse is that this protocol is also responsible for reading the PIN of the card via PoS and sending it back to the central station to allow the transaction.
Although this communication is encrypted, researchers found that PoS (Point of Sale) manufacturers store the encryption key on the device, and often use the same key.
… Vulnerable abroad
Between the PoS terminal and the bank, things are not so rosy. The protocol used to exchange data between these two, a variant of the ISO 8583 standard, known as Poseidon, has an authentication flaw.
By repeating the same error, PoS manufacturers also store the encryption key used to exchange encrypted data with third parties. This key is stored on the device itself and rarely changes, most of the time is the same for whole lots of PoS terminals.
Researchers are scheduled to make an extensive presentation on this topic on Sunday at 27 December in Hamburg at the 32 Chaos Communications Conference (32C3).