Rich Freeman on 7 Mar 2018 12:31:56 -0800

Re: [PLUG] POS Malware Found at 160 Applebee’s Restaurant Locations


On Wed, Mar 7, 2018 at 3:17 PM, Walt Mankowski <waltman@pobox.com> wrote:
>>
>> The terminal could display "your total is $100", I could enter my PIN,
>> and then the terminal could send to my card a transaction for $10k
>> with the PIN, get the validation code, and send that to the bank.
>
> I'm confused about whether this is a real problem or one you've
> invented.

Is it really that confusing?  It is a completely theoretical attack.
I never claimed it was happening in the wild.

>> Also, current chip+PIN doesn't provide a solution for online or phone
>> transactions.  Ideally a better solution would address this as well.
>
> Apple Pay supports online payments. Again, I don't know how Android
> Pay works.

I was talking about chip+PIN, not Apple Pay, which is a completely
different system.  I'm not sure how secure it is against attacks from
software on a rooted phone, but other than that it obviously doesn't
rely on an untrusted terminal.

>> It would also eliminate the need for PCI compliance, because the
>> terminal wouldn't need to be secure.  Why we're keying PINs into
>> untrusted terminals in the first place seems like an anachronism.
>
> The Wells Fargo app for my phone has a relatively new feature where it
> gives you a one-time code you enter into the ATM instead of entering
> your card. You still have to enter your PIN, but it's not tied to your
> account number.
>

If they went a step further and had the one time code only show up
AFTER you've entered the desired transaction, and then it appears on
the phone screen, and you've hit the confirm button, that would be
more secure.  Granted, that still doesn't guarantee that the machine
will spit out the authorized amount of cash, but I don't really see a
solution to that one.

-- 
Rich
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
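The two flows argued about in this message, modelled as an added example (this is not code from the thread or from any bank or payment network). The first half shows why the "display $100, sign $10k" attack works in principle: the card only ever sees the amount the terminal hands it. The second half models the phone-confirmation variant proposed above, where the one-time code is derived from the amount the bank registered and the phone displayed, so a terminal cannot change the amount either before or after the user confirms. The HMAC-based cryptogram and code construction, the keys, the account id and the amounts are all constructed for the demonstration and do not describe any real issuer's scheme.

```python
"""Toy model of the two authorisation flows discussed in the thread above:
a chip card that MACs whatever amount an untrusted terminal hands it, versus a
one-time code a trusted phone derives from the amount the user confirmed.
Added example, not code from the thread; keys, account ids and the HMAC-based
cryptogram/code construction are constructed for the demonstration."""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


def _mac(key: bytes, *parts: str) -> str:
    return hmac.new(key, "|".join(parts).encode(), hashlib.sha256).hexdigest()


# --- Flow 1: chip+PIN, the card never sees the terminal's display -----------

@dataclass
class ChipCard:
    card_key: bytes          # shared with the issuing bank (constructed key)
    pin: str
    counter: int = 0         # transaction counter, included in the cryptogram

    def sign(self, pin: str, amount_cents: int) -> Optional[str]:
        """Returns a cryptogram over whatever amount the terminal presents."""
        if pin != self.pin:
            return None
        self.counter += 1
        return _mac(self.card_key, "card", str(self.counter), str(amount_cents))


def chip_pin_flow(card: ChipCard, pin: str, displayed_cents: int,
                  requested_cents: int) -> Optional[int]:
    """Terminal shows `displayed_cents` but asks the card for `requested_cents`.
    Returns the amount the bank approves; `displayed_cents` never enters the protocol."""
    cryptogram = card.sign(pin, requested_cents)
    if cryptogram is None:
        return None
    expected = _mac(card.card_key, "card", str(card.counter), str(requested_cents))
    return requested_cents if hmac.compare_digest(expected, cryptogram) else None


# --- Flow 2: amount registered with the bank, confirmed on a trusted phone --

def one_time_code(phone_key: bytes, txn_id: int, amount_cents: int) -> str:
    """6-digit code bound to the transaction id and the amount shown on the phone."""
    digest = _mac(phone_key, "phone", str(txn_id), str(amount_cents))
    return f"{int(digest, 16) % 10**6:06d}"


@dataclass
class Bank:
    phone_keys: Dict[str, bytes]                                  # account -> phone key
    pending: Dict[int, Tuple[str, int]] = field(default_factory=dict)
    next_id: int = 1

    def start(self, account: str, amount_cents: int) -> int:
        txn_id, self.next_id = self.next_id, self.next_id + 1
        self.pending[txn_id] = (account, amount_cents)
        return txn_id

    def redeem(self, txn_id: int, amount_cents: int, code: str) -> Optional[int]:
        """Terminal submits the final amount and the code the user typed in."""
        account, registered = self.pending.pop(txn_id)
        expected = one_time_code(self.phone_keys[account], txn_id, registered)
        ok = amount_cents == registered and hmac.compare_digest(expected, code)
        return amount_cents if ok else None


def phone_confirmed_flow(bank: Bank, account: str, wanted_cents: int,
                         register_cents: int, submit_cents: int) -> Optional[int]:
    """The user wants `wanted_cents`; the terminal controls what it registers with
    the bank and what it submits at the end. The phone shows the registered amount,
    and the code only exists once the user accepts that amount."""
    txn_id = bank.start(account, register_cents)
    _, shown = bank.pending[txn_id]               # pushed from the bank, not the terminal
    if shown != wanted_cents:                     # user declines on the phone
        bank.pending.pop(txn_id)
        return None
    code = one_time_code(bank.phone_keys[account], txn_id, shown)
    return bank.redeem(txn_id, submit_cents, code)


def demo() -> Tuple[Optional[int], Optional[int], Optional[int], Optional[int]]:
    card = ChipCard(card_key=b"issuer-key-demo", pin="1234")
    bank = Bank(phone_keys={"acct-1": b"phone-key-demo"})
    return (
        chip_pin_flow(card, "1234", 100_00, 10_000_00),                      # bank approves $10,000
        phone_confirmed_flow(bank, "acct-1", 100_00, 100_00, 100_00),        # honest: $100
        phone_confirmed_flow(bank, "acct-1", 100_00, 10_000_00, 10_000_00),  # user declines on phone
        phone_confirmed_flow(bank, "acct-1", 100_00, 100_00, 10_000_00),     # bank rejects mismatch
    )


if __name__ == "__main__":
    print(demo())
```

The third scenario in `demo()` goes one step beyond the message: it shows that inflating the amount after the user has confirmed also fails, because the bank checks the submitted amount against the one it registered and the code is bound to that amount. The model does nothing about the last point in the message, whether the machine actually dispenses the approved cash, since that is outside what any authorisation protocol can verify.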