Having recently visited my local bank for a card replacement after finding my access deactivated, I’ve been pondering the list of ways it may have been breached:
– double swiping – I watch at the cash when they swipe my card for the second swipe or two readers in line. The local shops seem pretty safe.
– rogue reader in the bank machines – unlikely but possible though the ones I use are all in open areas and bank operated.
– shoulder surfing – only once has there been an odd person at the block of machines but maybe she was some kind of ninja.
I’ve also seen the BSOD galleries. Billboards and similar viewers are not so bad because it’s a network connection in you’d have to make unless your going to climb the sign thinking there is value in exploiting it’s powerpoint presentation or whatever displays the pictures. Public terminals; not great but one can expect them to be hostile environments (eg. not for banking). Traffic lights are a more scary thing but yes, they too run the world most popular swiss cheese.
Sometimes, I come across things that just make me go WTF where the designers thinking and how much drinking was involved in the development meetings?
Case in point. Bank machines with BSOD displays are sad but at least the system is already halted. Bank machines with rogue scanners take some physical effort. Bank machines with known vulnerabilities are another thing entirely though.
Some things should simply not be running the worlds most vulnerable platform. The machines that authenticate me, access my banking records and provide me cash. The servers behind the interface systems that maintain the data saying how much I have and how I authenticate before interacting with banking records.
There are valid uses for Windows but in security critical situations, why are such things still run with Windows?
Anyone else have a WTF rant to share?