Tamperproof, yet playing Tetris.

Peter Gutmann pgut001 at cs.auckland.ac.nz
Fri Jan 5 01:52:21 EST 2007


"Perry E. Metzger" <perry at piermont.com> writes:

>Handheld "Chip & Pin" terminals for reading credit cards in the UK are
>required to be tamperproof to avoid the possibility of people suborning them.
>Here is a report from a group that has not merely tampered with such a
>terminal, but has (as a demo) converted it into a Tetris game to demonstrate
>that they can make it do whatever they like.

From the "Now it can be told" department: Back in the early days of the WWW,
there was no online credit-card based Internet payment system.  This was
before STT and SEPP and SET and all the others.  There were things like
Cybercash, but they were too complex to make much headway.

There was however one company that could set up anyone to do live credit card
processing over the Internet (they had a travelling dog & pony show where they
could demonstrate this to potential customers).  This was (for the time)
pretty amazing, something that no major CC vendor could offer.

What they had done was set up an Internet front-end to hacked "tamperproof"
POS terminals that effectively turned them into Internet-controlled remote
payment devices, so as far as the acquirer was concerned the purchaser had
swiped their card at the terminal and entered their PIN when in fact it was
someone sitting at a laptop on the other side of the world.

Peter.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com