top | item 44152059

(no title)

csinode | 9 months ago

I'd be more worried about someone compromising a card reader in the field and reading cached/stored real CC details, or installing some kind of intercepting malware. (That does seem to be difficult/impossible in this specific case, but it means research in this area is relevant.)

discuss

rockbruno|9 months ago

Aren't credit cards nowadays basically physical private keys? IIRC transactions are one-time payloads signed specifically for that operations, so intercepting that won't help you if I'm not mistaken about how cards work nowadays.

literalAardvark|9 months ago

Kind of, but if you control the card reader you could charge more for the transaction without showing the amount, for instance. And maybe even send the money to a different account.

weaksauce|9 months ago

unless it's changed recently that only applies to tap and chip payments (which you should always prefer to avoid card skimmers) and not the old slide the ~~barcode~~ magnetic strip kinda payment.

nine_k|9 months ago

Someone with a root access to a card reader could just make it collect CC details with every transaction, no caches needed. It could also make certain transactions "temporarily fail", while siphoning a certain amount of funds to another, legit-looking, merchant under the hood.

jhugo|9 months ago

> could just make it collect CC details with every transaction

Only if the card is swiped (magnetic stripe) rather than tapped or inserted. EMV doesn't expose the full card details to the merchant; the card signs a payload with its internal private key and transmits it.

And the OP's root access wouldn't give card details in any case, because they didn't get root on the part of the reader that processes the transactions.

reaperducer|9 months ago

I'd be more worried about someone compromising a card reader in the field and reading cached/stored real CC details, or installing some kind of intercepting malware.

That's happened at least several times already.

I believe breached PoS terminals were what happened in the big Target hack.

lelanthran|9 months ago

> I believe breached PoS terminals were what happened in the big Target hack.

The problem is that PoS terminals are not EMV terminals. EMV terminals have been through a certification process, and the hardware part of that certification ensures that the vendor only runs signed-binaries.

Honestly, even if you could write and sideload (or even replace) the applications on the EMV terminal, I do not see a way to get them to a) run, and then b) send money elsewhere.

adolph|9 months ago

This story about a physical card reader checker to detect skimmer devices was interesting and posted here a couple years back.

https://tech.target.com/blog/cybersecurity-easysweep

https://news.ycombinator.com/item?id=36788831

christina97|9 months ago

There are much easier ways to skim cards than hacking the terminal.

account42|9 months ago

Not without leaving physical evidence.