Hacker News new | ask | show | jobs
by throwawayjava 2351 days ago
The official explanation from the vendor is that this was an "anti-fraud security setting".

Can anyone familiar with CC processing provide insight on whether that's a reasonable explanation?

Regardless, a problem that requires a "software fix" from the vendor and manual visitations to each individual machine doesn't sound like a mere "setting"
4 comments
kevin_thibedeau 2351 days ago
It's BS. They've already been handling cards with expiration dates beyond 2020. The broken part can only be their internal date handling.
link
CydeWeys 2351 days ago
I assume the meters are network-connected because they take credit cards, but they can't be remotely updated? Seems like an obvious omission.
link
leereeves 2351 days ago
Or a deliberate security measure. Embedded devices often use Harvard architecture, with separate memory for code and data, so not allowing remote updates makes remote code execution impossible.
link
Cyph0n 2351 days ago
Sure, but there are at least two other options that are essentially as secure, assuming the “remote attack” threat model:

1. Allow customers to download updates and flash over USB.

2. Boot device into a limited mode that allows signed updates. Certificate should be stored in secure memory.

link
ethbro 2351 days ago
I don't deal with PCI personally, so $0.02, but we're talking retail or unattended devices here.

I.e. low wage, minimal training, not technically proficient users with unsupervised physical access to the machine

A machine through which a large amount of cash (virtual or otherwise) flows.

The criteria of (a) being updatable by a semi-technical customer & (b) being secure against technically malicious or socially engineered ignorance attacks seem challenging to simultaneously satisfy.

link
NotSammyHagar 2351 days ago
allowing easy update over usb is its own thread model, lessened with only allowing signed updates. Like almost everything, it's likely these parking meters have terrible security design. the parking meter I use commonly is incredibly slow, every button push takes 1/2 a second to update the small lcd ui, I really wonder what it can be doing to be so slow. It's probably using multiple levels of interpolation to run a js program or something.
link
FDSGSG 2351 days ago
>Can anyone familiar with CC processing provide insight on whether that's a reasonable explanation?

It is not.

link
rasz 2351 days ago
"anti-fraud security setting" might be expired cert
link