VeriFone’s Artema Hybrid point of sale (POS) devices – which are highly popular in Germany – have been found to contain a buffer overflow vulnerability that allows an attacker to execute malicious code and steal payment card details, including their PINs.
Experts from Security Research Labs (SRLabs) have identified
the problem back in March and reported it to US-based VeriFone almost immediately. However, the patching process didn’t go as the researchers expected so they decided to make their findings public, hoping that it would accelerate things, The H reports
The issue is critical because it doesn’t require any physical tampering, and the attacks launched by leveraging the security hole are almost impossible to detect.
The researchers demonstrated their discovery in a video and to show just how vulnerable the device is, they even installed a version of the popular PONG game on it. They also performed a demonstration on the German ARD TV channel.
After hearing the news, Deutsche Kreditwirtschaft – the German banking association that regulates such issues – released a statement
saying that the attack is difficult to reproduce outside a laboratory environment.
The organization also stated that even if an attacker manages to obtain the PINs, the cloned cards can’t be used in Germany because of the MM code
However, while in Germany the chances for misuse are slim, fraudsters could easily use the cloned cards to withdraw money from other countries where such measures haven’t been implemented.
Finally, Deutsche Kreditwirtschaft representatives claim that VeriFone promised to roll out software updates for all the affected terminals.
In the meantime, the same team of researchers uncovered another issue with the devices that can’t be fixed as easily. It appears that the Joint Test Action Group (JTAG
) debugging interface of the devices is easily accessible, allowing attackers to easily connect to it.