Mag stripes died… Is contactless dangerous again?
The main problem with old mag stripes is that they’re actually really quite easy to copy. QR codes for payments are also a pretty stupid idea, especially if they’re static.
12/02/2026 Article
Electronic payments have had a repeating pattern for decades: deploy a new control, attackers adapt, and the industry responds with hardware hardening, better cryptography, and tighter rules. In a recent episode of You Gotta Hack That, Gareth, a payments industry veteran with 30 years in the trenches, walked us through the security evolution from carbon copy receipts to contactless wallets, with a blunt warning: when you make it easy, you often make it valuable again.
Mag stripe plus signature was built on sand. Stripe data is trivial to copy, signatures are rarely verified, and fraud often isn’t spotted until the monthly statement arrives. The uncomfortable bit is that the card was never the only problem.
At scale, the bigger risk has always been the merchant side. Compromise a single high-volume terminal, think petrol stations, convenience shops, unattended kiosks, and you can harvest hundreds of cards a day. Early “defences” focused on making readers harder to tamper with, including protecting the swipe path and later encrypting data between the read head and the processor. That helped, but it did not change the core issue: the stripe itself carried rich, reusable data.
Chip and PIN did something important operationally: it made the average stolen wallet far less profitable. Without the PIN, you get a few tries and then you’re blocked. It turned opportunistic theft into a low-yield activity, at least for card-present fraud.
That’s why the current trend worries Gareth. As contactless limits rise and “tap-and-go” becomes the default, the stolen wallet becomes valuable again. Multiple contactless transactions can often be made before the card demands a cardholder verification method (CVM). A thief does not need your identity; they just need your card and a short shopping list.
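The counters behind that behaviour can be modelled to estimate what a lost wallet is worth under a given policy. This is an added example, not code from the episode or from any card scheme: the £100 per-tap figure is the one quoted in the episode, while the tap-count and cumulative limits, and the names `Policy`, `Card` and `exposure_without_pin`, are assumptions.

```python
"""Card-side contactless risk counters, modelled for exposure estimates.

All limits are ASSUMED policy values for illustration, apart from the
GBP 100 per-tap limit quoted in the episode. Amounts are in pence.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    per_tap_limit: int    # largest single tap allowed without CVM
    max_taps: int         # consecutive no-CVM taps allowed
    max_cumulative: int   # total no-CVM spend allowed since the last CVM


@dataclass
class Card:
    policy: Policy
    taps: int = 0         # no-CVM taps since the last successful CVM
    spend: int = 0        # no-CVM spend since the last successful CVM

    def tap(self, amount: int) -> str:
        """Decide whether this tap may proceed without cardholder verification."""
        p = self.policy
        if amount > p.per_tap_limit:
            return "CVM_REQUIRED"
        if self.taps >= p.max_taps or self.spend + amount > p.max_cumulative:
            return "CVM_REQUIRED"
        self.taps += 1
        self.spend += amount
        return "NO_CVM"

    def cvm_ok(self) -> None:
        """A successful PIN entry resets both counters."""
        self.taps = 0
        self.spend = 0


def exposure_without_pin(policy: Policy, amounts: list, cards: int = 1) -> int:
    """Loss (pence) if `cards` lost cards are each used for `amounts`
    in order, stopping at the first CVM prompt on each card."""
    total = 0
    for _ in range(cards):
        card = Card(policy)
        for amount in amounts:
            if card.tap(amount) != "NO_CVM":
                break
            total += amount
    return total


# Constructed policies for comparison (assumed values).
LOOSE = Policy(per_tap_limit=100_00, max_taps=5, max_cumulative=300_00)
TIGHT = Policy(per_tap_limit=100_00, max_taps=3, max_cumulative=100_00)

if __name__ == "__main__":
    attempts = [95_00] * 10   # constructed sequence of GBP 95 taps
    for name, policy in (("loose", LOOSE), ("tight", TIGHT)):
        pence = exposure_without_pin(policy, attempts, cards=4)
        print(f"{name}: GBP {pence / 100:.2f} across 4 cards")
```

The per-tap limit alone says little about loss; the cumulative and tap-count counters are what bound it, and they multiply by the number of cards in the wallet.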
Contactless payments use modern cryptography and transaction-specific values, so replaying a captured RF stream should not work. Good. But “no replay” does not equal “no attack”.
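A simplified model of why a captured exchange fails when presented again, added here as an illustration and not taken from the episode or from any scheme specification. HMAC-SHA256 stands in for the real cryptogram algorithm, and the message layout and the names `Card`, `Issuer` and `demo` are assumptions.

```python
"""Replay rejection with transaction-specific values (simplified model).

Assumptions: HMAC-SHA256 replaces the scheme's cryptogram algorithm, the
card and issuer share one per-card key, and the MAC input layout is
invented for this example.
"""
import hashlib
import hmac
import secrets
import struct
from dataclasses import dataclass


def _mac(key: bytes, un: bytes, atc: int, amount: int) -> bytes:
    # Bind the cryptogram to the terminal's unpredictable number (un),
    # the card's transaction counter (atc) and the amount in pence.
    msg = un + struct.pack(">HQ", atc, amount)
    return hmac.new(key, msg, hashlib.sha256).digest()


@dataclass
class Card:
    key: bytes
    atc: int = 0  # incremented on every tap, never reused

    def respond(self, un: bytes, amount: int) -> dict:
        self.atc += 1
        return {"atc": self.atc,
                "cryptogram": _mac(self.key, un, self.atc, amount)}


@dataclass
class Issuer:
    key: bytes
    last_atc: int = 0  # highest counter value already accepted

    def authorise(self, un: bytes, amount: int, resp: dict) -> str:
        # The issuer recomputes the MAC from the terminal's own challenge
        # and amount, not from anything echoed back in the response.
        expected = _mac(self.key, un, resp["atc"], amount)
        if not hmac.compare_digest(expected, resp["cryptogram"]):
            return "BAD_CRYPTOGRAM"
        if resp["atc"] <= self.last_atc:
            return "STALE_ATC"
        self.last_atc = resp["atc"]
        return "APPROVED"


def new_challenge(avoid: bytes = b"") -> bytes:
    """Fresh 4-byte unpredictable number, distinct from `avoid`."""
    un = secrets.token_bytes(4)
    while un == avoid:
        un = secrets.token_bytes(4)
    return un


def demo() -> dict:
    key = secrets.token_bytes(32)          # constructed per-card key
    card, issuer = Card(key), Issuer(key)

    un1 = new_challenge()
    captured = card.respond(un1, 2500)     # the exchange someone recorded
    out = {"genuine": issuer.authorise(un1, 2500, captured)}

    # Same bytes presented to a terminal that issued a different challenge.
    un2 = new_challenge(avoid=un1)
    out["replay_new_challenge"] = issuer.authorise(un2, 2500, captured)
    # Same bytes with a different amount claimed.
    out["replay_new_amount"] = issuer.authorise(un1, 9900, captured)
    # Identical message resubmitted: the MAC verifies, the counter does not.
    out["resubmit_identical"] = issuer.authorise(un1, 2500, captured)

    # The real card's next tap still works.
    un3 = new_challenge()
    out["next_genuine"] = issuer.authorise(un3, 1200, card.respond(un3, 1200))
    return out


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:22s} {verdict}")
```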
One real-world pattern is relay behaviour. If an attacker can get you to tap a card onto a malicious overlay, they may be able to forward the transaction in real time to another reader or environment. Another risk is the terminal itself. Payment devices are designed with tamper detection, key erasure, and “brick on open” behaviour, but attackers look for where data is usable, not where it exists. If you can add hardware between the RF interface and the secure processing boundary, you can still cause damage.
And then there’s the elephant in the room: the phone. A wallet app concentrates credentials, authentication, and session state. A stolen unlocked handset can shift an incident from petty theft into account takeover territory, fast.
Payments security is heavily driven by standards and lab testing. The key idea is attacker economics: how much time, kit, and money does it take to extract secrets or intercept PIN entry, and is the payoff worth it? That’s why tamper response and secure elements exist.
Gareth’s parting shot matters outside payments too. With regulation like the EU Cyber Resilience Act (CRA) on the horizon, the time to think about hardware security is now. If your product’s trust boundary is wrong, you will not patch your way out of it later.
Call to action: If you build or assess embedded kit, especially anything that touches identity, payments, or RF, talk to us. We also run hands-on training, including PCB and electronics reverse engineering and unusual RF penetration testing. Details are on our courses page; spaces are limited for lab quality.
Felix (00:02)
Hello and welcome to You Gotta Hack That, the podcast all about the cybersecurity behind the operational technology and the Internet of Things. Today we’re going to discuss the evolution of electronic payments from carbon copy receipts to present-day cryptography, and the security, or indeed insecurity, of each of these methods. My guest today is Gareth. He is an expert with 30 years of experience in the electronic payments industry. Hi Gareth, tell us, when did it all start for you?
Gareth (00:29)
You know, I started off in the era of mag stripe signature, and then being with that industry through chip and PIN and contactless and electronic wallets and things like that.
Felix (00:39)
I imagine you’ll have seen some things over the years.
Gareth (00:42)
Yeah, seen and heard. It’s always quite interesting to see how people try to circumvent these systems and sometimes you do sort of think, yeah, okay, that was pretty clever. And you sort of also wonder, if you’d redirect your energies somewhere else, you’d probably be able to do something really worthwhile, rather than probably ending up in prison.
Felix (01:03)
Wow. Okay, well, I’d love to hear more if you’re able. Today’s topic is all about the hardware security of stuff. If you’ve been around since mag stripes and signatures and so on, I imagine you’ve seen quite a few evolutions of what hardware security has looked like. Are there any particular moments in that that stand out to you in terms of how big a leap was that particular thing?
Gareth (01:27)
When I started electronic payments, it was predominantly magnetic stripe and signature. The main problem with that is that it’s actually really quite easy to copy a magnetic stripe. So copying cards became a thing. And in our industry, protecting the swipe reader itself became pretty important because a good way to capture a lot of cards, of course, is to capture them when people make payments. So the electronic payment would go through, everything seems all right, but actually the stripe data’s being captured.
Felix (01:55)
Yeah, that’s really interesting because I imagine a lot of consumers don’t really think about the security of the other side of this transaction. They’ve got the thing that holds the access to their bank account, it’s that card, a magical piece of plastic. But the security of that clearly massively makes an impact on that individual’s account. But actually the other side of all of these transactions is where it becomes bigger scale, more important.
Gareth (02:20)
Yeah, especially for the introduction of PIN, you know. Especially when it was just mag stripe and signature. That was a big problem really, because prior to that, right, it was what used to be called a zip-zap machine where you used to physically take the numbers off the card using a carbon copy. And that had its own sort of problems and people just wrote card numbers down and stuff like that.
But the big difference with capturing mag stripe and making a copy of mag stripe is that then you can go around using that card. No one in reality checks the signature and by the time the cardholder finds out it’s far too late because it’s usually when they get their monthly statement, right? So by that time a lot of transactions could have been done.
And a sort of evolution of that was introducing more protections for the mag stripe slot in card machines so that it was more difficult to just disassemble them, put another reading head in, or just intercept the traffic, store that somewhere, come along at night and collect it. You could get a lot of transactions in a short period of time. If you’re in a high volume place like a petrol station or something like that, then you could capture hundreds of cards a day easily. And that would help. The mag stripe, at that time, had all the information on it, so it had expiry date and it had various check characters and things like that.
Felix (03:32)
It’s always struck me as if mag stripe data was always a bad idea. I don’t understand how that was suggested as a good idea, but it strikes me still as obviously not clever. Is this fair? I wasn’t there at the time.
Gareth (03:47)
I think at the time it was the straightforward way to electronically capture the information off the card because it was far simpler than trying to optically recognise characters or anything like that. The sophistication to be able to put a chip on a card wasn’t there, so it was the sort of intermediate form, I suppose.
Felix (04:04)
All technologies intermediate between now and the really good version.
Gareth (04:09)
I mean, I would argue that QR codes are a pretty stupid idea as well, especially if they’re static. I concur. We’ve seen that right now with car parks, right, where people just come on and stick another sticker over the top, pretend to be the payment app, take people’s card details, say, yeah, yeah, you’re parked for four hours. So they’ve got all the card information, probably go and do another transaction for 10 times the amount. And the poor old cardholder gets a ticket as well because they haven’t actually paid for the car park after all.
QR codes, I think, is one of those technologies where the hype is overtaking the actual security concerns about it, which is pretty valid. In China, they’re quite common, but you generate them on the fly, on a screen. So they’re not static. Then you can tie the transaction uniquely to a particular retailer or whatever. And also, you can’t just stick a static code over the top because everyone will think, someone’s just stuck a label on top of this thing. It’s obviously not right.
Felix (05:01)
Yes, I guess there’s still ways in there but quishing is definitely a topic that comes up every now and then.
Gareth (05:07)
Yeah, yeah. So I think the mag stripe thing was cheap. A bit of mag tape cost very little. It gave you a really quick way to get cardholder data off a card. And at the time, it was relatively sophisticated, I guess, because compared to physically taking copies of the card with carbon paper was, I guess, a step in the right direction.
And for things like ATMs, of course, it was mag stripe with PIN. And that was online PIN. There was no PIN stored on the card. At least with ATMs, you could copy a mag stripe card, but you couldn’t just go to an ATM and draw cash out. But you could go and make transactions because the signature was the verification method for a long time.
So the sort of evolution there was, well, you know, the card terminal manufacturers had to do a lot more to protect their stripe readers. You couldn’t just disassemble products and put bugs in, or you couldn’t just disassemble them and put another mag stripe reader in.
Felix (06:03)
I’m assuming quite a lot of that stuff is maybe even obsolete now in terms of the protection limits.
Gareth (06:09)
Well, yes and no. I mean, it probably is just about now. But for a long time it wasn’t because although places like the UK and some of Europe had moved to chip, the US was on mag stripe, predominantly mag stripe until what, five years ago.
Felix (06:24)
Seems unreal from a European perspective. As in, how on earth? I don’t think I’ve been able to use a mag stripe for much, much longer than that, let alone optionally.
Gareth (06:35)
There’s a few things, I think. One, it was a bit of not invented here because chip cards were basically invented in Europe. But also a lot of resistance from the card issuers because a chip card costs a lot more than a mag stripe card. So they weren’t the ones who necessarily experienced the fraud. It was the retailer who got the grief from the customer when their card was being compromised and the card scheme would quite often just wash their hands and said, well, what can we do?
There was a bit of resistance from the card schemes, but eventually, because everywhere started adopting chip, then the US had to, because they just became the go-to place for fraud then, because it was an easy place for mag stripe fraud. Even UK cards, I’m not sure if mine has, but I’ll have a look now. But even UK cards have still got stripe, right? Some of them. I want this one. I want it now. Yeah, so the stripe on there.
Felix (07:28)
Show me those.
Gareth (07:30)
If you don’t implement the latest technology everywhere, then there’s always going to be some place where you’re going to have a weak point.
When you start asking people to regularly use QR codes, it’s a bit like going back to mag stripe, really. We’ve gone via an electronic system like chip and PIN, and the same essentially with contactless, right? So I’m a little dismayed that the contactless limit keeps being pushed up because we had a relatively secure system with chip and PIN.
So if you or I lost our card in the street, you go to a retailer with it, if you’ve just picked that up off the floor, you can’t use it. And after three to six tries, however many it is these days, then the card gets blocked. So your wallet went from being really quite a valuable thing to steal to not very valuable at all, because none of the cards in it could be used.
And now we’ve gone back to a situation where those cards are now valuable again, because they’re all contactless, the limit has gone up to £100, it’ll probably go up to more. And those cards can be used multiple times for contactless transactions before they demand a PIN. You’ve got three or four cards, then that’s £300, £400 quid at least compared to nothing with chip.
Felix (08:40)
And then we’ve got the evolution further to pay by phone or pay by watch or whatever, which there are plenty of stories knocking around of people buying Aston Martins and other very expensive products using their watch. But that’s ultimately an extension of the kind of contactless tech.
Gareth (08:55)
Yeah, and then you’ve got issues like having all your credentials on your phone. Something like 30% of all burglaries in London involve mobile phones. It may have been higher, but it was certainly at least 30%. So, you know, people’s phones being stolen is a major problem. Mostly they go overseas, so the networks are being put under pressure to block people’s phones. But if they’re not on a UK network, then that’s less viable.
Felix (09:19)
It’s an interesting problem with space as well, isn’t it? Because I was under the impression that kind of phone theft was increasingly becoming less and less valuable because of all of the protective measures that are in place and so on. But actually there’s maybe like an arms race here, isn’t there? Because if you manage to get hold of a device which has also got loads of credentials and has like the banking app open and that kind of stuff, then you are in a much stronger position to be able to take advantage of the person’s identity and all their money and so on.
Gareth (09:47)
Yeah, there’s two reasons for phone theft. One is the phone itself is valuable, same with car theft, right? Cars that are stolen these days tend to be shipped overseas pretty quick and completely out of the reach of UK law enforcement. And phones are the same. And people will pay money for them.
If you manage to get an unlocked phone, someone’s on the phone at the time you steal it. You’ve got a fair chance of accessing all their bank credentials or their credit card information, passwords for this, that, and the other. So the phone has again sort of become a hugely problematic area for compromising people’s identity and getting hold of people’s financial information.
Felix (10:24)
In 2026, the You Gotta Hack That team has two training courses. On March the 2nd, we start this year’s PCB and electronics reverse engineering course. We get hands-on with an embedded device and expose all of its hardware secrets, covering topics like defeating defensive PCB design, chip-to-chip communications, chip-off attacks, and the reverse engineering process. On June the 8th, we launch the unusual radio frequency penetration testing course. We dig into practical RF skills so that you can take a target signal and perform attacks against it in a safe and useful way. Both courses are a week long. They are a deep dive. They’re nerdy. And we provide everything you need other than your enthusiasm.
As the unusual RF penetration testing course is brand new, you can be one of our beta testers and get £1,000 off. There’s more information available on our website at yougottahatthat.com slash courses, and we recommend booking straight away as we have to limit the spaces to ensure the best learning experience. But for now, let’s get back to today’s topic.
Okay, so in terms of defending the hardware of payment stuff, you briefly mentioned about changing the mag stripe so that it was, presumably by the sense of things, it was more complex. You say they put three read heads in there instead of like two or something.
Gareth (11:37)
The later regulations said you had to have an encrypted mag stripe head. So the data was encrypted on the head and decrypted at the processor. You could still have plain text on the card, but encrypted from the head to the processor that was actually decrypting it into plain text.
Felix (11:45)
Still plain text on the card. That sounds like an impossible key management problem right there.
Gareth (11:58)
Yeah, it’s not the most friendly process, but it’s done within the confines of the two devices. So once they’ve agreed on a mutual key, you know, it will be an AES key or whatever for the duration of the life of the product, but that’ll all be unique. So there’d be some factory initial process which pairs the two together.
Felix (12:17)
OK, that’s interesting.
Gareth (12:19)
But of course you can get around that by, especially when you’ve got things like dip readers where the card is not swiped through but is sort of inserted. There were compromises around having additional mag heads added afterwards and that happens sometimes on ATMs as well. Especially the cheaper ATMs which have got insert dip readers rather than motorised. You can have a second head which is actually reading the card as it goes in, which is not anything to do with the product itself but it’s been added as an after fitting by someone who’s capturing your credit card details.
Felix (12:48)
From my experience, those tend to be in the slightly dodgy corner shops and that kind of thing knocking around across the country. And if that’s the case, then you know, I imagine it’s in a hostile environment because there’ll be all sorts of people who potentially have access to the physical device. And if my guess is correct and the owner of the shop, the proprietor or whatever, is the one who has to refill it with the cash because they’re sort of operating on behalf of the company with an agreement, presumably they’re quite vulnerable to being physically manipulated, shall we say. Is that fair?
Gareth (13:25)
It should be very difficult to do without tampering the device in some way. So it shouldn’t be possible to get to the mag stripe reader internally. Most of those machines, all you can do is refill the cash really. You can’t really do anything else. If you try to, then the tamper mechanisms will be operated.
What can be more problematic is overlays on the outside, which look like they’re supposed to be there, but actually have got some sort of card reading capability in there.
In fact, I saw very recently someone’s got a contactless overlay, which is quite interesting. So basically stuck a contactless card overlay on a contactless reader so that actually the card’s read by both and the contactless details are used for a transaction through a relay attack of some sort.
Felix (14:13)
That’s interesting. And it’s all right, I hadn’t realised it was being done in the contactless space. There’s some interesting RF properties that need to be investigated in some of the communications protocol bits that I need to get my head around to see how I would see that would work. But that’s fascinating.
Gareth (14:17)
No, I haven’t until recently. The contactless is, of course, magnetic coupling. It’s called RFID but it’s all magnetic so it’s quite difficult to get a very large magnetic field enough to illuminate a card. So you’re not going to read cards at a long distance but if you can persuade someone to tap their card onto something such as an overlay then you’ve got a pretty fair chance of intercepting the traffic, which I guess is just a question of making it thin enough and having all the other electronics in there so that it doesn’t look suspicious.
Felix (14:56)
I had made the assumption around contactless payments that the tech involved some form of cryptography between the card and the reader. And if that’s the case, I would have guessed that there would be some form of nonce once you do that cryptographic initialisation. So you can’t just replay that same RF stream.
Gareth (15:16)
Yeah, you can’t do replay attacks. And I haven’t looked exactly at what they were doing, but I suspect what they’re doing is something along the lines of the reader itself is out of use. Someone taps on it and then it’s relayed in real time somewhere else.
Or they set themselves up as a fake merchant, which is sort of risky because you only need all the credentials to set yourself up as a fake merchant. But, you know, it could be done. You could set yourself up with a card acquirer, with the acquirer as, you know, XYZ company, take a whole load of transactions and then just disappear, I suppose. But I suspect it’s probably a relay to somewhere else. So when you tap the card, you know, that is being transferred to another real reader for some actual transaction. You wouldn’t know the amount, of course, because you don’t know what the amount is.
Felix (16:04)
Yeah, okay, that is really interesting though. All of these little handheld contactless readers, if I wanted to take one to pieces, it wouldn’t be that difficult.
Gareth (16:13)
It wouldn’t.
Felix (16:15)
That depends a little bit. It wouldn’t work anymore for sure. Are we getting somewhere where there is now actually quite difficult technology to overcome? Because a lot of these things, they’re not insurmountable. There’s usually a way, it depends on how much effort you want to put in them. But those look to me like they must be built relatively cheaply because they’re everywhere.
Gareth (16:17)
It shouldn’t work anymore.
Felix (16:37)
They are little tiny consumer little devices and they tend to be paired via presumably Bluetooth or something similar to your phone and then the phone has an app and the app does the transaction. To me those look so flimsy that I can’t imagine they’ve got much security in them at all from a physical point of view.
Gareth (16:54)
They will. There’s actually a bit less sensitivity about just the contactless interface because in theory you can intercept it anyway. But there will be tamper mechanisms which will operate if you disassemble it such that it shouldn’t work afterwards. And that’s really to protect against putting some sort of disclosure bug in which is after the RF interface. The RF interface is relatively complicated.
You’ll see the digital data coming out of the decoder, because it’s a binary bit stream. Mostly, as you say, it’ll be around detecting disassembly of the device. It should permanently tamper. So, you know, it should erase keys, set flags, all that sort of stuff, and become inoperable so that if you have disassembled it, then you can’t actually use it afterwards. Payment terminals have got a lot more security in because they’re handling PINs as well and handling the physical interface, which is in plain text, which is also not a good thing. So…
Felix (17:48)
Yeah, so the contactless stuff is like tokenised transactions as opposed to the card details that are being transferred. So therefore it has a finite value rather than an infinite. If you can keep using these details, it’ll just carry on working. You’re essentially reducing the value of the data you can get. That’s cool.
Gareth (18:06)
But I mean, another shift that is happening is contactless with PIN, right? So, and it’d be interesting to see where that goes. That makes a lot of sense, actually. Much more sense than contactless without PIN. A lot of devices will do contactless with PIN. And then, of course, you’re worried about protecting the PIN entry process, but at least that gives you some sort of, effectively, two-factor authentication, which you don’t get with just a standard contactless transaction.
Felix (18:29)
My slightly ill-educated experience of card stuff was that the PIN was validated locally sometimes, not necessarily to the acquirer or upstream. That presumably can’t be the case anymore, contactless with PIN, because the data wouldn’t have been transferred to be able to validate what that PIN number was.
So if that’s no longer the case, is that going to be only available when you’ve got a good internet connection and suitable equipment? Cause I’ve not seen that become an option for me as a consumer. I bank with one of the sort of more forward-leaning banks, should we say, and they tend to have a lot of the security options available to you as a consumer quite early on. So you can turn things on and make it more secure if you wish and so on.
So presumably, contactless with PIN, then you have to have an internet connection. It’s a mandated aspect of this.
Gareth (19:30)
Yeah, my understanding is it goes back to the acquirer for PIN verification. Yeah. Okay. Yeah.
But you’re right, on chip with PIN, the PIN can be verified by the card because the PIN is also transferred to the card in the clear, which is pretty bad. And another reason why you need to worry about the interface between the card and the terminal. That’s again, historical costing, you know, it was expensive to have cryptographic capabilities on cards. So the specifications didn’t demand it.
And therefore once you’ve got your PIN on the terminal you transfer it in plain text to the card, which means of course you can intercept the PIN in transit if you want to, relatively trivially, if you haven’t got a lot of protections around it.
Felix (20:16)
So back in the early stage of my career, I was a PCI QSA, so payment industry qualified security assessor, if I remember the acronym correctly. And I’ve got to be honest, I didn’t enjoy the work, so I didn’t do it for very long, but it was a bit of a segue into an interesting part of the world.
And from a PCI DSS point of view, the data security standard, what I found was that it was quite binary in terms of the requirement that is being placed on the merchants and that kind of stuff. I mean, aside from the fact that you can do different SAQs and so on, the kind of the technical requirements for delivering a secure environment and all the rest of it were very, very simplistic, but very, very specific.
And I don’t necessarily think that’s a bad thing, but I do think it means that there are opportunities for people to be excluded incorrectly or have problems with their network that they would have maybe picked up on anyway, because it wasn’t part of the requirements, and they were left open for whatever reason. I find that interesting, but then I also recognise that it was a reasonable amount of time between iterations of this standard. And it wasn’t huge, it’s shorter than some, but it was still long enough for there to be like a technological lag between what the world seemed to be expecting of this set of tech and what the requirements were.
My guess is that the requirements for the kind of PIN entry devices would be even slower to evolve or at least have this kind of overlapping arrangement because there’ll be lots of kit out there already that’s to a previous standard.
Gareth (22:00)
Yeah, to a degree. I think a solid difference between the payment terminal standard and the DSS standard is that the testing regime was less objective, I guess. So for PCI-PTS, you got a set of requirements that you had to meet. They were fairly high level, right? So, you know, along the lines of there should be no way of an attacker obtaining the PIN from the keyboard, right? Or something really high level like that.
And then the assessment was via a small number of labs who pretty much came up with their own ideas of how they think they should attack individual terminals. So they would give it to someone who had obviously done this quite a lot. And it was, as you were saying before, it was a time and cost analysis. So, you know, if the guy in the lab said, you know what, I’ve tried this, that, I’ve tried poking it with sticks, I’ve tried, you know, putting it in liquid nitrogen, whatever you want to do with it. I think it would take at least a week and $100,000 to attack this thing.
The return on the investment at that point becomes dubious and therefore that meets, they give you points basically. So you’d have got six points for that and you’d have got, you get X points for clearing buffers or doing all the stuff you’re meant to do, not being able to get to the display. So they basically do various different tests. They were pretty subjective tests. So there wasn’t like a pass fail in the same way. It was more the assessor decided that in their opinion, it would take X and Y amount of time and resources.
That did leave it a bit open for novelty because you could have novel solutions that perhaps they hadn’t seen before, which might be low cost, but still meet the objective. And as long as the assessor couldn’t find a way to break it, then in a short period of time or something, then that would work.
Felix (23:55)
Okay. How did that relate to the hardware requirements then? Because we talked before we were on air that would you ever have JTAG ports still on a board? And presumably the answer would be no, and that would have been the case from quite early on.
But removing JTAG is not just a case of simply not exposing the test pins. It’s more than just that. You’re having a processor that doesn’t have JTAG exposed on its edges, or, you know, only using BGA chips or something so that it’s really difficult to get access to or something. But presumably it’s in there somewhere and it must have been programmed at some point. So JTAG is a legitimate option for that.
Gareth (24:39)
Yeah, what you tend to find, and this is supposed to, again, a difference and a challenge for commercial implementations, is that most payment terminals will use a small number of secure processors for all the important stuff, right? So there are a relatively small number of manufacturers who make a relatively small number of devices which by default don’t have provisions to either turn this stuff off or not have it, or, you know, the version of the chip which doesn’t have it, when you have another one which you use for development or things like that.
So, yeah, mostly that problem is solved that way, which is slightly different from what’s gonna happen in a commercial environment where people are gonna wanna use more off-the-shelf devices and use them in a secure way. So I think that, you know, that potentially is a challenge.
The opposite, I guess, is that, you know, semiconductor vendors are gonna have to come up with more secure solutions. And I know that, you know, there are some out there. I know, you know, the likes of ST and NXP and Maxim will make secure devices and some of them are quite low cost, you know, the security infrastructure built in. So, don’t know, a lot of these devices, you know, they have dedicated tamper detection. So either physical tamper detection or over temperature, under temperature, over voltage glitch detection.
Felix (25:40)
If you use them correctly, they do raise the… sounds like a whole other podcast episode there, Gareth. We could… But for today, have you got any other lasting thoughts that you’d like to share with the audience?
Gareth (25:59)
Yes, yeah. The lasting thought really, especially about the EU CRA, is that the time to start thinking about it is now because it’s going to be too late in two years’ time and you won’t necessarily be able to fix it in software. So you need to start taking a look at your hardware and making sure that it will actually be compliant at the end of the day.
Felix (26:23)
Yeah, we need to touch on the EU CRA, the Cyber Resilience Act, because it’s a whole topic in its own right and has some quite significant implications for embedded systems as a whole, not just the hardware. Perhaps that’s also another episode.
Gareth (26:42)
Well, maybe, yeah. I think some sort of practical guides for developers and implementers might be useful because a lot of these standards, as you know, can be very generic and it’s difficult to actually tease out of them exactly what you actually have to do. All they’re so high level as to be almost meaningless.
Felix (26:58)
This appears to be the case for pretty much every standard out there. Yeah, for sure. Gareth, it has been a pleasure chatting to you today. Thank you for joining me. Cheers. And thanks to everyone for listening. I hope you’ve all enjoyed it. Your reviews are really important to us. So if you haven’t already, please do give us that five star rating and recommend us to all your friends and colleagues and everybody else, including the dog if necessary.
If you have any questions about cybersecurity of embedded systems, why don’t you get in touch? You never know, we might be able to answer it on air for everyone to hear.
You can also find us by email on helpme@yg.ht, with @gotta hack on Bluesky, or by searching for You Gotta Hack That on LinkedIn.