Comments on: Chip & PIN terminal playing Tetris

By: Steven Thompson

Steven Thompson — Thu, 10 Feb 2011 09:56:59 +0000

This is brilliant! I didn't realise they were so easily manipulated? Pretty worrying that I'd have no clue if one had been compromised or not. Isn't there an electrical version of Tamper Evident Tape that would show unknowing customers whether something was up?

By: Tamper Evident Tape

Tamper Evident Tape — Wed, 09 Feb 2011 14:54:23 +0000

Haha this is a brilliant and very lighthearted way of showing the problems of our everyday technology that is trusted. I think this kind of thing is actually really important to alert people, although the tamper resistance would mean that your card couldn’t be used to directly go through to the bank – criminals could still get your card details and use them at a later date. Important lesson taught in a funny way – go these guys!

By: jandy

jandy — Sat, 03 Jul 2010 05:43:04 +0000

Very interesting site. Hope it will always be alive! Its really helped me a lot. credit card swipe machines

By: Billy

Billy — Mon, 23 Jun 2008 14:13:23 +0000

LOL Classis. Striping out the internals and replacing, the only problem it the merchant might get all the details but the transaction will not go through because its a fake.;)

The interceptor method is much better proof of concept because not only will the attacker recieve the details but also the transaction will go through aswell.

By: victor pedro

victor pedro — Sat, 31 May 2008 13:31:18 +0000

They have to insert another flea(chip)(sim) into a terminal of payment and have him(her,it) to connect it bluetooth on a portable pc and like that when a customer pay with that card, they receive all to give them of the card of credit and even the secret code!!!
Do you know the equipment which they were able to use?

By: victor pedro

victor pedro — Sat, 31 May 2008 13:20:44 +0000

Hello all, you know this technique?

http://www.zdnet.fr/actualites/internet/0,39020774,39363071,00.htm

And what material(equipment) and flea(chip) they are to use?

By: Rich

Rich — Mon, 14 Jan 2008 18:35:56 +0000

The bank ought to send a text message to my mobile whenever a transaction is made on my card.

That way, if I’m in say a restaurant I expect to get a text message shortly after paying the bill (or perhaps next day). If I don’t get the text message, I can be suspicious of the card reader.

And if I get a text message but wasn’t expecting one, I can call the bank about the transaction immediately.

By: Saar Drimer

Saar Drimer — Sun, 06 Jan 2008 14:40:24 +0000

Victor,

A POS terminal as many others, is just a small computer you can program to do anything you want with the hardware it has, Playing Tetris, for instance, so, there is nothing amazing on this.

Indeed, this technically un-amazing. It is amazing, however, that a device designed to protect our money fails in this way.

At the end, no matter the security, the cardholder should use an extra feature called “common sense”, to avoid fake terminals and suspicious sites.

Common sense should not play into this (your common sense is different than mine and anyone else’s, I am sure). In order to detect a fake terminal you need to be a trained professional and know exactly what to look for. Are you suggesting training all cardholders? Are you suggesting furthering the liability onto customers for the detection of tampering? This liability should be with the banks because only they can do something to improve the security.

I have personally seen several terminals glued with tape onto a mounting plate (one at Marks and Spencer; I’ve taken pictures), and others that are either old or have stickers and holes on them. Except me, I wonder how many people used the “common sense” you suggest and have refused to use those. But doing what I do, I notice these things though I can’t expect everyone else to.

By: Victor Barrantes

Victor Barrantes — Fri, 04 Jan 2008 17:42:44 +0000

A POS terminal as many others, is just a small computer you can program to do anything you want with the hardware it has, Playing Tetris, for instance, so, there is nothing amazing on this.
Of course, you can also make a more complex program to steal the card info and make whatever you like with the stolen data.
At the end, no matter the security, the cardholder should use an extra feature called “common sense”, to avoid fake terminals and suspicious sites.

By: Steven J. Murdoch

Steven J. Murdoch — Fri, 04 Jan 2008 17:25:58 +0000

@Phillip Yes, I've also been thinking about using a phone in Chip and PIN transactions. The key idea is to allow the cardholder to see the transaction they are about to authorize, on a device controlled by them – their phone. In the current EMV system the smartcard doesn't have a display and the terminal is potentially compromised. The open question is how to get transaction information from the bank to the phone, without harming usability. Since I work for them, I obviously like the Cronto system. As all standard phones come with cameras, the encrypted and authenticated transaction can be encoded in a 2D-barcode. This achieves both mutual authentication and transaction authorization. So far this has been targeted at online transactions, but should work at POS too. Another option is two-channel, such as sending the transaction in a SMS. This is also targeted at online transactions, but at POS the dependence on mobile phone signal and prompt SMS delivery could be a hindrance. Masabi have a good summary of various two-factor authentication systems, including their two-channel proposal. Once phones eventually come with NFC capability, this could be used for POS transactions too. It is currently being trialled.