BreachExchange mailing list archives

Credit Card Roulette: Payment Terminals Pwned in Vegas


From: security curmudgeon <jericho () attrition org>
Date: Tue, 31 Jul 2012 12:16:02 -0500 (CDT)



---------- Forwarded message ----------
From: InfoSec News <alerts () infosecnews org>

http://www.wired.com/threatlevel/2012/07/pinpadpwned/

By Kim Zetter
Threat Level
Wired.com
July 30, 2012

LAS VEGAS -- At least three widely used credit and debit card purchasing 
terminals in the U.S. and U.K. have vulnerabilities that would allow 
attackers to install malware on them and sniff card data and PINs.

The vulnerabilities can also be used to make a fraudulent card transaction 
look like it's been accepted when it hasn't been, printing out a receipt 
to fool a salesclerk into thinking items have been successfully purchased.

Or an attacker can design a hack that would invalidate the chip-and-PIN 
card system, a security feature that is standard in Europe but only 
nascent in the U.S. It uses cards embedded with a chip and requires 
cardholders to enter a PIN to validate a transaction.

The hacks were demonstrated at the Black Hat Security conference last week 
by Rafael Dominguez Vega, a Spanish security researcher and consultant for 
MWR InfoSecurity, and a German researcher who goes by the name Nils, who 
is head of research for MWR. Nils cemented his security bona fides in 2009 
when he hacked three browsers at the Pwn2own contest at the CanSecWest 
conference.

[...]

_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list
