From carbon-copy receipts and zip-zap machines to mag stripes, chip and PIN, contactless and mobile wallets, payment tech keeps evolving, and attackers evolve right alongside it. Felix sits down with Gareth, a payments industry veteran of 30 years, to unpack the real hardware attack surface: skimmers in stripe readers, ATM overlays, contactless relay tricks, and why static QR codes are basically begging to be abused. They also dig into why raising contactless limits changes theft economics, how phone theft turns into credential theft, and why the EU Cyber Resilience Act means you need to think about hardware security now.

In this episode, Felix is joined by Anjan, a cybersecurity engineer working at the sharp end of OT product security and compliance in UK manufacturing. They dig into what it really looks like to build security into connected industrial kit, especially with major regulation deadlines looming. Anjan shares a practical path into the industry, starting with bug bounty and vulnerability disclosure, then moving into IoT and OT during his Masters, including work on an autonomous vehicle project. Expect honest talk on “audit equals secure” myths, risk-based security, and how to start building an OT security career.

In this episode, Felix continues his conversation with David Rogers (Copper Horse) about the latest State of Vulnerability Disclosure report and why “what counts as IoT” is messy. They explore how consumer devices end up everywhere (including factories), how category labels can become compliance loopholes, and why good vulnerability disclosure needs more than a generic support page. David also shares concerns about the EU Cyber Resilience Act drifting toward tick-box compliance, and what that could mean for product security teams and, ultimately, all of us. Plus: the report’s dataset is open for anyone to check.