There's no networked man-in-the-middle attack via the readers (they're not connected devices). You can't change the algorithm (it needs to be the same one implemented by the online bank). The algorithm is already essentially public (the devices are identical and widespread).
Pwning the factory doesn't really give an attacker an advantage.