German Card PINs Exposed Through Vulnerable Magnetic Stripe Terminal

Card data and PIN numbers might be at risk when using Germany`s Hypercom Artema Hybrid card terminal. A critical security hole can easily be exploited via a TCP/IP connection by means of a buffer overflow attack that can take control of the device.

Without requiring hardware tampering, the security hole circumvents the Hardware Security Module, as demonstrated by Thomas Roth from Berlin-based Security Research Labs. Victims are unaware of the fraud, making the vulnerability all the more interesting as attackers can work their way to subsidiaries after hotels or supermarkets are compromised.

Attackers can log PIN numbers as customers swipe the magnetic stripe, leaving no trace of their activity as the payment transaction is issued. The vulnerability was reported to manufacturer VeriFone, which said it had trouble reproducing the hole “during a payment transaction.”

Because all German cards contain an anti-counterfeiting measure known as “machine-readable modulated,” duplicating and using them within the country is impossible.

The German banking industry association said duplicate cards with magnetic stripes cannot be used at cash points around the country but stolen data can be used abroad to cash out bank accounts.

Although both the manufacturer and the German banking industry association promised a timely fix, SRLabs CEO Karsten Nohl found that the processor’s Joint Test Action Group (JTAG) debug interface is also vulnerable.