Cyber security expert warns German banks of retail payments risks

OXFORD, England (Reuters) - A top cyber security researcher has warned German banks that their retail payment systems have security flaws that could allow fraudsters to steal payment card PIN codes, create fake cards or siphon funds from customer or merchant accounts.

Karsten Nohl, who is credited with revealing major security threats in mobile phones, automobiles, security cards and thumb-sized USB drives, told Reuters he has found critical weaknesses in software that runs retail point-of-sale terminals in Germany.

Nohl outlined two types of attacks: one steals personal identification numbers (PINs) or spoofs transactions when customers pay at checkout tills, and a second tricks the payment processors that act as intermediaries between banks and merchants into transferring funds into other, fraudulent accounts.

Nohl and fellow researchers Fabian Braeunlein and Philipp Maier at Security Research Labs in Berlin disclosed their findings to banks, card issuers, device makers and industry associations in recent weeks. SRLabs acts as a security consultant to Fortune 500 firms, including several big banks.

In 2012, SRLabs uncovered defects in the most popular retail payment terminal in Germany, the Artema Hybrid from U.S.-based VeriFone Systems. The latest findings go further to show that virtually all terminals in Germany are liable to having payments hijacked and paid into any bank account of a hacker’s choosing.

“Not only are these vulnerabilities more general, they are also much harder to mitigate, because it is not a mistake, it is how these things are programmed to work,” Nohl said in an interview.

Some flaws stem from an obscure German payment standard for reading magnetic stripe cards known as ZVT, which can be used not just to steal security codes but also to interfere with newer “chip and PIN” and “tap and go” contactless payment cards, he said.

The Federal Association of Electronic Cash Processors (BECN), which represents electronic cash networks in Germany, said it takes the security threats set out by Nohl seriously.

The association recommends that payment terminal manufacturers take appropriate action to guard against such attacks by pushing out software updates with new safety measures or by replacing older payment terminals, it said in a statement.

Separately, a statement by the German Association of Savings Banks, issued on behalf of all German banks, said the attack scenarios presented by Nohl were only theoretically possible.

“This is nothing new to us,” said German Association of Savings Banks spokesman Stefan Marotzke. “Since 2012, the card system has been based entirely on chip and PIN. Attacks carried out on the magnetic stripe technology are not transferable to smart cards,” he said, referring to newer, more secure cards.

Nohl said the research found that PIN codes can be revealed using these methods. Far from being theoretical, he has made scores of small transfers on different payment terminals at various banks to show these are active threats. He then refunds the money from his corporate account, he said.

Two separate 1990s-era payment standards are at issue, Nohl said: ZVT, and a second, international standard known as ISO 8583, which sets how encrypted payment details are exchanged between merchants and payment processors over the Internet.

Attacks exploiting ZVT weaknesses require a thief to be in the building and have access to a merchant’s local area network. In a hotel, for example, a hacker could check in as a guest and steal as other customers pay at front-desk terminals. Or at a jewelry store, a thief could piggyback on a customer’s transaction.

ZVT is a feature in around 80 percent of payment terminals used in Germany and nearby Austria and Switzerland, Nohl said.

ISO 8583 could allow hackers to trigger remote refunds via the Internet to any bank account in Germany from merchants connected to the payment network. Systems in France, Luxembourg and Iceland are also affected, he said.

In the short term, vulnerable payment system features may need to be disabled by merchants, Nohl said. However, it may take months for vendors to push software upgrades to the estimated 500,000 merchant payment terminals to fit them with unique authentication numbers that could prevent such attacks, he said.

There is scant evidence that suggests criminals are exploiting these fraud techniques so far, banking experts said, but Nohl said such weaknesses in payment systems may explain PIN code thefts reported by some German consumers.

Editing by Louise Heavens