PIN Pad Pong: Is Verifone Playing Games With German POS Security?

Written by Frank Hayes
July 18th, 2012

The most popular PIN pad in Germany may have a major security hole—at least that’s what a German security lab says. Verifone insists it can’t reproduce the problem. In response, the researchers on July 12 went public with a demonstration on German TV in which a PIN pad was hacked to turn it into a Pong game. Yes, it looks like this started by being about security, and then about money—now, it’s personal.

The problem with this needle match is that what sticks in the minds of consumers is a PIN pad playing Pong—and with that image, who can take payment security seriously?

The PIN pad in question, the Artema Hybrid Terminal, is one that Verifone acquired when it bought all of Hypercom’s business outside the U.S. It handles both Chip-and-PIN and magstripe cards with a single slot, which explains both the Hybrid name and why it’s so popular in Germany—about 300,000 are in use by retailers in Germany and Austria. Naturally, the device has passed muster with the German equivalent of PCI.

But last week, Security Research Labs (SRL) in Berlin claimed the PIN device has both software and hardware vulnerabilities. SRL researchers say the device’s network stack contains buffer overflows, the serial-port interface allows code execution through another buffer overflow, and a diagnostic port is reachable from outside the housing, so an attacker can get full debugging control over the device without ever opening it.

“These attacks target the terminal’s application processor,” the two-man research team wrote. “The security of the cryptographic module (HSM) has not yet been investigated as far as key extraction attacks are concerned. However, a design or implementation shortcoming in the HSM enables control over display and PIN pad from the application processor.”

In other words, even if the keys inside the security module stay safe, malware on the application processor can still control what customers (and retailers) see on the display and what the keypad does, and control of display and keypad is exactly what a PIN-capture attack needs.

At least, that’s what the researchers say. Verifone, for its part, insists the PIN pad is secure. “At no point was the security module or encrypted PIN compromised in this reported attack scenario; neither was the integrity of the EMV transaction violated,” responded Verifone payment security VP Dave Faoro. “As the security module is not affected by the attack scenario, it is not possible using an amended application program to modify the security module’s PIN processing of a successful card payment transaction.”

That is, Verifone says the EMV transaction itself cannot be tampered with on the Artema Hybrid. It does not say whether PINs or card data entered on a display and keypad that malware controls can be captured.

Faoro also said Verifone hired its own security lab, which couldn’t reproduce the attack scenario, and hired two more penetration testing firms to work on the problem. He complained that the German researchers haven’t given Verifone enough information to understand the attack. The researchers say they notified Verifone about the vulnerability more than six months ago, and Verifone’s inaction is why they went on TV.

This all sounds like some strange passive-aggressive security dance, with the researchers saying, “You have a security hole but we won’t tell you what it is,” and Verifone responding, “How can we know what’s wrong if you won’t tell us?”

What neither side is saying is that this is probably about money.


One Comment

  1. A reader Says:

    Internally, PIN pads have two discrete processing components, an application processor and a security module. The security module contains the keys and does the encryption. The researchers have not claimed they broke into this module. The app processor displays the screens, and gathers user input, and this is where the attack was demonstrated.

    To prevent fraud by a dishonest retailer, applications and screens that display 10 key pads have to be reviewed and digitally signed by the manufacturer to ensure the app isn’t falsely requesting the customer’s PIN.

    However, the app’s security is enforced by the app processor’s OS. With JTAG access (USB JTAG communications modules can be bought online or built for about $20 in parts), or other network vulnerabilities that enable accessing system-level code, the attacker could take over the OS, bypass the signature requirements and run their own code, enabling them to intercept PINs.

    The guys at Security Research Labs have done some serious work in the area of breaking ciphers, and have developed and released software that mathematically analyzes generic crypto algorithms, and used it to break the Crypto1 cipher used in the MiFare transit cards in under 40 seconds.

    They have the chops. If they claim to have hacked these PIN pads, and if they say a risk exists, I don’t doubt them.
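As an added illustration, not code from the article, from Verifone or from the researchers, the following Python model contrasts the two places the screen-signing rule described in the article and in the comment above could be enforced: in the application processor's OS, where JTAG access or a code-execution bug removes it, or inside the security module itself. The keys, the screens, the customer's PIN and the HMAC standing in for the manufacturer's signature are all constructed assumptions; the model says nothing about how the Artema Hybrid actually implements either side.

```python
"""Toy model of a two-processor PIN pad: application processor plus security module.

Added example, not vendor or researcher code. Every key and screen below is a
constructed stand-in so the model runs offline.
"""
import hashlib
import hmac
from dataclasses import dataclass, replace

# Assumption: the manufacturer's screen-signing key, modelled as a shared HMAC key.
# A real terminal would verify a public-key signature instead.
MANUFACTURER_KEY = b"constructed-manufacturer-signing-key"
# Assumption: the security module's PIN-encryption key; it never leaves the module.
HSM_PIN_KEY = b"constructed-hsm-pin-key"
# Constructed sample input: what the customer types whenever a keypad screen appears.
CUSTOMER_PIN = "1234"


@dataclass(frozen=True)
class Screen:
    text: str
    shows_keypad: bool          # screens that gather a 10-key entry must be signed
    signature: bytes = b""


def _screen_bytes(s: Screen) -> bytes:
    return f"{s.text}|{int(s.shows_keypad)}".encode()


def manufacturer_sign(s: Screen) -> Screen:
    """What the manufacturer's review process does to an approved screen."""
    sig = hmac.new(MANUFACTURER_KEY, _screen_bytes(s), hashlib.sha256).digest()
    return replace(s, signature=sig)


def screen_is_signed(s: Screen) -> bool:
    expected = hmac.new(MANUFACTURER_KEY, _screen_bytes(s), hashlib.sha256).digest()
    return hmac.compare_digest(expected, s.signature)


class AppEnforcedHSM:
    """Flawed design: the security module trusts whatever the app processor sends.
    Keypad digits go back to the app processor in the clear, so display and pad
    are effectively under the control of application code."""

    def display_and_read(self, s: Screen) -> dict:
        if not s.shows_keypad:
            return {"shown": s.text, "pin_clear": None, "pin_block": None}
        return {"shown": s.text, "pin_clear": CUSTOMER_PIN, "pin_block": None}


class HSMEnforced:
    """Hardened design: the security module checks the manufacturer signature
    itself before switching the pad into PIN-entry mode, and only ever releases
    an encrypted PIN block (an HMAC stands in for the PIN block cipher here)."""

    def display_and_read(self, s: Screen) -> dict:
        if not s.shows_keypad:
            return {"shown": s.text, "pin_clear": None, "pin_block": None}
        if not screen_is_signed(s):
            return {"shown": "SCREEN REJECTED", "pin_clear": None, "pin_block": None}
        block = hmac.new(HSM_PIN_KEY, CUSTOMER_PIN.encode(), hashlib.sha256).hexdigest()
        return {"shown": s.text, "pin_clear": None, "pin_block": block}


class AppProcessor:
    """Runs the retailer application. Its OS is what normally enforces the
    signature rule; with JTAG or a code-execution bug that check disappears."""

    def __init__(self, hsm, os_compromised: bool = False):
        self.hsm = hsm
        self.os_compromised = os_compromised

    def show(self, s: Screen) -> dict:
        if s.shows_keypad and not self.os_compromised and not screen_is_signed(s):
            return {"shown": "OS BLOCKED UNSIGNED SCREEN", "pin_clear": None, "pin_block": None}
        return self.hsm.display_and_read(s)


GENUINE = manufacturer_sign(Screen("Enter PIN", shows_keypad=True))
ROGUE = Screen("Enter PIN", shows_keypad=True)   # attacker's unsigned copy


def pin_captured(hsm, os_compromised: bool, screen: Screen) -> bool:
    """True when the application processor ends up holding the clear-text PIN."""
    return AppProcessor(hsm, os_compromised).show(screen)["pin_clear"] == CUSTOMER_PIN


if __name__ == "__main__":
    for hsm in (AppEnforcedHSM(), HSMEnforced()):
        for compromised in (False, True):
            for name, scr in (("genuine", GENUINE), ("rogue", ROGUE)):
                verdict = "PIN captured" if pin_captured(hsm, compromised, scr) else "no clear PIN"
                print(f"{type(hsm).__name__:16} os_compromised={compromised!s:5} {name:8} {verdict}")
```

The point of the model is where the check lives. With the flawed design, the honest OS blocks the attacker's unsigned screen, but once the OS is taken over the same rogue screen is displayed and the digits come back in the clear; with the check inside the security module, even a fully compromised application processor gets either a rejected screen or an encrypted PIN block, never the digits.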

