Educause Security Discussion mailing list archives

Re: Point of Sale Device


From: Valdis Kletnieks <Valdis.Kletnieks () VT EDU>
Date: Fri, 11 May 2007 07:00:10 -0400

On Thu, 10 May 2007 13:15:16 CDT, "Gibson, Nathan J. (HSC)" said:

> Does anyone know of a tool/product that can be used to check a credit
> card point of sale device to make sure it does not store credit card
> information? To give you a picture of what I am talking about. Let's say
> you walked into a gas station and purchased a soda with your CC. The
> attendant swipes your card in a little black box that sits on the edge
> of the counter. It does not tie into an application, just a device with
> a modem that sends the information to a bank for processing. I want to
> be able to check the device to make sure it is not storing information
> locally?

I'm betting somebody read about the Cambridge crew that hacked a point-of-sale
terminal to play Tetris:

http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9007498

I'll bite - how do you explain to the minimum-wage worker of uncertain
nationality and grasp of English that:

a) They should let you fool around with their device.
b) Why you want to make sure their device isn't hacking your card.
c) Explain to them that you aren't hacking their device to do exactly
the same thing that you're worried they might be doing to you.

At some point, you have to just decide to either pay cash, or quit walking
around in public with all that aluminum foil wrapped around your head.

You want to *worry*, I'd worry more about what that min-wage server at your
Applebee's is doing with your credit card while you think they are ringing up
your lunch tab.  The same goes for anytime you buy something online using
computing resources not under your control.  Remember that Vint Cerf estimated
some 140M pwned boxes out there - your odds are *not* good.  The only reason we
don't see *more* spyware hijacking credit card numbers is because the crews
doing it are quite talented, and know exactly how much they can siphon off
without the banks and credit card clearinghouses getting upset and taking
action.
