Cybersecurity Expert: Card Payments Aren’t Remotely As Secure As You Think They Are


In the UK, emptying your bank account may be as easy as picking up a used card reader on eBay, according to cyber security expert Karsten Nohl.

It sounds too simple to be true. With only the most nominal abilities, a willing individual could easily intercept your credit card information through the most ubiquitous form of payment in the world. It’s easy to assume that the commonplace nature of credit card transactions means that the foremost problems have all been solved. That assumption, according to one of cyber security’s top researchers, is dead wrong.

Nohl has observed and demonstrated multiple methods of credit card theft that are disturbing in their simplicity. All three examples target two communication protocols that are very basic elements of every storefront’s credit transactions. The first is ZVT, essentially the means by which your card information is carried from the reader where you swipe your card to the cash register. The second is Poseidon, which handles delivering the purchase information from the register to the merchant’s bank.

If a hacker can get onto the same network as a store’s POS, they can easily intercept any credit card information that passes through. There is no authentication once you’ve slipped into ZVT, so harvesting card numbers and PIN information is as simple as requesting it. Worse yet, the transaction processes so seamlessly that the retailer is left unaware that anything has happened. The only evidence remaining is a note on the customer’s receipt that no PIN was used.

Every message that displays on a credit card reader has to give a MAC address along with it to ensure it’s from somewhere secure. The problem is, valid MAC addresses are quite easily obtained through a simple trial and error process on the part of the potential thief. Simply entering a long list of these potential alphanumeric codes and looking for one that takes slightly longer to be verified is all that’s needed to figure out which one will let a virtual predator request your information.
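The trial-and-error search described above works only if the time taken to check a code depends on the code itself and if wrong guesses are unlimited. The following added example, which is not code from Nohl's research or from any terminal vendor, contrasts a verifier with that weakness against a hardened one; the HMAC construction, key, tag length and lockout threshold are assumptions made for illustration.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # constructed sample key, not a real terminal key
TAG_LEN = 8                    # assumed tag length for this demo

def tag(msg: bytes) -> bytes:
    """Truncated HMAC-SHA256 standing in for the terminal's message code."""
    return hmac.new(KEY, msg, hashlib.sha256).digest()[:TAG_LEN]

def leaky_verify(msg: bytes, guess: bytes):
    """Weak form: stops at the first wrong byte, so work tracks the secret."""
    expected, steps = tag(msg), 0
    for a, b in zip(expected, guess):
        steps += 1                      # deterministic stand-in for elapsed time
        if a != b:
            return False, steps
    return len(guess) == len(expected), steps

def leak_profile(msg: bytes):
    """Bytes examined for guesses whose first k bytes are right (k = 0..7)."""
    good = tag(msg)
    profile = []
    for k in range(TAG_LEN):
        guess = good[:k] + bytes([good[k] ^ 0xFF]) + bytes(TAG_LEN - k - 1)
        profile.append(leaky_verify(msg, guess)[1])
    return profile

class HardenedVerifier:
    """Constant-time compare plus a failure budget that ends trial and error."""
    def __init__(self, max_failures: int = 3):
        self.max_failures, self.failures = max_failures, 0

    def verify(self, msg: bytes, guess: bytes) -> bool:
        if self.failures >= self.max_failures:
            raise PermissionError("locked after repeated bad codes")
        # compare_digest does not stop early at the first differing byte
        ok = hmac.compare_digest(tag(msg), guess)
        self.failures = 0 if ok else self.failures + 1
        return ok

if __name__ == "__main__":
    msg = b"constructed display message"  # constructed sample input
    print("leaky work per correct prefix length:", leak_profile(msg))
    v = HardenedVerifier()
    print("valid code accepted:", v.verify(msg, tag(msg)))
```

The rising step count in the weak verifier is the signal the paragraph refers to; the hardened verifier removes it and also caps the number of wrong attempts.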

The second method discussed is even simpler, if that’s possible. Using a system password — usually a fixed one, and easily obtainable online — the hacker can simply configure the card readers on a store’s point-of-sale system to funnel money and information to a different account. Outside of the static passwords in use by most card reading systems, there is little to no further security. Once an attacker is in the door, the remaining steps are elementary.

Finally, a hacker can simply purchase an old credit card reader from the web, configure it to the specifications of the business you’d like to swindle, and then start running transactions. It’s not difficult to find the information with which to do this. It’s all available online except for the port number, and once again that can be obtained simply by running a sequence of numbers until one is found that passes.

While these tactics were applied specifically to German technology, the implications have international significance. Many businesses function on these protocols, originally designed in the infancy of online transactions and data theft. The U.S. isn’t immune: protocols such as Poseidon are just local implementations of a global standard. Credit card readers all over the world could very well share similar — if not identical — security flaws.

When Nohl attempted to warn German institutions of his findings, he was summarily waved away. The problems are “nothing new” to the banks in question, and are supposedly only possible in theory. But, to the contrary, Nohl has demonstrated the reality of the threat numerous times, running such attacks in minuscule amounts through several different banks and terminals, hoping to illustrate the issue’s immediacy.

Meanwhile, Germany, Austria, and Switzerland rely on ZVT for roughly 80 per cent of transactions.

Follow Nate Church @Get2Church on Twitter for the latest news in gaming and technology, and snarky opinions on both.

