Security Flaw Found In German Banks’ Retail Payment Systems


Cybersecurity researcher Karsten Nohl discovered a critical vulnerability in the retail payment systems of several German financial institutions.

As Reuters reported Tuesday (Dec. 22), the security flaws revealed by Nohl have the potential to compromise payment card PINs and enable fraudsters to steal funds from both merchant and customer accounts and create fake cards.

According to Nohl, retail point-of-sale terminals in Germany are susceptible to two types of attacks: the first is crafted to steal PINs or fake transactions at checkout, and the second deceives payment processors into transferring funds into fraudulent accounts.

“Not only are these vulnerabilities more general, they are also much harder to mitigate, because it is not a mistake, it is how these things are programmed to work,” Nohl said in an interview with Reuters.

However, German banks don’t seem to be very convinced about the severity of Nohl’s findings.

In a statement released by the German Association of Savings Banks on behalf of all German banks, the group said Nohl’s scenarios most likely won’t happen.

“This is nothing new to us,” German Association of Savings Banks spokesman Stefan Marotzke said. “Since 2012, the card system has been based entirely on chip-and-PIN. Attacks carried out on the magnetic stripe technology are not transferable to smart cards,” he explained, in reference to cards that are more secure and technologically advanced.

The majority of payment terminals in Germany accept magnetic stripe cards known as ZVT, which Nohl confirmed can interfere with contactless and chip-and-PIN payment card technologies. He suggests addressing the threat by disabling vulnerable payment systems before criminals are able to put these fraud techniques to use.