German Card PINs Exposed Through Vulnerable Magnetic Stripe Terminal

Card data and PINs might be at risk when using Germany’s Hypercom Artema Hybrid card terminal. A critical security hole can easily be exploited over a TCP/IP connection: a buffer overflow attack can take control of the device.

The security hole circumvents the Hardware Security Module without requiring hardware tampering, as demonstrated by Thomas Roth from Berlin-based Security Research Labs. Victims are unaware of the fraud, and the vulnerability is all the more interesting because attackers can work their way to subsidiaries after hotels or supermarkets are compromised.

Attackers can log PIN numbers as customers swipe the magnetic stripe, leaving no trace of their activity as the payment transaction is issued. The vulnerability was reported to manufacturer VeriFone, which said it had trouble reproducing the hole “during a payment transaction.”

Because all German cards contain an anti-counterfeiting measure known as “machine-readable modulated,” duplicating and using them within the country is impossible.

The German banking industry association said duplicate cards with magnetic stripes cannot be used at cash points around the country, but stolen data can be used abroad to cash out bank accounts.

Although both the manufacturer and the German banking industry association promised a timely fix, SRLabs CEO Karsten Nohl found that the processor’s Joint Test Action Group (JTAG) debug interface is also vulnerable.

About the author

Liviu ARSENE

Liviu Arsene is the proud owner of the secret to the fountain of never-ending energy. That's what's been helping him work his everything off as a passionate tech news editor for the past couple of years. He is the youngest and most restless member of the Bitdefender writer team and he covers mobile malware and security topics with fervor and a twist. His passions revolve around gadgets and technology, and he's always ready to write about what's hot and trendy out there in geek universe.

1 Comment

  • If that happened to one of our clients, it would pose no problem at all. They can steal your card, PIN code, online banking User ID and password, and still can’t access your account.
    Please see the ATM demo at the above website.