Cyber security experts at the Fraunhofer Institute have highlighted potential financial transaction vulnerabilities when paying for EV charging station use.
The infrastructure for charging electric vehicles is growing tremendously. By 2025, German car manufacturers want at least 15 percent of their sales to be electric vehicles. Security vulnerabilities, however, plague the charging process. Mathias Dalheimer, an expert at the Fraunhofer Institute for Industrial Mathematics ITWM, warns that nearly anybody could debit charging costs to the user-friendly but insecure charge card of an unsuspecting user.
Drivers of conventional vehicles refuel at petrol stations. By contrast, owners of electric vehicles use charging stations, which supply the required charging capacity. With regard to public spaces, many operators of charging stations debit costs to a user’s charge card. A number stored on this card enables the charging station to identify the user. Charging costs are then deducted from the bank account linked to the card.
Unfortunately, it is easy to access and copy the ID numbers stored on charging cards. As Mathias Dalheimer explains: “It is pretty easy to clone a charge card. Many manufacturers of charging stations have failed to implement basic safety mechanisms. And because these manufacturers sell their charging stations in a number of countries, Germany is not the only one affected by this.”
Charge card vulnerability
Dalheimer adds that “there are insufficient safeguards for communication between charging stations and the billing back-end. Card numbers are transmitted directly to operators – often without any encryption at all. Somebody can use simple equipment to intercept these transmissions and obtain customers’ card numbers. This makes it possible for criminals to forge charge cards or, what is arguably easier in practice, simply simulate charging transactions.”
It would probably be very difficult for customers to prove unauthorised use of their charge cards. This is especially true of a roaming charge, when a different operator debits a customer long after charging costs are incurred. It might be weeks before anybody notices the unauthorised use of a charge-card number.
“Several operators of charging stations have acknowledged vulnerabilities; thanks to widespread media coverage, some have taken the initial necessary steps to remedy the situation,” says Dalheimer. “Some large companies have already contacted Fraunhofer ITWM about making charging stations more secure. We also want to set up a consortium of experts that will systematically tackle such matters.”