Apparently, the JTAG debugging interface is exposed to the outside. You know, the one that should be turned off physically in the CPU itself through a blow fuse on production processors. The one critical interface where you don't even populate the headers and connectors on the finished boards.<p>As it stands, the only way to fix this is to exchange or repair all devices in circulation.
Isn't the fact that Chip and Pin is susceptible to "Man in the Middle" attacks, affecting all terminals, the bigger issue?<p><a href="http://www.cl.cam.ac.uk/~sjm217/papers/oakland10chipbroken.pdf" rel="nofollow">http://www.cl.cam.ac.uk/~sjm217/papers/oakland10chipbroken.pdf</a>
I find it amusing how the CC execs admit they couldn't reproduce the attack, and he seems somewhat proud of that fact. Maybe my interpretation is just colored with my impression of execs of large companies. -.-
> “This is one lab that has reported (unsubstantiated) that they were able to do this,” she wrote. “No credit card users are at risk.”<p>And if they had released the attack, VeriFone would have cried even louder...
So it's possible to remotely overwrite the Verifone software to capture PIN numbers. The local attacks aren't as terrifying, since it was already possible to replace them with modified devices to skim PINs. And what about all the HSM PIN-recovery attacks, on which the details are already available? And where are those <1mm thick ATM skimmers they warned us about?<p>Ultimately, stolen credit card numbers just aren't that monetizable (they're sold for pennies on the dollar, $2-$3 per) and not enough people use their PIN numbers at POS terminals. It seems more fraudsters steal using Scareware/rogue AV (it's less likely to be charged back, since the victim actively entered their details).<p>Well-funded organized crime seems more interested in targeting bank logins, or Medicare (losses in the billions, mixed with bona fide doctor-fraud), or maybe home loans and other forms of ID theft.