Two German security researchers have said that they can easily crack credit card readers made by VeriFone, one of the world’s top firms in payment infrastructure. Just this week, the company won a $35 million contract to provide payment terminals for all taxis in Washington, DC.

The accusation, which has yet to be confirmed by any independent groups (the technical details have not yet been released), could potentially affect approximately 300,000 such credit and bank card terminals across Germany, with a "handful in Austria." The attack is specific to the Artema Hybrid Terminal, which is sold under various brand names by VeriFone.

Karsten Nohl and Thomas Roth, of Security Research Labs, say that they have been in touch with VeriFone for six months and have provided technical aid to the company and a German government agency. They are now coming forward to put more pressure on the company—and to raise awareness, “preferably before any criminal can reinvent these attacks.”

“Without some drastic publicity, I don't think that shopkeepers will know about it,” Nohl added.

Nohl has a significant track record in the computer security world, having previously cracked the A5/1 encryption used on GSM phones, and also having developed software (Catcher Catcher) that can detect whether a phone is being tracked by an IMSI catcher, which in 2010 could be built for as little as $1,500.

In an e-mail to Ars, Dani Siemon, a VeriFone spokesperson, said that there have been no such real-world attacks so far. “This is one lab that has reported (unsubstantiated) that they were able to do this,” she wrote. “No credit card users are at risk.”

From playing pong to spoofing ATM cards

Nohl told Ars on Friday, without disclosing specific details, that by exploiting a buffer overflow in the terminal, a “crucial memory region” of the device could then be overwritten with executable code.

The hacks, Nohl and Roth say, could potentially allow an attacker to gain full control of the banking terminal, making it possible to change the value of transactions or potentially to spoof transactions. They even demoed how to play Pong directly on the card terminal.

“The worst case scenario is somebody breaks into a network of a large retailer chain and then installs this malware on 10,000 payment stations,” Nohl said. “Within a two-month period, it would see a million different cards. Of those million, the malware has copies and PIN numbers and can use [cloned cards] for payment and to get cash from ATMs, and at that point it would be impossible to get them. What are you going to do, replace them all?”

The German public television network ARD ran a prime time story nationwide (German) profiling Nohl and Roth and their work on Thursday evening. In that story, VeriFone only provided a written statement, and in response to questions submitted by Ars on Friday, has only responded in a similar fashion.

VeriFone wants more details, is continuing investigation

A statement written by Dave Farco, a company vice president for payment security, said that VeriFone was aware of the vulnerability.

“Despite several requests by us for them to provide information needed to duplicate an attack scenario, the security firm instead chose to publicize its efforts, which has led to dissemination of misleading and speculative information,” he wrote.

“At no point was the security module or encrypted PIN compromised in this reported attack scenario; neither was the integrity of the EMV transaction violated. As the security module is not affected by the attack scenario, it is not possible using an amended application program to modify the security module's PIN processing of a successful card payment transaction.”

He cast further doubt on the immediate claim, saying that the company was working with a German Banking Association (DK)-approved security lab to test Nohl and Roth’s claims.

“Since the first indication, we have been working closely with an approved DK lab to investigate the reported breach scenario but have not been able to replicate the attack scenario,” he continued. “Subsequently, VeriFone retained additional independent expert penetration testing firms with expertise in payment security compliance, to assess the breach scenarios and potential ramifications.”

But the company remains committed, he said, “to fully investigate this situation, communicate with local authorities, and report back to you on our findings.”

UPDATE: Dani Siemon wrote to Ars on Friday evening to say: "To be specific, they are sold in Germany with a handful in Austria. Without a doubt, VeriFone does not sell them in the U.S. We do not have EMV yet and it is a style that would not be effective in the U.S. market." We have changed our subhed accordingly.

UPDATE 2: Karsten Nohl also wrote to Ars on Friday, responding to VeriFone's assessment.

"None of the statements regarding card cloning actually mean that PIN intercept and mag stripe cloning are prevented. All the vendor is saying is that a fraudster needs to be a little smart about how to trick the user into entering the PIN number. Take, for instance, SDA EMV cards—these cards require the PIN number to be sent unencrypted through the processor that we hacked. And that's just one of at least four possibilities to steal the PIN.

I disagree that EMV is not affected. Inputs into an EMV transaction can be altered by the terminal. In addition: More than one EMV transaction can be generated while the card is in the device. A hacked payment terminal breaks one of the security assumptions of EMV."