Simple vulnerability in cashless payment poses risk to one of Europe's largest music festivals


Sziget's case underlines the importance of secure implementation of NFC-based payment systems.

Budapest, Hungary (October 30, 2012) – Sziget Festival, a 6-day event attracting around 400,000 music fans from all over the world, could easily have been disrupted by an organizational security flaw in the festival's NFC-based payment system. Real exploits and financial losses to the organizers were avoided thanks to the joint handling of the problem by its discoverer, Hungary-based SEARCH-LAB Ltd, and the payment provider Meta-MPI.

Sziget ['see-get'] is the world's 9th largest music event on CNBC's list of festivals ranked by attendance. Now in its 20th year, the festival is held in the Hungarian capital, on an island in the Danube river. It is visited by around 65,000 music fans every day, bringing the festival's total attendance over its 6 days to nearly 400,000. UK-based music event portal eFestivals estimates that half of those visitors come from outside Hungary. In 2011, Sziget won the Best European Festival Award. Along with three other festivals in Hungary, Sziget switched to a cashless payment solution last year, and cashless payment was made mandatory across its entire site.

Metapay Festival Card is an NFC-based payment system developed by Hungary's Meta-MPI Financial Information Technology Ltd. In 2011, the company's solution was introduced at Hungary's OTP Klub Gourmet, VOLT, Heineken Balaton Sound and Sziget festivals. This year, the four events generated a total of over 3.3 million payment transactions. Two thirds of those, i.e. 2.2 million transactions, came from the 1,200 terminals operated at Sziget.

SEARCH-LAB, a Budapest-based IT security company, discovered a simple, non-technical trick that allowed anyone to obtain the balance of a card that had not been registered by its owner. Exploiting the glitch required no technical knowledge at all: knowing a card number was enough. (Obtaining one was simple since, despite industry standard recommendations, the ID number was also printed on receipts and appeared in an easily legible font size on the cards themselves.) If the card, as in some cases, had not been registered, a perpetrator just needed to complete the registration instead of the legitimate owner and then block the card as if it had been lost. Having done this, the perpetrator could walk to a festival helpdesk and have the amount left on the "lost" card transferred onto a new card. They could then simply return the new card and collect the stolen balance in cash.
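The root cause described above is a registration step that accepts nothing beyond the publicly printed card ID. The toy model below, written for this article and not Meta-MPI's code, replays the reported sequence (register an unregistered card, report it lost, reclaim the balance) against a registry that only checks the card ID, and against one that additionally requires an activation code handed over with the card; the activation code and the card values are assumptions.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

@dataclass
class Card:
    card_id: str                      # printed on card and receipts: public
    balance: int                      # stored value, constructed sample in HUF
    activation_code: Optional[str]    # assumed: secret delivered only with the card
    owner: Optional[str] = None
    blocked: bool = False

class FestivalWallet:
    """Toy card registry; the flag selects the weak or the hardened registration."""
    def __init__(self, require_activation_code: bool):
        self.require_code = require_activation_code
        self.cards: Dict[str, Card] = {}

    def issue(self, card_id: str, balance: int) -> Card:
        code = secrets.token_hex(4) if self.require_code else None
        self.cards[card_id] = Card(card_id, balance, code)
        return self.cards[card_id]

    def register(self, card_id: str, user: str, code: str = "") -> bool:
        card = self.cards[card_id]
        if card.owner is not None:
            return False              # a registered card cannot be taken over
        if self.require_code and not secrets.compare_digest(card.activation_code, code):
            return False              # the printed card ID alone proves nothing
        card.owner = user
        return True

    def report_lost(self, card_id: str, user: str) -> bool:
        card = self.cards[card_id]
        if card.owner != user:
            return False
        card.blocked = True
        return True

    def reclaim_to_new_card(self, lost_id: str, user: str, new_id: str) -> int:
        lost = self.cards[lost_id]
        if not lost.blocked or lost.owner != user:
            return 0
        moved, lost.balance = lost.balance, 0
        self.issue(new_id, moved).owner = user
        return moved                  # helpdesk refunds this amount to the holder

def walkthrough(require_activation_code: bool) -> int:
    """Victim topped up but never registered; a claimant who only read the
    printed ID registers, blocks and reclaims. Returns what the claimant gets."""
    w = FestivalWallet(require_activation_code)
    w.issue("CARD-0001", 15000)       # constructed sample card
    if not w.register("CARD-0001", "claimant"):
        return 0
    w.report_lost("CARD-0001", "claimant")
    return w.reclaim_to_new_card("CARD-0001", "claimant", "CARD-0002")
```

With the weak registry the whole balance moves to the claimant; with the activation code required, registration by card ID alone is refused and nothing moves.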

SEARCH-LAB made the discovery several weeks before this year's Sziget and immediately notified Meta-MPI's developers about the issue, recommending security improvements. Though Meta-MPI rushed to plug the hole in the system, as is often the case with rushed fixes, the security hole remained partly open. In order to draw the public's attention to similar flaws in emerging payment systems, SEARCH-LAB contacted Index.hu, one of Hungary's leading news portals, but asked them to hold back publication of the vulnerability until the end of the festival.

Index.hu, which is visited by around 2 million users each month, decided to perform a real-life test. The portal's journalists easily managed to demonstrate the trick at Sziget. They shot a video (see below, with subtitles) and wrote an extensive article about exploiting the flaw. In order to avoid panic and exploits in the wild, however, SEARCH-LAB and Index.hu agreed to make the news public only the day after Sziget had closed, when the card cash reclaim period had also ended and the vulnerability could no longer be exploited in the current festival season.

"It is easy to imagine the consequences of publishing such information before one of the world's biggest music events. If the trick had become known before Sziget, some festival-goers would probably have tried to exploit it. This, in turn, could have led to a loss of trust among guests, terminal operators and event organizers, which may have caused long queues or even more serious organizational problems", said Kristóf Kerényi, SEARCH-LAB's security specialist.

"The attitude towards cashless payment systems at Hungarian festivals will never be the same again. Now that they have heard about this glitch, even ordinary festival-goers have become security flaw hunters. We have heard from many friends that they would look for similar flaws in the Metapay Festival Card system at next year's festivals", he added. "The case again highlights how much cheaper it is to take care of security in the development phase of a product or service than trying to plug a hole in it when it is already in the market. The flaw in Metapay Festival Card was, in part, due to typical mistakes that are clearly addressed in Payment Card Industry standards like PCI DSS."

SEARCH-LAB Ltd. (www.search-lab.hu) is a renowned player in the Hungarian and international IT security arena. The company offers a wide range of IT security services, including consulting, audit and testing, contract R&D, and secure coding training for software developers. SEARCH-LAB was founded by experts from the Budapest University of Technology and Economics (BME) aiming to turn their research and educational results into a successful business. In its 10 years on the market, the company has established partnerships with a number of multinational IT and telecom corporations, as well as important universities and research institutions worldwide, and has been involved in several EU research programs.


Press contact:

Katalin Toldi

Director of Marketing and Business Development, SEARCH-LAB Ltd.
+36-1-205-3098; +36-30-429-1455