[csinode]

I'd be more worried about someone compromising a card reader in the field and reading cached/stored real CC details, or installing some kind of intercepting malware. (That does seem to be difficult/impossible in this specific case, but it means research in this area is relevant.)

[rockbruno]

Aren't credit cards nowadays basically physical private keys? IIRC transactions are one-time payloads signed specifically for that operations, so intercepting that won't help you if I'm not mistaken about how cards work nowadays.

[literalAardvark]

Kind of, but if you control the card reader you could charge more for the transaction without showing the amount, for instance. And maybe even send the money to a different account.

[Aurornis]

Sending money to an arbitrary different account isn’t going to happen from the terminal reader itself.

Banks don’t have wide open protocols where anyone can submit a credit card transaction and have it go to arbitrary accounts.

Remember that credit card companies eat the cost of the fraudulent charges. They’re not going to make it easy for those to occur.

[thwarted]

Credit card companies eat the cost of fraudulent charges that they can not pass on to/blame the merchant for.

[Aurornis]

Which is why they won’t have a public API that allows running transactions that send money to arbitrary accounts.

If someone altered the terminal to charge more (a hypothetical suggestion above), they could recoup that money from the merchant’s account because they have an agreement in place.

You can’t run arbitrary transactions to arbitrary accounts (the other proposed attack above) because there isn’t an agreement in place.

[literalAardvark]

Yeah, I did think of that. I've never played with one of those so I don't really have much of an imagination about what they could do with a cracked one.

[lelanthran]

> Yeah, I did think of that. I've never played with one of those so I don't really have much of an imagination about what they could do with a cracked one.

I've got a couple on my desk right now; there's nothing I can do with them to steal money, even though they're in dev-mode.

[literalAardvark]

Someone in a parent post mentioned that you could change the merchant entirely, thus syphoning off the money to a potentially more accessible account.

[nine_k]

Arbitrary account, no. An arbitrary merchant, yes.

[account42]

That typically doesn't even need root access though but only a numeric PIN. Of course rout access might let you conceal what you are doing better.

[Arrowmaster]

You should read up on the wonderful system they call ACH.

[kortilla]

That’s precisely why credit card readers aren’t attached to it

[lelanthran]

> Kind of, but if you control the card reader you could charge more for the transaction without showing the amount, for instance.

Not supposed to be possible on a certified terminal. The certification tests this particular case (the transaction is a hash of the keys, amount and a few other things. The display of the swipe/tap/insert screen and the pin-entry are under control of the certified kernel, so the userspacve application has no control of the amount that is displayed).

> And maybe even send the money to a different account.

Not from the card reader.

[cesarb]

I've heard of it happening here in Brazil. In the simplest variant, something is glued on top of the screen to hide the higher digits, making the value appear to be lower; supposedly, some more advanced variants of the scam have a damaged or tampered screen.

[clait]

I was victim on this attack in Argentina. Paid a taxi with my card, and got charged 50x the amount shown on the display.

[weaksauce]

unless it's changed recently that only applies to tap and chip payments (which you should always prefer to avoid card skimmers) and not the old slide the ~~barcode~~ magnetic strip kinda payment.

[cesarb]

Does anyone still use the magnetic strip? I think it's been over a decade since I've seen a credit card without the chip, and terminals have been able to read the chip since forever. I think the last few times a store tried to use the magnetic strip on my card (because the chip failed to read due to a bad contact), the transaction was simply rejected due to not using the chip.

[mrngm]

Yes, occasionally when refueling a shared car owned by a company that distributes those cars all over The Netherlands. It's common here in leased car fleets as well, where the user gets a magstripe card to refuel (and needs to provide details about current mileage and if the car was a replacement car).

[account42]

I used it recently because my bank denied the contactless and chip payments I tried before that. Surprisingly the mag stripe worked - and this is with card issues from a EU bank where mag stripes have been an historical artifact much longer than in the US.

[bdangubic]

2 times just this week I was asked to swipe, “issues with the chip reader” (CVS and Wegmans)

[jamwil]

USA was very late to adopt chip/tap terminals, even relative to Canada. I could be wrong but IIRC it was only when Apple Pay came along that tap-enabled terminals began to hit critical mass.

[vel0city]

It's always incredible to see few people in the US uses the tech that's available until Apple makes it a thing, and seeing that play out over and over.

[joefife]

Seems surprising to me. I've not swiped a UK card in many years. Honestly can't remember the last time.

It's curious you're seeing so many stripe fallback incidents. Is this a USA issue?

[bdangubic]

possibly, can’t recall having any issues in europe where I reside over the summer.

[girvo]

That's wild to me, the last time I had to swipe my card here in Australia was sometime in the early 2010s!

Heck a lot of the terminals here can't swipe a card at all

[SoftTalker]

In the USA, gas station pay-at-the-pump were the last major holdouts, but it’s been a while since I saw a pump that didn’t use chip or tap to pay.

My HSA debit card, issued last year, still doesn’t have a chip.

[kccqzy]

Old automatic vending machines and old municipal parking meters still require swipes.

[Symbiote]

In some regions, credit/debit cards no longer have magnetic strips.

If I travel to the USA I'll be unable to use these old vending machines and parking meters.

[pornel]

> unless it's changed recently

In Europe it's changed 15-20 years ago, when EMV-capable terminals became required, and acceptance of magnetic stripe cards got phased out soon after.

Since Apple Pay became a thing a decade ago, we don't even get US tourists confused by inability to swipe their cards anymore.

[account42]

Note that is for the merchant side, not for the customer side - my EU-issued card still has a working mag stripe (got a chance to verify that it works this year).

And on a tangent about confused customers - I wish where to tap was as obvious as where to swipe. It varies by reader and sometimes that contactless logo is hard to see.

[mrngm]

Not to mention the (usually mobile) terminal designs where only the merchant sees the amount entered, usually doesn't flip it to show it to the customer, and the customer needs to tap it on their side without first seeing the amount entered.

... such as this one: https://www.paxtechnology.com/a77

[cwillu]

“which you should always prefer to avoid card skimmers” could use a disambiguation comma between “prefer” and “to”; I misread it several times before the intended meaning clicked.

[nine_k]

Someone with a root access to a card reader could just make it collect CC details with every transaction, no caches needed. It could also make certain transactions "temporarily fail", while siphoning a certain amount of funds to another, legit-looking, merchant under the hood.

[jhugo]

> could just make it collect CC details with every transaction

Only if the card is swiped (magnetic stripe) rather than tapped or inserted. EMV doesn't expose the full card details to the merchant; the card signs a payload with its internal private key and transmits it.

And the OP's root access wouldn't give card details in any case, because they didn't get root on the part of the reader that processes the transactions.

[reaperducer]

I'd be more worried about someone compromising a card reader in the field and reading cached/stored real CC details, or installing some kind of intercepting malware.

That's happened at least several times already.

I believe breached PoS terminals were what happened in the big Target hack.

[lelanthran]

> I believe breached PoS terminals were what happened in the big Target hack.

The problem is that PoS terminals are not EMV terminals. EMV terminals have been through a certification process, and the hardware part of that certification ensures that the vendor only runs signed-binaries.

Honestly, even if you could write and sideload (or even replace) the applications on the EMV terminal, I do not see a way to get them to a) run, and then b) send money elsewhere.

[adolph]

This story about a physical card reader checker to detect skimmer devices was interesting and posted here a couple years back.

https://tech.target.com/blog/cybersecurity-easysweep

https://news.ycombinator.com/item?id=36788831

[christina97]

There are much easier ways to skim cards than hacking the terminal.

[account42]

Not without leaving physical evidence.