At the Chaos Communication Congress in Hamburg, Germany on Dec. 27, a pair of researchers demonstrated vulnerabilities in German banks and their retail payment systems that could allow cybercriminals to steal payment card information and more.
Researchers Karsten Nohl and Fabian Bräunlein of Security Research Labs in Berlin showed what they called “shopshifting” attacks, which exploited the lack of authentication factors in the ZVT and Poseidon communication protocols used by the card readers. The flaws could allow an attacker to perform man-in-the-middle (MitM) style attacks through a retailer's network via a Wi-Fi or Ethernet connection.
The vulnerabilities in the ZVT protocol, used between the readers and the point of sale (POS), could allow an attacker who is positioned between the POS system and the reader to harvest card data, including personal identification numbers (PINs), while remaining undetected.
The vulnerabilities in the Poseidon protocol, used between the reader and the merchant's bank, could allow an attacker to reprogram the payment processors to transfer funds into the account of the attacker's choice, or even to process false transactions by reconfiguring their own card reader to act as if it belongs to a retailer, by placing themselves between the card terminal and the Internet.
"Not only are these vulnerabilities more general, they are also much harder to mitigate, because it is not a mistake, it is how these things are programmed to work," Nohl told Reuters.
The Federal Association of Electronic Cash Processors (BECN) told Reuters that it recommends that payment terminal manufacturers begin to push software updates with new safety measures or replace older payment terminals in order to prevent the attacks. The German Association of Savings Banks told the wire service that the attack scenarios are only theoretically possible.
Nohl said that it could take months for all of the vendors to push the updates that would patch the vulnerabilities, but banking experts said there is little evidence to suggest that the vulnerabilities have been exploited in the wild, according to Reuters.