A vulnerability in smartcard readers made by vendor Kobil allows intruders to install specially crafted firmware without opening the sealed housing. Attackers could exploit this to read PINs such as those used for digital document signatures or to display forged data on-screen. To prevent such intrusions from happening, smartcard readers are usually subjected to a special security check before they are approved. Several leading institutions had tested the Kobil readers and confirmed that they complied with the strict German Signature Law (SigG) including the German Federal Office for Information Security (BSI). The German Central Credit Committee (Zentraler Kreditausschuss, ZKA) also approved the TriB@nk device for use with the “Geldkarte” application, and Secoder, the successor of HBCI, for home banking.
Read more on The H Security.