> the exposed root shell does not seem to be as big of a risk as initially feared. ... I could not find any evidence that sensitive data, such as card details, could become compromised this way
A good read for security designers, though.
In security, physical access and to a lesser extent root access are equivalent to a guaranteed hack.
That having been said, this isn't perfect security. While a chip/tap card is in contact with the reader, it can still be used for fraudulent purposes. And physical access can open the door to other exploits, like trying to break the card's own security or installing a camera to capture images of the card.
How can they verify the transaction details without those numbers?
Your thing in the shape of a credit card is a HSM that holds the private key of the "a certain credit card".
A public key (your bank) can verify if a given digital signature generated by a private key (yor card) is valid or not.
The "CC Terminal" is a device that given the inputs (timestamp+value_of_transaction+password), asks the "CC HSM" to generate the signature of said values. "CC HSM" is smart and will ON PURPOSE refuse to generate valid signatures if you're being funny and inputing wrong passwords. Bank can further check if the signature makes sense or not.
Merchant doesn't need to know the public key, the private key, or your password.
Which makes a hacked terminal problematic since it can display $1.00 as the amount and actually request the CC HSM to sign a $500 transaction.
Because as you rightly pointed out, who said the evil merchant or MitM thief are either MitM'ing the display system, or even have total control of the display system?
It does, it’s on the right side of the terminal.
https://worldline.com/content/dam/worldline/local/sl-si/docu...
Ideally, the use of these stripes should be completely eliminated, as they can't possibly be secured.
Refunds work with chip insertion or contactless.
I got impression that the chips used to contain the magstripe info, but I hope they removed that when rollout got going.
Already, merchants take on liability for magstripe transactions.
Someone gets their static data skimmed and the card misused? The issuer profits from the chargeback fees...
France was using chip cards since 1992, although with the previous standard.
In my case, the "outer" system was Android, so we could use ADB to control it however we liked--with relatively lax security. The "secure board" only took over for the part where it had to handle payment details. In order to test the payment flows we ended up revamping a bunch of 3D printers to hold a stylus instead because the inbuilt android tools couldn't see or touch anything that secure board was doing except for a relatively narrow set of actions like "start payment flow for $X" and "user canceled" and "payment for $X complete".
The secure firmware can be updated, but it is signed as well.
I'm essentially skeptical that if you have the ability to control the linux root filesystem for a very old linux distro that any other security measures for the linux binaries themselves matter.
However, I am assuming that there is a way to gain write access to the hardware registers from Linux. After all, the manufacturer has the ability to "un-tamper" devices and there is this nor_update tool in Linux that might be able to do it. But my guess would be that first a key has to be loaded through some authenticated interface in order to unlock that functionality.
Generally, these devices will use the mp1 to do all of the cryptographic operations around the devices.
The biggest part of this is the keys defined between the terminal and the acceptance gateway (something like CyberSource or Authorize.net).
When the temper protection is tripped the keys that are used are immediately dropped from RAM and you can't recover them, they have to manually be input into the device again to reset the tamper protection.
(Side Note: keys are specific to a merchant. If you're able to extract them, it limits the blowback.)
That's sounds like an overcomplicatedengineer solution.
The 10x engineer uses a hammer to deny service.
Aside: I'm an artist-engineer. I like the performance art of using an oversized hammer to solve a problem that isn't obviously solved using a hammer - and I love the discovery process when my aims fail.
"Recent incidents in the U.S. include criminals committing fraud through processing fraudulent return transactions. As part of the fraud scheme, criminals obtain Point-of-Sale (POS) devices—either from an acquirer or agent while posing as a merchant, from online resellers or auctions, or through theft—and program the POS devices with the credentials of a legitimate merchant, thus effectively cloning the unsuspecting merchant’s actual POS device. Criminals use the cloned POS devices to..."
The attack would only work on terminals where every payment option but the magnetic card reader is broken, but those should give off skimmer alert alarm bells before you ever see a PIN prompt.
So the applications in between, that would be accessible in an attack like this, can't view the PIN.
As far as I understand, the whole system is designed to make replay attacks useless. PIN on its own doesn't allow you to make a transaction, neither does it in combination with a recorded conversation between the reader and the card during a successful transaction. There's some asymmetric cryptography involved with the private key stored in the chip on your card and every signed payload containing a random nonce.
If there are sufficiently few legitimate terminal types in circulation and the user is aware of it, anyone presenting a different terminal would be looked at with suspicion. With the status quo, I as the cardholder essentially have to assume that anything presented to me is likely legit, even if it looks like someone's homemade skimmer.
However, this still leaves the merchant. If they (the person handing me the terminal) aren't in on the scam, any tampering has to be non-obvious to them. AFAIK some places go as far as weighing the devices and regularly checking seals and serial numbers. VISA recommends checking twice daily https://busfin.colostate.edu/Forms/Merchant_Svcs/Visa_Securi...
Trying to tamper with a terminal with physical buttons would almost certainly require rewiring it physically, triggering tamper detection and rendering the terminal useless. So it would have to be swapped with a unit that looks identical despite being tampered, and functions well enough to not raise suspicion. I guess an attacker could hollow out a case and insert completely custom electronics, in theory, but that's quite a high bar (especially if it requires forging serialized seals).
On the touch-screen-with-insecure-Android, a software-only change on the insecure side (never actually initiating PIN entry mode, or only initiating it after the first attempt and "pin incorrect" message) should be enough to get the PIN, and an added NFC skimmer not connected to the other electronics could do the rest.
The devices also look cheaply made, distributed in small numbers, and I have my doubts about them having as many anti-tamper features as the most common terminals, although I might be wrong. If they have strong physical anti-tamper measures, and the software is hardened against software-based tampering, I think that they could, in theory, be comparably secure.
In Russia, where I'm from, I haven't swiped my card for at least a decade. Lately many places also started getting those square Android-based Sberbank terminals that don't even have the magstripe reader, only NFC and chip. Granted, our banking system has been effectively disconnected from most of the world since 2022, but I would be surprised if these aren't designed to accommodate MasterCard and Visa requirements for when they return. And skimmers are simply not a thing here any more. People get scammed through social engineering instead.
I also remember reading that magstripe transactions cost merchants more or something like that, precisely because they carry more risk because they only need static, easily copyable data.
Anyway, the point I'm making is that the threat model changes, and becomes much simpler at that, when transactions can't be made with static data. Because no matter what the scammer captures, even if that's the PIN and the complete data exchange with the card through NFC or the chip reader, they can't use that to make transactions. Obtaining the number, the expiration date, and the CVC is also unlikely to allow them to make online transactions because those need a second factor now. Except on Amazon. Amazon somehow manages to charge my card with just the number and the date, no CVC needed, and no 2fa code either.
Dont see the appeal of putting even more stuff into phone or ewatches (prefer good mechanical ones), losing it would be catastrophe enough as it is for privacy. But thats me.
I could easily live without it and I wouldn’t even consider it to be an important gesture for my next phone but it’s pretty useful when you have it.
Also, idk for Android but on iPhone it’s faster than plastic cards and more secure.
But I hope plastic cards are there to stay because that’s yet another thing locking us into the iOS/Android duopoly.
Also, I think Linux always loads loadercode + mp1.img, regardless of the tamper state. The different code paths depending on tamper state are taken within the (integrity protected) loadercode.
Ie. The system is either in secure mode (with all necessary crypto keys for operation), or it is in insecure mode with a root shell open for debugging and failure analysis, but that transition also deleted the critical private keys.
Now I am curious if I can find a terminal myself, if they are actually getting phased out it might not be too difficult to find a used one...
What keys would you flash them with? Anything encrypted with your "new" keys can't be decrypted on the other end of the transaction anyway, so what would be the point?
Plus I meant for the manufacturer to "repair" it. Maybe tamperproof gets triggered if you accidentally drop the device in an unfortunate way
Almost certainly yes.
Unfortunately, out of 36 readers that I bought, 7 have "died" (2 won't hold a charge, 1 won't scan NFC, and 4 report "tampered"). That attrition rate is pretty bad on the surface but it doesn't tell the whole story of course, how often were they used? How old are they?
The answer to those questions is much more damning. The devices are 1-3 years old (I bought them over time) and have been used a max of 9 days total [0]. Yes, 9 days _total_ of use and 7 of 36 readers failed in some fashion. Oh, and the readers are all kept in hardshell cases with foam inserts (1 slot per reader) whenever they are moved.
Needless to say, I'm not a huge fan of the M2 readers but they are still the best option for me :/
[0] Some background, my company handles festival payments. We travel to events and handle the in-person payments (most happens on web/app) with iPads+M2 Readers. That's why there are so few "days of use" over 3 years.
I have to assume that one of the hard-shell cases got thrown around a little too much which caused 4 readers to go into tamper mode. 3 of the tamper mode readers were in the same case but the other was in my nicest case and still had the issue ("nicest" = custom made case vs pick-and-pluck-style).
The tampers I can somewhat understand (still just so odd to have 4 die "at once"), maybe they did get banged up, but the failed NFC and not holding a charge issues are less acceptable to me given the time/use.
The author is clearly curious and leads in knowing a lot to begin with.
The work-behind-the-work is looking up data sheets for the chips involved, desoldering them without damaging them, in the case of memory resoldering with hookup wire and hopefully its access is slow enough that it can work fine over the length of the wire, following hunches, trying things, and knowing (for next time) the possibility of using a pinhole camera or something of the sort when drilling shallow holes and looking through for tamper traces to avoid in further drills, if so desired be.
As others have mentioned, it would be interesting if the author stuck in and got past the tamper checks to see if it would work as normal. Oh well!
However, this place used to be JS framework news not too long ago
However these folks aren't known for their technical expertise so there's a lot of unnecessary noise feeding into the AI hype cycle of late.
I don't think a TL;DR can replace most articles that appear on HN, but it can certainly tell me whether the article is interesting, much better than any headline ever could. Especially so if the TL;DR is written by a neutral AI with no interest in making me click anything, and hence no qualms about surfacing the most important information to the top.
I actually tried to do this, but it was with GPT-3.5, and I didn't exactly like how it worked. I should look at this again, I wouldn't be surprised if the code I used back then could just be ported over to 2.5 Flash and produce much better results.
In the meantime, if you install the browser extension, you can get the tags directly in HN itself. Would that address the ui issue?
Source: https://gitlab.com/histre/hn-tags
Chrome: https://chrome.google.com/webstore/detail/hacker-news-tags/i...
Firefox: https://addons.mozilla.org/en-US/firefox/addon/hacker-news-t...
If you can figure out how to add the tags while keeping down the visual bloat I would consider a switch.
Well, it's actually just a hardcoded slideshow of E1M1 while something vaguely approximating the main riff of At Doom's Gate plays inconsistently in the background, but you'll have to watch all 15 excruciating minutes of this poorly-narrated Youtube video I'm linking to figure that out.
But it's the spirit of DOOM!!!
/s
It's usually to help teach them the other language.
The rewrite part makes it easier for observers to learn and compare/contrast techniques in different environments for themselves.
Why this would ever be criticised, I can't imagine.
Even emacs was rewritten to rust ( https://github.com/remacs/remacs ), many hours were spent, and the last actual code commit was 5 years ago.... why not spend that time by making the "normal" emacs better? Or make something new in rust?
HACKER [originally, someone who makes furniture with an
axe] n. 1. A person who enjoys learning the details of
programming systems and how to stretch their capabilities,
as opposed to most users who prefer to learn only the
minimum necessary. 2. One who programs enthusiastically,
or who enjoys programming rather than just theorizing
about programming. 3. A person capable of appreciating
hack value (q.v.). 4. A person who is good at programming
quickly. Not everything a hacker produces is a hack. 5. An
expert at a particular program, or one who frequently does
work using it or on it; example: "A SAIL
hacker". (Definitions 1 to 5 are correlated, and people
who fit them congregate.) 6. A malicious or inquisitive
meddler who tries to discover information by poking
around. Hence "password hacker", "network hacker".
No history of the term "hacker," however brief, would be complete with a reference to The UNIX-HATERS Handbook[3].
[1] https://speechcode.com/jargon/
I've been helping run a Hackspace for a few years; I can't tell you how many times (sometimes per week or even day depending on what I'm doing) I have to have this conversation.
I've gotten quite used to going through the patter with non-tech people - try dealing with the local council, or applying for insurance or even personal jobs when it's on your CV. Thankfully a lot of the older people remember the term "hack" meaning "amateur" which eases explanations in a workshop context.
I always assumed IT people would realise the non-negative connotations, but that really isn't the case.
Another word whose change in meaning over the years has resulted in its original sense being effectively erased.
's/with/without/'
I think it’s meant to mean the “move fast and break things” style hacking. Which basically means churning out code fast and pushing through problems quickly instead of getting stuck on perfectionism.
That's the kind of thing a lot of guys in suits would take very seriously. After all you have to connect it to the banking network to see if it works as normal. Not advised.
It could also lead to lowlife types putting pressure on you to help them do that. Not the kind of thing to brag about.
No, it is not, though there is a connection. As it happens, the founder of Hacker News wrote a very inspiring essay shortly before setting up the site on what the word "hacker" means to him, and it's not breaking into computers: https://www.paulgraham.com/gba.html
> To the popular press, "hacker" means someone who breaks into computers. Among programmers it means a good programmer. But the two meanings are connected. To programmers, "hacker" connotes mastery in the most literal sense: someone who can make a computer do what he wants—whether the computer wants to or not.
> To add to the confusion, the noun "hack" also has two senses. It can be either a compliment or an insult. It's called a hack when you do something in an ugly way. But when you do something so clever that you somehow beat the system, that's also called a hack. The word is used more often in the former than the latter sense, probably because ugly solutions are more common than brilliant ones.
...
He goes on to explain in detail how he thinks about the connections between the different senses of the word.
Because it requires no mastery or indeed any special level of ability, finding a passwordless root shell on an exposed serial port does not rise to the level of being a hack in this sense, only in the popular-press sense.
But to validate those transactions, you must send them to the bank over the internet, and you'll get a visit from the feds/FBI/whatever if you do it.
There is no real protection on card readers (most use Linux with a small shitty password). The protection comes from the contracts and regulations between the shops and the banks.
Banks don’t have wide open protocols where anyone can submit a credit card transaction and have it go to arbitrary accounts.
Remember that credit card companies eat the cost of the fraudulent charges. They’re not going to make it easy for those to occur.
I've got a couple on my desk right now; there's nothing I can do with them to steal money, even though they're in dev-mode.
If someone altered the terminal to charge more (a hypothetical suggestion above), they could recoup that money from the merchant’s account because they have an agreement in place.
You can’t run arbitrary transactions to arbitrary accounts (the other proposed attack above) because there isn’t an agreement in place.
Not supposed to be possible on a certified terminal. The certification tests this particular case (the transaction is a hash of the keys, amount and a few other things. The display of the swipe/tap/insert screen and the pin-entry are under control of the certified kernel, so the userspacve application has no control of the amount that is displayed).
> And maybe even send the money to a different account.
Not from the card reader.
Heck a lot of the terminals here can't swipe a card at all
It's curious you're seeing so many stripe fallback incidents. Is this a USA issue?
I remember using Google Wallet years before Apple pay existed. When Apple Pay was announced so many cashiers thought they didn't support tap to pay credit card transactions despite me using it at those locations for years. What was really annoying was a lot of vendors turned off the feature while they "investigated" supporting Apple Pay, and didn't turn it back on for another year or so after they slapped the Apple Pay logo on the exact same terminals.
Nobody cared until Apple did it.
My HSA debit card, issued last year, still doesn’t have a chip.
If I travel to the USA I'll be unable to use these old vending machines and parking meters.
In Europe it's changed 15-20 years ago, when EMV-capable terminals became required, and acceptance of magnetic stripe cards got phased out soon after.
Since Apple Pay became a thing a decade ago, we don't even get US tourists confused by inability to swipe their cards anymore.
And on a tangent about confused customers - I wish where to tap was as obvious as where to swipe. It varies by reader and sometimes that contactless logo is hard to see.
That's happened at least several times already.
I believe breached PoS terminals were what happened in the big Target hack.
The problem is that PoS terminals are not EMV terminals. EMV terminals have been through a certification process, and the hardware part of that certification ensures that the vendor only runs signed-binaries.
Honestly, even if you could write and sideload (or even replace) the applications on the EMV terminal, I do not see a way to get them to a) run, and then b) send money elsewhere.
Only if the card is swiped (magnetic stripe) rather than tapped or inserted. EMV doesn't expose the full card details to the merchant; the card signs a payload with its internal private key and transmits it.
And the OP's root access wouldn't give card details in any case, because they didn't get root on the part of the reader that processes the transactions.
I definitely remember making an _offline_ payment with an AMEX card at a restaurant in the UK some 10 years ago.
Also, most airlines that take payments on board also run the terminals in offline mode.
There must be some mapping of BIN codes and whether to allow an offline transaction.
The way the rules are set up though, the risk of a failed offline transaction is almost entirely borne by the merchant. In most cases the merchant is unwilling to accept this risk and disables the feature.
I don’t typically carry any cash on me, and, well, if their terminals go down before I’ve closed my tab, they assume all of the risk anyway.
they would pass the card with one of those old engraving things lol
Transactions with the cards requiring authorization will take several seconds while with my other cards it will be instant most of the time.
It depends on the configuration of the terminal : most merchant will allow offline (or asynchronous) transactions up to a certain amount when there is an important flux of customers waiting to pay.
I’m also pretty sure (that’s speculation at that point but I felt it in my experience) that some cards have more chances to have instant (offline) transactions than others. The more « premium » the cards the less I saw the "waiting for authorization" screen. Especially for small amounts.
Anecdotal, but most airliners I have recently flown with seem to have switched to online POS terminals, though they do still seem retain offline payment functionality as a fallback. I've seen payments being made, only for the flight attendant to return back to the passenger a few minutes later to inform that the payment was declined. This was over the ocean, so definitely no ground communication.
Airplanes for commercial flight all have VHF/HF or satellite connectivity, the've had that for a long time already. It's used for functionality like ACARS, voice connectivity, remote monitoring / diagnosis, etc. I can imagine this can also be used for payments and other low-bandwidth functionality.
Most airplanes also have WiFi access points on board, even when not offered to passengers. Typically these use hidden SSIDs. Speaking to an airplane tech once I know these are used for flight-crew handheld devices such as the POS terminals and iPads.
I happen to have a few friends that are pilots (all working for the same company) and they told me that their entire fleet already has Starlink terminals retrofitted, though they aren't offering that to passengers yet.
I guess what I'm trying to convey here is: the era of airplanes being 'offline' is already behind us.
I'm afraid that's not true. Merchant terminals have secure hardware embedded inside to store the bank and interchange keys. If those keys leaked, someone could spoof legitimate transactions.
You mean, whenever those keys leak. It's not that hard to do, see e.g. https://media.ccc.de/v/32c3-7368-shopshifting#t=2207
It seems that the banks here are okay with a certain percentage of shrinkage as long as merchants don't have to upgrade and consumers are not inconvenienced. The banks prefer to eat the cost to maintain large fraud and dispute resolution departments. Whereas elsewhere in the world they're much smaller and mainly focused on correspondent banking. It's really interesting to see that the "customer is always right" policy has such a strong influence on the financial sector.
Not asking "teach me how to do this" but could you explain in a little more detail ?
You can read a card (stripe) with one of those cheap readers. The magnetic stripe is not encrypted and you can extract the card number (PAN), expiration date, and cardholder name. Some other less important bits too. You cannot extract the CVV this way, but that is not required for transactions.
Most cards are EMV now. That data is encrypted and it's read/write. These keys can leak, putting you back into a similar state as if you'd read the card via magnetic stripe.
But no amount of card reading gives you the ability to submit transactions to the network. For that, you'd need merchant credentials for their gateway or processor, and you'd usually need to have a presence on the merchant's network (to get through the upstream firewall).
These are all achievable things. Doing so gets you the ability to create transactions against the card. These transactions will be submitted to the network and approved or declined. If approved, funds will settle from the issuing bank to the merchant bank, possibly in multiple steps.
I'm oversimplifying a bit, but the essential point is that funds will settle to the merchant's bank account, not yours. You can cause some headaches, but you cannot steal money.
The compromise of a credit card terminal is only interesting because it gives an attacker the ability to steal the card details for all cards that are subsequently used at the compromised terminal. They can be saved and retrieved later, or sent out to a C&C server, etc. Then these card details can be used for all the usual types of credit card fraud.
It is possible to create a "push" transaction too of course. Visa Direct, Mastercard MoneySend, etc. But that requires a separate merchant account, and should not be possible from the card reader or POS.
If you've compromised deeply enough to be in the AP system, you can create arbitrary payments, but that's well out of scope for this thread.
Then you could just complete a normal transaction on their website and introduce your account in to their system that way, no real need for a compromised terminal?
Then again, changing the merchant account is usually only protected by a numerical PIN so you wouldn't need root access. Maybe it would be to send the original requested amount to the expected merchant account but also do a separate smaller transaction to your own account?
If it were possible to change the settlement account via an online portal or similar, then you'd need the user login credentials for that portal. In which case, compromising the card reader has no additional value.
Is there any proof to this statement or are you just trying to scare people? I think it's possible there are bigger groups that would have their attention and a single fraudulent transaction would just be noise.
In a typical scenario my understanding is that you get the terminal from your acquirer - this is your broker to the card networks. When the terminal makes a transaction, it does some crypto magic using its own keys (that identify it to the acquirer), sends that to the card which does more crypto magic using its own keys, and finally the result of that is sent to the acquirer.
If you do this flow yourself with fake keys you'd get the card to sign a transaction for your fake terminal's key (assuming you know the card's PIN of course - unless you're happy to forego any CVM), but you have no acquirer that would accept said transaction, so I don't see how you could commit a crime here even if you wanted to? You just got some meaningless bytes back.
And of course, if you have an actually valid terminal key that is trusted by an acquirer and do all this, you've effectively just made a normal payment - if the person was willingly paying you then no crime either, and otherwise it's no different than using a legit terminal to bill someone without their knowledge.
You can charge more than the displayed value. But that's pretty much it.
Sure there is: only signed binaries can run, executable filesystem is read-only, data filesystem has noexec bit set, root login is disabled, crippled busybox misses a lot of functionality, keys are loaded from a secure area on bootup, master key injection only available when loading at the factory, bootup itself is more or less secure, tamper detection blanks the chip, etc.
Sure, if you have a cheap non-EMV certified Android terminal imported from Asia it'll probably use a standard Linux, with a rw root filesystem, with root login enabled *and* sudo enabled for the username used to execute applications, tamper-detection is non-existent, screen-casting not locked down, ports are all openable and busybox is more or less complete.
Source: Me. I developed (and still sometimes do) EMV applications for card acquisition for a few years. Even in dev mode (which requires the vendor to provide IDs of the developers), these things are very much locked down solidly.
Sounds good. Has anyone been hired to attempt to attack the device and find vulnerabilities?
In the company I work with, yup. I'm not sure about the rest of the industry, but the security in place ensures that even the developers of the EMV applications are treated as hostile actors.
The certification process itself does do a little bit of malicious attempts too (try to get the terminal to do something out of spec, like during pin-entry, etc).
I’m not looking to hack anything, but it sounds cool to have signed binaries only on linux!!
The way it worked in 2003 (when I first wrote EMV applications) was, when we have a binary that we are ready to deploy, we ship that binary to the manufacturer (Schlumbeger(sp?), at that time), if it passes cert-testing, they sign it and ship it back and that's what we would program the terminals with.
The way it works now is pretty much the same - we build an APK bundle, send it to the manufacturer (Verifone, Pax, etc) and after signing they make it available on their appstore which their terminal can access.
Why? I don't see any benefits.
In any case, the developers don't get a say in what is used to secure the terminal. The manufacturer decides that, then they get the hardware+firmware certified.
The terminals the developers get are already certified and locked down.
If a payment system is relying on my local privilige on some random-ass device to authenticate a payment it deserves every garbage request it gets.
how's that been working out in practice? change the ring tone on your washing machine, dryer, and microwave already?
Of course the microwave generator itself is not mechanical :)
What makes you think it does?
Probably different vendors but this has not been my experience.
Not how it works at all, banks don't have some open API on the internet for processing card transactions
Not that a random person can hit these endpoints, unauthenticated, and try to run a transaction.
People would be surprised if they really took the time to learn how much of life is just operating on good graces.
The first thing to understand at an even higher level about payment cards is that they have always had two separate and barely related components, Authorisation and Settlement.
Authorisation is concerned with whether this specific transaction has been approved in some sense by a card issuer. Authorization today is relatively high tech, there's somewhat decent cryptography, tamper resistance, uniqueness = they really care - and that's because when Authorization problems occur the banks might lose money, which they hate.
Settlement is "just" moving the money from one customer to another. $123.45 from Jim Smith to Terrible Goose Inc, done. This is very mid-late-20th century technology, we're not talking pieces of paper and scribbly hand writing, but fixed width ASCII fields on magnetic tape is fine - it's the customer's money so the banks don't care more than legally required.
Settlement replays are how you get "accidents" where a big store's customers all get charged twice for a whole day - the associated Authorizations can't be replayed, that's the banks money at risk - but the settlements aren't protected.
Merchants can, and some do, choose not to care about Authorization. In a huge business it could make sense to eat say 2% of sales as undetected fraud (ie you never receive payment) rather than have any transactions fail. If you operate a food truck using a terminal to take $1000 per day on your iPhone the people who supply your terminal may not let you opt out because that's risk they don't want. But if Jeff Bezos or Doug McMillon makes more without Auth he's turning it off.
In the US, the two steps for the merchant are Authorize (optional) and Capture. If both steps are performed, it's a dual-message transaction. If you skip Auth, it's a single-message transaction.
Settlement of funds is a multiparty bank-bank-bank operation, in which merchants are not directly involved.
I believe what this comment is getting at is that making fake transactions is useless without a connection to a bank that will execute them.
While the comment is not quite true (see sibling replies), this part is spot on.
This is also why crackpot theories about people walking around with portable card readers and stealing money from contactless cards are false. Yes you can walk around and make those transactions, what comes after (and the setup you had to do before) is the problem. I'm not even sure whether you could get the money out before being caught and shut down. With how many people these days have push notifications for their transactions, I highly doubt that.
I mean with the amount of stolen card details routinely traded and used successfully (at least for a while) and with how little crime like that is investigated or punished in some jurisdictions, I dunno...
Still it's not quite as simple as "taking the money from your card" like said crackpots think.
There's a huge difference between me using your credit card to buy stuff off Amazon (chance of success: somewhere between "doubtful" and "near-definite" depending mostly on geographical factors and your particular bank), and me walking around with a hacked card reader and stealing money out of your account by dialing in phony transactions directed to my account (chance of success: somewhere between "zero" and "also zero, but with a decimal point followed by more zeroes").
I got a notification asking me to confirm a transaction on the Visa and then looked in my app and found they'd actually got another transaction pending at a hotel. I called them up and the hotel said they would "kick out the guests" and refund me. Not sure why they didn't want to call the police on them, because when I called later they said I should report it to the police, but all of the transactions had been refunded so I literally had zero loss and there was nothing really to report... It was them who'd provided the services and suffered the loss, the hotel should have had the police remove them!
Anyway, on the same day the Visa had been used at the hotel, I also had some fraudulent transactions on the Amex, although most of them seemed to be automatically refunded by the vendor themselves (so maybe it was flagged by the vendor's anti-fraud mechanisms and refunded to avoid a chargeback from American Express) before I cancelled the card. They'd tried three times with a similar amount and they'd all refunded.
The other weird thing was that the hotel that the Visa was used at claimed that it had to be a card-present transaction or in a digital wallet, but I didn't get any notification about it being enrolled in a digital wallet and I always had the physical card with me. So not sure if that was mistaken or BS or if they managed to somehow fake the digital wallet.
But yeah it didn't work out for them because I caught the transaction the same day they'd checked in to a hotel with the card and then both were cancelled that day...
It's the hotel that has to clean the room, has lost consumables, and has lost revenue from it not being available to be booked...
At the end of the day the money only goes from one bank account to another, account can be frozen, charge reversed, ... So you just need to secure the POS enough that user feel safe to use it and there is a low number of people that can hack them and are willing to risk prison.
The BDK for your merchant acquirer is held by them in an HSM or equivalent. The IPEK is device specific, derived from the BDK based on the terminal ID.
The individual keys for the HMAC are generated for each transaction and are cryptographically linked to a transaction ID and the IPEK, so that the acquirer can determine whether there are missing messages.
Card readers that comply with the latest EMV chip/contactless standards require a secure element that maintains the crypto information and only allows specific requests from the non-secure element and only provides encrypted blobs for transmission between the acquirer backend and the secure element.
https://en.wikipedia.org/wiki/Derived_unique_key_per_transac...
Any real testing happening in the tamper state might be meaningless. Perhaps the shell is available after the tamper state triggers for resetting purposes.
It just seems like opening it would be the last thing you would try.
No, I got a shell on second, untampered one, as well.
I wonder if they offer their customers source to keep the Busybox folks happy?
Pre-OpenWRT days I was maintained a Linux distro ISL3893 that ended up in court in Germany, the first GPL enforcement:
"17 apr 2004 — GPL testing in court by the Netfilter/Iptables team, due to refuse to give source code of the Sitecom WL-122 (isl3893 based!). In the same time, some source code has appeared on the webserver of Sitecom."
This root shell is probably not a security issue - and maybe even meaningfully user-accessible (for some fancier network configurations or diagnostics) - as, I suspect, it’s nothing more than a glorious modem for a stream of encrypted and authenticated data, plus a firmware updater (likely useless without a valid signature) - it could be potentially pretty much the same as hacking the upstream router. Sensitive (so there’s probably a sticker intended) but not something that breaks device’s security.
I guess Atos Worldline really doesn't like root passwords.
1. Under the current EMV standards for terminals, the NFC and/or chip connection is via a secure element that protects the data in the transaction both in transit and at rest.
2. The transaction is protected in transmission not only by TLS encryption, but with an individual HMAC generated using a key that is derived from a base key that is unique to the terminal and merchant.
The interaction with the card is relatively read-only. There is a "dynamic CVV" that is generated on the card in chip/contactless transactions that adds some security, however, the data on the card is mostly open (PAN, expiry date, CC name etc).
The CHI (cardholder information) has to be maintained in an encrypted state at all times.
The business processes (where this article found the root shell) is not involved in the actual card or transaction security. It communicates with the secure element via a protocol that allows it to specify the amount and other details for a transaction, but the authorization (PIN or otherwise) and encrypted messages are entirely within the secure element.
Liftyee•1d ago
I love thinking of ways to exploit and circumvent hardware restrictions like the extensive tamper protection here, but it seems I'd assumed that once they were triggered it was game over. Apparently not so - still plenty of interesting bits left over to poke around with. Makes sense that the secure part gets properly disabled though, otherwise I'd lose all confidence in their designers.
lxgr•1d ago
> [...] only text strings seem to be passed to a binary (display_tool), that issues some inter-processor messages. The same goes for the key pad or the card reader itself. I could not find any evidence that these peripherals could be accessed directly from Linux.
> Instead, there is an entirely separate processor, refered to as mp1, that seems to handle all the “secure” stuff, like handling the card, getting the pin and showing information on the screen. The “insecure” Linux, running on the second processor, mp2, only handles the networking, the updating, and the business logic.
fredthestair•1d ago