Two German security researchers have said that they can easily crack credit card readers made by VeriFone, one of the world’s top firms in payment infrastructure. Just this week, the company won a $35 million contract to provide payment terminals for all taxis in Washington, DC.
The accusation has yet to be confirmed by any independent group, and the technical details have not yet been released. It could affect approximately 300,000 such credit and bank card terminals across Germany, with a “handful in Austria.” The attack is specific to the Artema Hybrid Terminal, which is sold under various brand names by VeriFone.
Karsten Nohl and Thomas Roth, of Security Research Labs, say that they have been in touch with VeriFone for six months and have provided technical aid to the company and a German government agency. They are now coming forward to put more pressure on the company—and to raise awareness, “preferably before any criminal can reinvent these attacks.”
“Without some drastic publicity, I don’t think that shopkeepers will know about it,” Nohl added.
Nohl has a significant track record in the computer security world. He previously cracked the A5/1 encryption used on GSM phones and developed software (Catcher Catcher) that can detect whether a phone is being tracked by an IMSI catcher, a device that in 2010 could be built for as little as $1,500.