  • Mag stripes died... Is contactless dangerous again?
    Feb 18 2026

    From carbon-copy receipts and zip-zap machines to mag stripes, chip and PIN, contactless and mobile wallets, payment tech keeps evolving, and attackers evolve right alongside it. Felix sits down with Gareth, a payments industry veteran of 30 years, to unpack the real hardware attack surface: skimmers in stripe readers, ATM overlays, contactless relay tricks, and why static QR codes are basically begging to be abused. They also dig into why raising contactless limits changes theft economics, how phone theft turns into credential theft, and why the EU Cyber Resilience Act means you need to think about hardware security now.

    28 min
  • Getting a career in OT...
    Feb 9 2026

    In this episode, Felix is joined by Anjan, a cybersecurity engineer working at the sharp end of OT product security and compliance in UK manufacturing. They dig into what it really looks like to build security into connected industrial kit, especially with major regulation deadlines looming. Anjan shares a practical path into the industry, starting with bug bounty and vulnerability disclosure, then moving into IoT and OT during his Masters, including work on an autonomous vehicle project. Expect honest talk on “audit equals secure” myths, risk-based security, and how to start building an OT security career.

    25 min
  • And the winner is .... 'lowest compliance effort'
    Feb 5 2026

    In this episode, Felix continues his conversation with David Rogers (Copper Horse) about the latest State of Vulnerability Disclosure report and why “what counts as IoT” is messy. They explore how consumer devices end up everywhere (including factories), how category labels can become compliance loopholes, and why good vulnerability disclosure needs more than a generic support page. David also shares concerns about the EU Cyber Resilience Act drifting toward tick-box compliance, and what that could mean for product security teams and, ultimately, all of us. Plus: the report’s dataset is open for anyone to check.

    17 min
  • Ever heard of an insecurity canary?
    Jan 26 2026

    In the first of this two-part episode, Felix is joined by David Rogers (Copper Horse) to unpack a surprisingly powerful way to measure IoT security: vulnerability disclosure policies. David shares what eight years of research reveals about how easy (or impossible) it can be for security researchers to report flaws. We discuss why the lack of a clear route to report vulnerabilities to a vendor is an “insecurity canary” and how security researchers and businesses struggle to get along without enabling easy communications on these topics. We dig into the results from the Copper Horse annual report, the impact of new regulation, and why retailers might be the hidden force improving the market. Plus: the long tail of ultra-cheap devices, and why security shouldn’t be a luxury.

    22 min
  • OT Threats, Penetration Testing, and Resilience
    Jan 21 2026

    In this episode of the You Gotta Hack That podcast, the conversation continues with Emily, a principal industrial cyber security consultant, as they delve into the real-world threats facing operational technology (OT) environments. The discussion highlights the inadequacies of traditional IT penetration testing when applied to OT networks, emphasizing the need for tailored approaches that consider the unique vulnerabilities and operational realities of these systems. Emily and Felix explore the concept of dwell time, illustrating how sophisticated attackers can remain undetected within networks for extended periods, gathering intelligence before launching attacks. They stress the importance of understanding actual risks and the necessity of continuous monitoring and testing to ensure robust cyber security measures are in place.

    25 min
  • Demystifying ISA 62443
    Jan 12 2026

    In this episode of You Gotta Hack That, Felix sits down with Emily, a principal industrial cyber security consultant and former national utility cyber lead, to demystify ISA/IEC 62443. Why do so many teams treat it like a silver bullet and why does that backfire fast? Emily breaks down what 62443 actually is (spoiler: it’s a family of standards), why “be compliant” isn’t a requirement, and why maintenance matters as much as deployment. If you’re trying to secure OT environments, this one will help you focus on what to do first.

    And don't forget to check out our training courses to get hands-on and nerdy.

    24 min
  • The implications of phone theft
    May 8 2025

    In this episode, Felix and Alex discuss the alarming rise of phone thefts in London, sharing personal anecdotes and insights into the implications of losing a device. They explore security measures, user behaviors, and the broader impact of identity theft in today's digital age. The conversation emphasizes the importance of enhancing phone security and being proactive in protecting personal information.

    18 min
  • Autonomous ships, cyber security and the workboat code
    Apr 17 2025

    In this conversation, Felix and Oli discuss the development of a hydrogen-powered uncrewed surface vessel (USV) and the associated cybersecurity challenges. They explore the importance of integrating cybersecurity measures from the outset, navigating regulatory frameworks like Workboat Code 3, and the ongoing challenges of ensuring compliance and safety in a rapidly evolving technological landscape. The discussion highlights the need for thorough documentation, the role of regulations in shaping industry practices, and the future of cybersecurity in maritime technology.

    19 min