Hacking card readers--for fun, profit, or hotel-room entry--was a leading theme at this year's Black Hat. One of the more elegant related attacks demonstrated there involved a memory corruption vulnerability in some point-of-sale (POS) credit and debit card readers, detailed by "Nils," head of security research at MWR InfoSecurity, and security consultant Rafael Dominguez Vega.
Their attack has three variations, including one targeting the magnetic-stripe card readers used in the United States, but arguably the most interesting version targets chip-and-PIN smartcards used in Europe, which require the user to enter a PIN to authorize in-person transactions. Nils and Vega detailed how a malicious smartcard could be used to rewrite the software running on the terminal, either providing fake authorization that a transaction went through or instructing the terminal to record all credit card numbers and PIN codes that it sees. At the end of the day, an attacker could return to purchase goods and "pay" with a smartcard programmed to retrieve and store all data seen by the POS terminal during the day.
Credit card photograph by Flickr user Images_of_Money, via Creative Commons license.