[tgsovlerkhgsel]

And as a user, I have absolutely no way of distinguishing this from a device that had all secure features removed, and is running a random Android that proxies the NFC or chip data to a real reader, siphoning off what they can, while my PIN gets proxied by a human typing it into the real reader in real time. All I'd notice is a second or so of latency.

[grishka]

Do you have a way do make sure that a terminal with physical buttons is secure? To me, the touchscreen doesn't make the whole device inherently less secure.

As far as I understand, the whole system is designed to make replay attacks useless. PIN on its own doesn't allow you to make a transaction, neither does it in combination with a recorded conversation between the reader and the card during a successful transaction. There's some asymmetric cryptography involved with the private key stored in the chip on your card and every signed payload containing a random nonce.

[tgsovlerkhgsel]

The PIN and magstripe data alone (which I think can be replicated from a one-time read-only interaction with the chip) are enough to make payments in some cases.

If there are sufficiently few legitimate terminal types in circulation and the user is aware of it, anyone presenting a different terminal would be looked at with suspicion. With the status quo, I as the cardholder essentially have to assume that anything presented to me is likely legit, even if it looks like someone's homemade skimmer.

However, this still leaves the merchant. If they (the person handing me the terminal) aren't in on the scam, any tampering has to be non-obvious to them. AFAIK some places go as far as weighing the devices and regularly checking seals and serial numbers. VISA recommends checking twice daily https://busfin.colostate.edu/Forms/Merchant_Svcs/Visa_Securi...

Trying to tamper with a terminal with physical buttons would almost certainly require rewiring it physically, triggering tamper detection and rendering the terminal useless. So it would have to be swapped with a unit that looks identical despite being tampered, and functions well enough to not raise suspicion. I guess an attacker could hollow out a case and insert completely custom electronics, in theory, but that's quite a high bar (especially if it requires forging serialized seals).

On the touch-screen-with-insecure-Android, a software-only change on the insecure side (never actually initiating PIN entry mode, or only initiating it after the first attempt and "pin incorrect" message) should be enough to get the PIN, and an added NFC skimmer not connected to the other electronics could do the rest.

The devices also look cheaply made, distributed in small numbers, and I have my doubts about them having as many anti-tamper features as the most common terminals, although I might be wrong. If they have strong physical anti-tamper measures, and the software is hardened against software-based tampering, I think that they could, in theory, be comparably secure.

[grishka]

Magnetic stripes seem to only still be popular in the US. It always blows my mind just how insecure card payments are there. For small payments, like several dollars, they'll swipe your card in a reader attached to the POS system and that's it. No pin code, no nothing, you just get an SMS that your card was charged several seconds later. For larger payments they'll rely on entirely human-based confirmation methods like "sign the receipt" or "show your ID". I didn't even know this was a thing before I visited the US.

In Russia, where I'm from, I haven't swiped my card for at least a decade. Lately many places also started getting those square Android-based Sberbank terminals that don't even have the magstripe reader, only NFC and chip. Granted, our banking system has been effectively disconnected from most of the world since 2022, but I would be surprised if these aren't designed to accommodate MasterCard and Visa requirements for when they return. And skimmers are simply not a thing here any more. People get scammed through social engineering instead.

I also remember reading that magstripe transactions cost merchants more or something like that, precisely because they carry more risk because they only need static, easily copyable data.

Anyway, the point I'm making is that the threat model changes, and becomes much simpler at that, when transactions can't be made with static data. Because no matter what the scammer captures, even if that's the PIN and the complete data exchange with the card through NFC or the chip reader, they can't use that to make transactions. Obtaining the number, the expiration date, and the CVC is also unlikely to allow them to make online transactions because those need a second factor now. Except on Amazon. Amazon somehow manages to charge my card with just the number and the date, no CVC needed, and no 2fa code either.

[grishka]

Thinking about it a bit more, no, your argument about touchscreens doesn't make sense. The terminal OP looked at runs Linux on the "insecure" side, but the keypad is still passed through to that the same way the touchscreen would be passed through to the Android SoC, because it's used to navigate menus and enter the purchase amount. The Linux side would still send some sort of command to the CPU core that runs the "secure" OS to initiate PIN entry, and it could still just do what you describe.