would it be too hard to do: send request to bank, bank checks, says it's ok and ... | Hacker News

Hacker Newsnew | past | comments | ask | show | jobs | submit

		k3nx on Aug 4, 2016 \| parent \| context \| favorite \| on: How contactless cards are still vulnerable to rela... would it be too hard to do: send request to bank, bank checks, says it's ok and returns the amount to withdraw, the card reader already says "is amount $20.00 ok", just replace that with what the bank said it was authorizing, user wouldn't have to do anything else, but the real amount would be shown at the time of transaction not what the card reader was told

greenshackle on Aug 4, 2016 [–]

in this attack the card reader is compromised. the attackers can make it display whatever they want it to.

Edit: For this to work the card itself would have to have it's own display. Another commenter suggested e-ink.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact