
32c3 "payment hack": Outdated payment protocols expose customers and merchants - orless
https://srlabs.de/pos-vulns/
======
orless
Payment systems are old and have – unlike card protocols – seen little
scrutiny so far. This talk enumerates design and implementation flaws in
payment processing systems, which can defraud consumers and merchants.

Like most embedded devices, payment system elements are potentially vulnerable
to a range of attacks. This has not changed in years. What did change, though,
is the exposure of these vulnerabilities: Serial interfaces are now exposed
via Ethernet; proprietary backend protocols are reachable over the Internet
TCP, and flaws in real-time operating systems are widely known.

This talk provides an overview of design issues and implementation
vulnerabilities in current payment processing systems, including
unauthenticated protocols and insecure hardware implementations, which enable
fraud vectors against merchants who operate payment terminals and consumers
who use them.

[https://events.ccc.de/congress/2015/Fahrplan/events/7368.htm...](https://events.ccc.de/congress/2015/Fahrplan/events/7368.html)

