
Outdated payment protocols expose customers and merchants - max0563
https://srlabs.de/pos-vulns/
======
kalleboo
Well that article was completely devoid of information.

Here's the post by the researchers themselves:
[https://srlabs.de/pos-vulns/](https://srlabs.de/pos-vulns/)

tldr: POS card readers have poor security - their HSMs leak their keys, and
many of them don't have unique keys so you can impersonate them

~~~
nspassov
The guys have also done a presentation on this in Hamburg a couple of days
ago:
[https://events.ccc.de/congress/2015/Fahrplan/events/7368.htm...](https://events.ccc.de/congress/2015/Fahrplan/events/7368.html)

Cannot find a recording yet

~~~
kuschku
Recording is here:
[https://streaming.media.ccc.de/32c3/relive/7368/](https://streaming.media.ccc.de/32c3/relive/7368/)

But warning! This is a pure stream dump, don’t expect high quality yet.

~~~
nspassov
Official recording is out now:
[https://media.ccc.de/v/32c3-7368-shopshifting#video](https://media.ccc.de/v/32c3-7368-shopshifting#video)

------
Nursie
It's not my job to defend the payments industry - I think it's full of
dinosaurs putting out bad code slowly - but I will say that the flaws here are
not universal.

I've worked on the security systems for some reader/terminal devices that
contain their own master keys in wipe-on-tamper memory, and use various
key-derivation techniques to derive (and then immediately discard)
per-transaction keys to protect transaction information, PINs etc.

So it's not all as bad as this. However things like ISO-8583, better described
as a protocol family or meta-specification than a single protocol, probably
are rife with poor implementation choices.
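
An added example, not part of the comment above or of the SRLabs research: a sketch of the design the comment describes, where each terminal holds its own key and derives a throwaway key per transaction, so one terminal's key cannot be used to pose as another. The HMAC-SHA256 derivation, the names `derive`, `Terminal`, `provision` and `Host`, and the sample key and messages are all assumptions made for illustration; this is not DUKPT or any vendor's scheme.

```python
import hashlib
import hmac

def derive(key: bytes, label: bytes, context: bytes) -> bytes:
    # One-step KDF (assumed construction): HMAC-SHA256(key, label || 0x00 || context)
    return hmac.new(key, label + b"\x00" + context, hashlib.sha256).digest()

class Terminal:
    def __init__(self, terminal_id: str, terminal_key: bytes):
        self.terminal_id = terminal_id
        self._key = terminal_key   # on a real device: wipe-on-tamper memory
        self._counter = 0

    def protect(self, message: bytes):
        self._counter += 1
        txn_key = derive(self._key, b"txn", self._counter.to_bytes(8, "big"))
        tag = hmac.new(txn_key, message, hashlib.sha256).digest()
        del txn_key   # dropped after one use (Python cannot guarantee zeroization)
        return self.terminal_id, self._counter, message, tag

def provision(base_key: bytes, terminal_id: str) -> Terminal:
    # Each terminal gets its own key; the base key never leaves the host.
    return Terminal(terminal_id, derive(base_key, b"terminal", terminal_id.encode()))

class Host:
    def __init__(self, base_key: bytes):
        self._base = base_key      # in production this sits inside the host HSM
        self._last = {}            # highest counter accepted per terminal

    def verify(self, terminal_id: str, counter: int, message: bytes, tag: bytes) -> bool:
        if counter <= self._last.get(terminal_id, 0):
            return False           # replayed or stale transaction counter
        tkey = derive(self._base, b"terminal", terminal_id.encode())
        txn_key = derive(tkey, b"txn", counter.to_bytes(8, "big"))
        expected = hmac.new(txn_key, message, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False           # tag was not made with this terminal's key
        self._last[terminal_id] = counter
        return True

if __name__ == "__main__":
    base = bytes(range(32))        # constructed sample key, not a real one
    host, t1 = Host(base), provision(base, "T-0001")
    first = t1.protect(b"amount=10.00;currency=EUR")
    print("genuine:", host.verify(*first))
    print("replay:", host.verify(*first))
    tid, ctr, msg, tag = t1.protect(b"amount=10.00;currency=EUR")
    print("as T-0002:", host.verify("T-0002", ctr, msg, tag))
```

The terminal key itself is long-lived here, so the scheme relies on the tamper-responsive storage the comment mentions; only the per-transaction keys are discarded.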

------
ScottyTM
The official release is out now:

[https://media.ccc.de/v/32c3-7368-shopshifting#video](https://media.ccc.de/v/32c3-7368-shopshifting#video)

------
mcpherrinm
The raw stream dump from the CCC talk is available at
[https://streaming.media.ccc.de/32c3/relive/7368/](https://streaming.media.ccc.de/32c3/relive/7368/)

You should jump to 17:45 in that video for the start of the talk.

