/ infosec

The 'error 53' situation

that isn't a situation

Right, all you moaning about the ‘Error 53’ situation.

You say that your device has been ‘rendered useless’ by the company that created and developed the device because they put security checks in the software to ensure that your data is safe (I’m purposely generalising this particular post). Bear in mind that this data they are protecting isn’t just contacts and your most recent pictures from a visit to the pub, it's financial data, in particular, a tokenised version of your Debit/Credit/Charge Card.

You had your screen/fingerprint recognition sensor/digitiser assembly replaced by an unauthorised, third-party individual or company, that’s great, you do that. It was a cheap fix to an issue you were having and the device now, in your eyes, is as good as new. Now, due to the sheer complexity of the inner workings of a device that contains a TPM (Trusted Platform Module), if you tamper with anything that interfaces with that, it gets destroyed. Allow me to present you a scenario:

You own a shop, you have a EFT Terminal in there (Some of you may call them PDQ’s). The screen on that terminal stops working, what do you do?

  • Send it back to the manufacturer for repair/replacement (which is more common)
  • Send it to a bloke who said he will do it for £20.

Whoever opens that terminal, be it the manufacturer or a third-party, there are security mechanisms in place that are DESIGNED to destroy any sensitive data (encryption keys, security codes, etc.). At that point, that device is safe, because it can no longer communicate with the finance networks, it is safe because it will most likely not even turn on, therefore the bloke that may have repaired your screen (and possibly installed a card skimmer) has lost this particular battle because the designers of the product thought ahead to protect your data and your money. The terminal is now useless, it has been destroyed via tamper, good luck explaining that to your terminal provider.

If you have had your screen/fingerprint recognition sensor/digitiser assembly replaced by a third party, what is to say they have not installed software/hardware that effectively copies your fingerprint, the encryption keys, your data entered on the digitiser assembly, much like a key logger, for example. If you expect your digital wallet and fingerprint assembly to work after a third-party, unauthorised repair, you are undermining not only the security of the device you own, you are undermining the security of the entire payments network by ‘expecting it to work’ after some bloke ‘did you a favour’.

Be thankful that it didn’t work. Be thankful that your data is secure. I’m pretty sure that getting a call at 3 in the morning from your banks fraud team saying that all your savings have gone and your credit card has been maxed out wouldn’t be the best call you have that day. And, in all fairness and in the long run, it’s your own fault as you have essentially given someone your card and the PIN, then told them to help themselves.

Don’t bugger about with data security.

PS. I’m aware that many TPM’s are read-only, but the context and general topic of this post remain perfectly valid.



I'm also aware that there has been a recent statement from the company involved in this, but my argument still stands