Chip & PIN terminal Hacked
But are we really at risk?
by Ivan Pintori, posted on 2007-01-08 01:46:00 under Banking
Well, Saar Drimer demonstrated that you can replace much of the electronics of a POS terminal with something else. And yes, you can make it play Tetris. And they display some l33t skills too. But the question is: can you steal money? The answer is no.
You could use the magnetic stripe reader and keypad to clone a classic card, but then again you would have to let transactions through, otherwise no one would use a "broken" POS to pay. And no, you can't copy the contents of the card's microchip either.
You see, technically the terminal pushes the data to be signed and the user's PIN to the card, which then does the signing. And no, you can't steal a user's private key. You could try to send a fake amount, but that wouldn't work either: you would have to replace the terminal's own signed key, and you don't have access to the certificate server's private key.
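The flow in the paragraph above as a simplified model, added here as an illustration and not taken from the original post or from any real terminal: the card keeps the key, checks the PIN itself and returns only a tag over the terminal's data, so a changed amount fails verification. HMAC from the Python standard library stands in for the card's signature (so the verifier shares the key instead of holding a public key); `Card`, `encode_tx`, `issuer_verify` and all sample values are constructed for this example.

```python
import hashlib
import hmac
import secrets


class Card:
    """Toy chip card: the key is loaded once and no method ever returns it."""

    def __init__(self, key: bytes, pin: str, max_tries: int = 3):
        self.__key, self.__pin = key, pin
        self.__max_tries = self.__tries_left = max_tries

    def sign(self, pin: str, tx_data: bytes) -> bytes:
        """Check the PIN on-card, then return a tag over the terminal's data."""
        if self.__tries_left == 0:
            raise PermissionError("PIN blocked")
        if not hmac.compare_digest(pin.encode(), self.__pin.encode()):
            self.__tries_left -= 1
            raise PermissionError("wrong PIN")
        self.__tries_left = self.__max_tries
        return hmac.new(self.__key, tx_data, hashlib.sha256).digest()


def encode_tx(amount_cents: int, merchant: str, nonce: bytes) -> bytes:
    """Length-prefix the merchant so field boundaries are unambiguous."""
    m = merchant.encode()
    return amount_cents.to_bytes(8, "big") + len(m).to_bytes(2, "big") + m + nonce


def issuer_verify(key, amount_cents, merchant, nonce, tag) -> bool:
    """Recompute the tag over the amount the terminal reported and compare."""
    expected = hmac.new(key, encode_tx(amount_cents, merchant, nonce), hashlib.sha256)
    return hmac.compare_digest(expected.digest(), tag)


def demo():
    key = secrets.token_bytes(32)   # constructed sample key
    card = Card(key, pin="4929")    # constructed sample PIN
    nonce = secrets.token_bytes(8)  # fresh per transaction
    tag = card.sign("4929", encode_tx(1250, "CAFE-01", nonce))
    honest = issuer_verify(key, 1250, "CAFE-01", nonce, tag)
    tampered = issuer_verify(key, 125000, "CAFE-01", nonce, tag)  # amount changed
    try:
        card.sign("0000", encode_tx(1250, "CAFE-01", nonce))
        wrong_pin_signed = True
    except PermissionError:
        wrong_pin_signed = False
    return honest, tampered, wrong_pin_signed
```

`demo()` returns whether the honest amount verified, whether the altered amount verified, and whether the card signed after a wrong PIN.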
So are we safe? Yep, we are reasonably safe: too much effort for too little money. And nowadays the trend is to use stolen data in Eastern Europe. So unless they get to read your magnetic stripe, you can feel safe.
Still, the Tetris play is awesome!