Stories
Slash Boxes
Comments

SoylentNews is people

Whatever You Do, Don't Give This Programmable Payment Card to Your Waiter

posted by chromas on Wednesday April 11 2018, @03:01PM   Printer-friendly
from the a-bluetooth-dong'l-do-ya dept.

"exec" writes:

Fuze card is wide open to data theft over Bluetooth. A fix is on the way.

The makers of the programmable Fuze smart card say it's powerful enough to be your wallet in one card yet secure enough to be used the same way as traditional payment cards—including trusting it to restaurant servers when paying the bill. But it turns out that convenience comes with a major catch. A flaw makes it possible for anyone with even brief physical control of the card to surreptitiously siphon all data stored on the device.

Fuze representatives said they're aware of the vulnerability and plan to fix it in an update scheduled for April 19. They also thanked the two researchers who, independent of one another, discovered the vulnerability and privately reported it. So far, however, Fuze officials have yet to fully inform users of the extent of the risk so they can prevent private data stored on the cards from being stolen or tampered with until the critical flaw is repaired.

Mike Ryan, one of the two researchers, said he created attack code that impersonated the Android app that uses a Bluetooth connection to load credit card data onto the smart cards. While the official Fuze app takes care to prevent pairing with cards that have already been set up with another device, Ryan's rogue app had no such restrictions. As a result, it allowed him to take complete control of a card, including reading, changing, or adding payment card numbers, expiration dates, and card-verification values.

https://arstechnica.com/?p=1290811

-- submitted from IRC

Original Submission

 
This discussion has been archived. No new comments can be posted.
Whatever You Do, Don't Give This Programmable Payment Card to Your Waiter | Log In/Create an Account | Top | 41 comments | Search Discussion
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

  • (Score: 2) by VanessaE on Thursday April 12 2018, @04:03PM

    by VanessaE (3396) <vanessa.e.dannenberg@gmail.com> on Thursday April 12 2018, @04:03PM (#665988) Journal

    You know, for recurring expenses like phone, cable or insurance, I'd be more than happy to let them auto-draft my monthly bills, because it would be less for me to hassle with, since the amounts rarely change. I'm with a good bank that's easy to work with if an error occurs, so I don't worry about these horror stories of double charges or wait[ers/resses] defrauding me. Besides, those cases are so rare that the risk is just too slight to be worth thinking about.

    There's just one problem:

    Companies usually won't fucking LET ME CHOOSE THE DAY the payment is drafted!

    Look, I don't give two shits what your billing cycle says, if you try to debit on the first day of the month, the money may not even BE there, and if you wait until some time into the third week of the month (which seems to be equally as common as the first day), then you screw up my budgeting, which unlike yours, doesn't have any accountants or automation to manage it.

    Yeah, I know I could just make sure to leave a minimum amount in the account to make sure they'll be covered, but then that denies me the peace of mind of "good, all the bills are paid for the month" that I get after paying them all manually.

    Starting Score:    1  point
    Karma-Bonus Modifier   +1  
    Total Score:   2