• DocumentCode
    633017
  • Title

    Security analysis of Croatia's receipt registration and verification system

  • Author

    Gros, Sebastien

  • Author_Institution
    Fac. of Electr. & Comput. Eng., Univ. of Zagreb, Zagreb, Croatia
  • fYear
    2013
  • fDate
    20-24 May 2013
  • Firstpage
    1100
  • Lastpage
    1104
  • Abstract
    Beginning in 2013, a law came into force in Croatia that requires owners of restaurants, café bars, and similar types of businesses that work with cash to register every receipt with the Tax Administration servers before issuing it to a customer. To implement the law, APIS-IT, a Croatian IT company, developed a protocol based on XML, SOAP, and public key cryptography. They also implemented the server-side system. It is a well-known fact that developing protocols in general, and security protocols in particular, is a very tricky endeavor in which even security professionals make mistakes. In this paper, a security analysis of the protocol for receipt registration, the components of the system, and the implementations is presented. Note that this is only a partial analysis, based on publicly available information, which doesn't include testing on live systems, because such testing is illegal under the new Criminal law in Croatia. We identified two weaknesses of the current system. But the main problem of the system is the fact that many business owners are now open to different attacks and nothing has been done to remedy that situation. This is actually a broader problem since, with an ever-increasing number of online services, nothing is done to increase people's security awareness.
  • Keywords
    XML; catering industry; criminal law; cryptographic protocols; document handling; formal verification; public key cryptography; tax preparation; APIS-IT; Croatia receipt registration system; Croatia receipt verification system; Croatian IT company; SOAP; XML; café bars; criminal law; online services; public key cryptography; restaurants; security analysis; security protocols; server side system; tax administration servers; Organizations; Protocols; Registers; Security; Servers; XML; analysis; finance; security; threats; xml;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Information & Communication Technology Electronics & Microelectronics (MIPRO), 2013 36th International Convention on
  • Conference_Location
    Opatija
  • Print_ISBN
    978-953-233-076-2
  • Type

    conf

  • Filename
    6596421