Common payment processing protocols found to be full of flaws

Credit card users could have their PINs stolen, and merchants could have their bank accounts pillaged, in a set of attacks demonstrated by researchers Karsten Nohl and Fabian Bräunlein at the Chaos Computing Club security conference.

Much research has been done into the chips found on credit cards and the readers and number pads used with these cards, but Nohl decided to take a different approach, looking instead at the communications protocols used by those card readers. There are two that are significant; the first, ZVT, is used between point of sale systems and the card readers. The second, Poseidon, is used between the card reader and the merchant's bank. Nohl found that both had important flaws.

The ZVT protocol was originally designed for serial port connections, but nowadays is used over Ethernet, both wired and wireless. The protocol has no authentication, meaning that if an attacker can put themselves on the same network, they can act as a man-in-the-middle between the point-of-sale system and the card reader. The attacker can then read the magnetic stripe data from the card, and can also request a PIN.


Adobe Releases Security Updates for Flash Player

Original release date: December 28, 2015

Adobe has released security updates to address multiple vulnerabilities in Flash Player. Exploitation of some of these vulnerabilities may allow a remote attacker to take control of an affected system.

Users and administrators are encouraged to review Adobe Security Bulletin APSB16-01 and apply the necessary updates.


This product is provided subject to this Notification and this Privacy & Use policy.


IRS Releases Sixth Tax Security Tip

Original release date: December 28, 2015

The Internal Revenue Service (IRS) has released the sixth in a series of tips intended to help the public protect personal and financial data online and at home. A new tip will be available each Monday through the start of the tax season in January. This tip describes the types of fraud alerts provided by the three major credit bureaus that may help protect financial information from identity theft.

US-CERT encourages users and administrators to review the IRS Security Awareness Tax Tip Number 6 and the US-CERT Tip Preventing and Responding to Identity Theft for additional information.

