darkreading.com — Using your credit card or PIN to buy gifts? Beware of malware aimed at grabbing valuable data from volatile memory in point-of-sale systems.
Dec 20, 2009
wiseguy1020 Dec 21, 2009
@ricodued That's because nobody would buy Apple's brushed aluminum, back-lit iPOS that is twice as expensive as a normal one.
nextekcarl Dec 21, 2009
*Whoosh* I was referring to the "or" portion of the comment.
neotechni Dec 21, 2009
*Whoosh* He's saying either Mac users have fascinations with crap or little imagination.
epoplive Dec 21, 2009
Seriously, wtf are you talking about? If we could just 'check up' on botnets, we could just shut them down too. And you're missing the point of the article, it's talking about reading data directly from RAM, thus avoiding the encryption altogether. I don't think anyone in the security industry ever thought they were creating a foolproof system. It's a well-known fact that it's simply a back-and-forth game between hackers and those writing security software. There will always be new holes, there will always be new patches.
lucutus Dec 21, 2009
Actually, the keys have been lengthened and triple encrypted as well as unique to each PIN pad. Also, there is no more PKI used in PED transactions. If you manage to decrypt from one device, only that device is compromised. If a master key gets compromised, it is destroyed and a new one is generated. Yes, expiration and remote key replacement work and are in use but not mandatory yet...
epoplive Dec 21, 2009
Sure they would, and then they would tell you the system is 4x secure, 12x faster, and that they were ultimately 100x more 'hip' than you.
rtechie Dec 21, 2009
Generally speaking, developers thought of this method of attack, so data is encrypted in the pad. However, there are touchscreen and other off-spec POS systems that send numbers in the clear and ARE vulnerable to RAM scrapers. There are also fake swipers and keypads, often seen on gas pumps. Your best defense is to never use your PIN except at one of your bank's ATMs. NEVER enter your PIN into a POS device. Virtually all ATM cards are also debit cards bearing the Visa or MasterCard logo. Use it as a credit card. The only reason not to do this is to save the retailer the credit card fees, and if you want to do that, pay cash (written checks are very easy to defraud; avoid them when possible). If your bank doesn't offer debit cards, switch banks. I also recommend using American Express whenever possible; generally speaking, they have better consumer protection features.