
German security experts find major flaw in credit card terminals - cjfarivar
http://arstechnica.com/security/2012/07/german-security-experts-find-major-flaw-in-credit-card-terminals/
======
revelation
Apparently, the JTAG debugging interface is exposed to the outside. You know,
the one that should be turned off physically in the CPU itself through a blow
fuse on production processors. The one critical interface where you don't even
populate the headers and connectors on the finished boards.

As it stands, the only way to fix this is to exchange or repair all devices in
circulation.

~~~
Zenst
The fact that the JTAG is physically there in a usable form at all is shocking.
I don't design hardware, but even I know this.

You're spot on about the fix, though I bet you that come Christmas, you could
still go into a shop and see these exact models in use. That would be truly
criminal, but we shall see. Though who audits/controls these things? If it
was a car and a safety flaw, or any consumer product, then you know it would be
forcibly recalled right away. A flaw in food packaging even gets recalled
instantly, yet I'm not aware of any such controls that could get this device
pulled until fit for human consumption/use.

That all said, I sadly feel the only way it will get changed is by active
exploitation and insurance companies raising the premiums of those poor shops
using such a device.

I hope the right thing is done, but why do I have little faith in it being
addressed in a timely manner? Maybe because historically a lot of flaws of such types of
devices are usually patched by the manufacturer by using the denial patch: they
deny it's an issue and then magically version two fixes it down the line.

Shame you can't flag an article with a revisit reminder so in 6 months' time we
can see how things have changed or not.

------
dazbradbury
Isn't the fact that Chip and Pin is susceptible to "Man in the Middle"
attacks, affecting all terminals, the bigger issue?

[http://www.cl.cam.ac.uk/~sjm217/papers/oakland10chipbroken.p...](http://www.cl.cam.ac.uk/~sjm217/papers/oakland10chipbroken.pdf)

~~~
pgeorgi
Chip and Pin is secure on these devices (the HSM is safe). The attack vector
is simulating "there was an error processing your transaction, please retry",
where the first transaction went through and you only want to collect the PIN.
It seems these devices can route the keypad to _either_ software _or_ HSM,
with no way of routing the pin from software to HSM.

------
farmdawgnation
I find it amusing how the CC execs admit they couldn't reproduce the attack,
and he seems somewhat proud of that fact. Maybe my interpretation is just
colored with my impression of execs of large companies. -.-

------
eru
> “This is one lab that has reported (unsubstantiated) that they were able to
> do this,” she wrote. “No credit card users are at risk.”

And if they had released the attack, VeriFone would have cried even louder.

------
kylebrown
So it's possible to remotely overwrite the Verifone software to capture PIN
numbers. The local attacks aren't as terrifying, since it was already possible
to replace them with modified devices to skim PINs. And what about all the HSM
PIN-recovery attacks, on which the details are already available? And where
are those <1mm thick ATM skimmers they warned us about?

Ultimately, stolen credit card numbers just aren't that monetizable (they're
sold for pennies on the dollar, $2-$3 per) and not enough people use their PIN
numbers at POS terminals. It seems more fraudsters steal using scareware/rogue
AV (it's less likely to be charged back, since the victim actively entered
their details).

Well-funded organized crime seems more interested in targeting bank logins, or
Medicare (losses in the billions, mixed with bona fide doctor fraud), or maybe
home loans and other forms of ID theft.

~~~
kevingadd
Sorry, suggesting that credit card fraud isn't a real threat to people is just
completely out of touch.

From the first hit for 'credit card fraud' on Google (the Wikipedia page):

'The cost of card fraud in 2006 were 7 cents per 100 dollars worth of
transactions (7 basis points).[2] Due to the high volume of transactions this
translates to billions of dollars. In 2006, fraud in the United Kingdom alone
was estimated at £535 million,[3] or US$750–830 million at prevailing 2006
exchange rates.[4]'

You can say what you like (the page does note that the incidence of fraud as
compared to other types of fraud has gone down), but credit card fraud is
extremely destructive and is here to stay for quite a while. Dealing with it
is not cheap, or easy, or fast.

Credit card fraud is also an enormous threat to merchants due to the fact that
chargebacks result in large fees and, eventually, merchant account
termination. Merchants have to compensate by being extremely zealous about
fraud and actively filtering out customers (legitimate or not) based on
heuristics and data to try and avoid processing fraudulent payments - so for
the 1% of your payments that are fraudulent, you probably have to throw out
2-5% of them, just to avoid processing the bad ones.

------
Sam_Odio
It's disappointing that these guys didn't work with VeriFone before
publicizing the attack.

This is FUD, just with different actors.

~~~
majormajor
Where did you get that from? From the article:

"Karsten Nohl and Thomas Roth, of Security Research Labs, say that they have
been in touch with VeriFone for six months and have provided technical aid to
the company and a German government agency. They are now coming forward to put
more pressure on the company—and to raise awareness, “preferably before any
criminal can reinvent these attacks.”"

