by btown 1425 days ago
But if an attacker owns the touchscreen, they can do nefarious things like adding a "Please re-enter your PIN on the touchscreen to confirm your purchase" dialog, then match that PIN against a separate leaked database of card numbers and user identities. It's not just whether the card reader can be pivoted to; it's the entire notion that the kiosk itself carries the trust of the overall brand.

If you can match a PIN to a database of card numbers, I can supply you with a database of all PINs in existence
You joke, but if we talk about web applications, one dangerous attack is not to guess the user password, but instead to match the most common passwords to a list of inventoried users...
Damn. How many bitcoins did you spend on that leak?
for (i = 0; i <= 9999; i++) { ... }
Glad to see that my 6-digit pin is safe from hacking for at least a few more years.
In 2009 my card had a 6-digit PIN and I went on holiday to Argentina. The card readers there only accepted 4 digits and they validated my card with the first 4 digits of my PIN.

That was a bit disconcerting.

PIN is actually completely optional.

A rogue terminal can decide to authorize the transaction with a “signature” (there are legitimate uses for this)

Or even with no PIN at all (there are also legitimate uses for this)

It’s also possible to do either of these 2 things and then report back that the transaction was authorized with a PIN

Same experience (card came with a default 6-digit PIN that I didn't change): never have a longer-than-4 PIN when traveling outside of western democracies. The fact that it worked made me doubt that it was actually verified, but I didn't have the balls to play with this too far away from easily obtainable money
What the...?

It's crazy, but kinda reasonable

Don't be so sure of that. If your PIN just happens to start with 00, it is fairly trivial to jury-rig a common 4-digit hacking device to crack your 6-digit PIN.
jerry-rig*
This is why my PIN is 9998.
I believe most banks stop sequence numbers such as "1234", "9876"
Less work to do for the hacker, how kind
Marginally reducing the search space to prevent significant clustering probably is beneficial.
They probably do, but those still are valid PINs, that some banks probably don’t block.
Aren't card PINs only 4 numbers long? That's almost 10k possible combinations I believe, pretty trivial to put together.

Checking which corresponds to what card is the hard step because you need access to an acquirer to my knowledge, and you'll lose that access quite quickly if you attempt too many incorrect combinations.

You can use more than 4 digits if you want a more secure PIN.

EMV (the card standard used by all modern chip/contactless cards) supports PINs between 4-12 digits in length.
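Added example (not code from any bank, from the EMV specification, or from the commenters): a small PIN-policy and verifier model that puts numbers behind the two threads above. It assumes the 4-12 digit range quoted in the comment is the policy in force and that "blocked PINs" means straight ascending/descending runs and all-same-digit PINs; `search_space` enumerates how much of the 4- and 5-digit space such a block actually removes (very little, which is the "marginally reducing" point), and `weak_verify_truncated` models the first-4-digits-only check a commenter reported, beside a full-length constant-time comparison. All sample PINs are constructed.

```python
"""PIN policy and search-space checks for the claims in this thread.

Constructed example; models assumed policies, not any real bank's or EMV's code.
"""
import hmac
from itertools import product

# EMV PIN length range as quoted in the thread (assumed to be the policy here).
MIN_PIN_LEN, MAX_PIN_LEN = 4, 12


def is_sequential(pin: str) -> bool:
    """True for runs like '1234' or '9876' (constant step of +1 or -1, no wraparound)."""
    digits = [int(c) for c in pin]
    steps = {b - a for a, b in zip(digits, digits[1:])}
    return steps == {1} or steps == {-1}


def is_repeated(pin: str) -> bool:
    """True for '0000', '777777', ... (a single distinct digit)."""
    return len(set(pin)) == 1


def pin_policy_ok(pin: str) -> bool:
    """Length check plus the 'obvious pattern' block described in the thread."""
    if not pin.isdigit() or not MIN_PIN_LEN <= len(pin) <= MAX_PIN_LEN:
        return False
    return not (is_sequential(pin) or is_repeated(pin))


def search_space(length: int) -> tuple[int, int]:
    """(total PINs, PINs the policy still allows) for one length, by enumeration.

    Enumeration is capped at 6 digits so the call stays fast; the blocked set
    is tiny either way (10 repeated + 2 * (11 - length) sequential runs).
    """
    if length > 6:
        raise ValueError("enumeration kept to <= 6 digits to stay fast")
    pins = ("".join(t) for t in product("0123456789", repeat=length))
    allowed = sum(1 for p in pins if pin_policy_ok(p))
    return 10 ** length, allowed


# --- Verifiers: the truncating behaviour reported in the thread vs. a full compare ---

def weak_verify_truncated(stored_pin: str, entered: str, accepted_len: int = 4) -> bool:
    """Models a terminal that only compares the first `accepted_len` digits.

    A 6-digit PIN holder is accepted on 4 digits, so every PIN sharing that
    prefix also passes: the effective PIN is 4 digits, not 6.
    """
    return stored_pin[:accepted_len] == entered[:accepted_len]


def verify_full(stored_pin: str, entered: str) -> bool:
    """Compare the whole PIN in constant time; a length mismatch is a failure."""
    return hmac.compare_digest(stored_pin.encode(), entered.encode())


def prefix_collisions(stored_len: int, accepted_len: int) -> int:
    """Distinct PINs of `stored_len` digits that share one `accepted_len`-digit prefix."""
    return 10 ** max(stored_len - accepted_len, 0)


if __name__ == "__main__":
    for n in (4, 5, 6):
        total, allowed = search_space(n)
        print(f"{n}-digit: {allowed}/{total} PINs allowed ({total - allowed} blocked)")
    print("truncating verifier accepts '1234' for stored '123456':",
          weak_verify_truncated("123456", "1234"))
    print("full verifier accepts '1234' for stored '123456':",
          verify_full("123456", "1234"))
    print("6-digit PINs hidden behind one 4-digit prefix:", prefix_collisions(6, 4))
```

The enumeration makes the "marginally reducing" comment concrete: blocking runs and repeats removes 24 of 10,000 four-digit PINs, and the count shrinks further as length grows, so the block does not help an enumerator in any meaningful way. The truncating verifier is the failure mode to look for when a long PIN "just works" on a 4-digit terminal: the extra digits were never checked.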

I have been wanting to try a >4-digit PIN, but I expect payment terminals to go bonkers because they don’t accept it. Does any of you have a card PIN longer than 4?
Six-digit pin works well for me in European countries - Czechia, Germany, Austria, Spain, Italy.
My girlfriend used a 5-digit PIN for over 10 years in the UK and never had any issues that I can recall.

I’d change mine too except I use the PIN so infrequently (99% contactless nowadays) I’m worried I’d forget the new one!

Just try and be surprised - no issues.
Mine is eight digits, never tried it outside Canada yet.
All PINs in my country are 5 digits. Which can be annoying for four-digit visitors (depends on the bank, and I've not heard of problems for a while).
Damn, with 5 digits, the cost of storage alone is a deterrent for a rainbow table
It would be a huge amount of work to pull this off and it's something that would be detected within the day because it's so odd and not at all how normal payment flows work.

Not clear how you would match the pin either without having some personal info on the user which you don't have.

Exactly. The kiosk app that communicates with the terminal only gets a "transaction approved" response. There is no personally identifiable information provided to the kiosk app, so there would be no way to link the PIN they typed in the kiosk back to the customer identity or card number.

In short, for the kiosk this is an anonymous transaction that was confirmed paid.

The most you could do is ask for more details in the kiosk app which would be clunky and very suspicious.

You could also tape a piece of paper up with a fake (tech support/tax help/credit help/reverse mortgage) line with a fake McDonald's endorsement in the early hours of the morning and make off with plenty of victims as the senior crowd rolls in for a grand time investment of 60 seconds.

If you want to get creative with attacks you can, but sometimes comparing a creative attack to a "boring" attack can help frame the conversation.

I've written kiosk apps that landed across the US, and while there was a ton of hand-wringing about security, in an informal setting I brought up a simple question:

If you reverse engineer the update process to have it show a penis, or you just carve a penis into the public display with a pocket knife, what's the difference and which is more likely to happen?

If an attacker can take control of the update process, they can push a penis-showing (or actually dangerous) update to all the machines in the network. That could be hundreds or thousands! Good luck doing that with a pocket knife.

Also, vandalism is about the least interesting reason to hack kiosks. It can get you into an otherwise inaccessible network, which often contains all sorts of internal services with loose or no authentication (POS software often uses default creds because "it's on an internal network anyways"). Hacked kiosks are also often used as proxy servers for illegal activity and bots in DDoS botnets.

Did you read the article? This is about security on-device

The update process can be hacked on the kiosk side; hacking the remote side of the update process is a completely different story.

I mean in some cases that was a simple signed package hosted on an S3 bucket... how are you going to leverage that to vandalize a network of devices?

And the kiosks are never on an interesting network (if they were, there are dozens of ethernet ports scattered about the place you can use to get access anyways)

Hacked kiosks being used as proxy servers when you need physical access to hack is also a very uninteresting problem. Why risk tying your physical self to a bot for nefarious usage when there are a million and one other "IoT" devices you can pwn instead?

It’s the old joke of listening in on the McDrive intercom after putting up a sign saying ‘the microphone is acting up, please yell’