Before starting this article, I first have to say that I won't publish all the information required to perform this manipulation, due to the obvious legal aspects of it.
However, I will explain in details the security of this particular laundry machine, without showing any picture that would help you know which one it is:

Laundry machine
Let's start. First step, understand what we are up against. How? Well, the laundry machine is in a quiet place, with practically nobody passing by... so let's open it.
Surprisingly (seems the manufacturer is not worried by people meddling with their products), only 2 screws are in your way to see what is inside the machine:

Inside the machine
In the machine, we see two main PCBs. One full of relays and power electronics and another one with only two connectors (shown above).
It seems obvious that the latter is in charge of the machine security: the top connector allows communication with the main board to launch the washing programs, the other one is where you connect your card socket:

Card reader
Luckily, the card socket has its part number visible, allowing us to find its pinout. Then it's time to use the multimeter for some checks.
That's how we discovered that only 8 of the 10 wires of the ribbon cables are actually used. 2 of them are connected to a switch detecting the card presence, the rest are connected to the C1-C3 C5-C7 smartcard pads:

smartcard pinout
Anyway, what is a smartcard? Well, there are several types of smartcards, all following the iso7816 standard.
However, not all smartcards follow all the 'subcategories' of this standard. Concretely, that means that one smartcard could only follow the iso7816-1 specs, which only defines the physical layout of the card.
For more details, I invite you to have a look at this document.

Back to the security PCB. Looking up the part numbers, we discover that the main microcontroller is based on a 8051 architecture. Therefore it is a fair assumption to assume that there won't be any cryptography involved.
So how to get more information about the card itself? One obvious choice, due to the quiet environment where the machine is, was to sniff the traffic.
One of my friends actually had a smartcard sniffing tool laying around:

sniffer
However, this didn't work, as the C6 pad line was not connected between the card and socket contacts.
This was actually quite curious since the 2006 revision of the iso7816 standard removed the use of Vpp.
This did leave us with no other choice but to directly sniff the signals on the connector:

Adapter
With a standard 2.54mm 8 pins header & socket, we managed to create a 'port extension':

Adapter in place
From there on, sniffing the traffic was very easy. Using a logic analyzer and the 'card detected' signal to trigger the acquisition, we got this when the machine was reading the card amount:

Logic analyzer
We can see that the machine will set Vcc and Vpp to 5 volts a little while after the card is inserted.
Let's have a look at the activity on the reset/clk/io lines:

Logic analyzer
This looked a lot like the I²C protocol...
Therefore, the 'maximum' standard the card can follow is the ISO7816-3. That means you may get the Answer To Reset (ATR) (description here).
Manually reading the ATR, we find the sequence 0xA2 0x13 0x10 0x91.
A quick search on google shows us that the chip in the smart card is likely to be the SLE4442 from Siemens. Another quick search allows us to find its datasheet....

SLE4442
Please note that this chip is supposed to be very used around the world. You'll find many web pages talking about it.
What we needed to do next was to create a parser that could interpret what was going on between the reader and the card, our logic analyzer program being able to export csv files.
1 hour of coding later, we could see what was going on when the machine reads the amount left on the card:

Sniff read
Random reads at some places... strange.
Let's run a machine and compare the two reads before and after having subtracted some money:

Compare
The 2 bytes data on the emplacements 0x2E 0x32 0x36 0x44 0x48 0x4A seems to be the amount left on the card.
Thinking a little bit, we find that 0x230 = 560 = 280 x 2 cents. However, for the 2.10chf amount case, I don't understand why the first byte is not equal to 1... weird.
Now that we've identified the memory emplacements, one could wonder how to change the values...

I'm not going to explain all the different attacks you could perform, but the very famous Strom Calson in his 2006 Defcon talk explains it all.
You'll have understood by now that this kind of hack is not new. So I will focus on doing it with new tools.
Anyway, on the SLE4442, you need to present a code to be able to change the contents of the memory:

Verification procedure
So logically, if the machine is changing the amount stored in your card, you should see it at some point:

pin sniffing
And bam, the card security is broken.

To perform a proof of concept, one could follow the very well written hackaday guide.

As I had a bus pirate at home, we followed the instructions.
Pinout (from smartcard to bus pirate pin):
5 volts -> 5 volts power supply
reset -> AUX
clock -> SCL
dataio -> SDA
Vpp -> 5 volts power supply
Ground -> Ground

From HaD:
The sle4442 has open collector outputs, and depends on pull-up resistors to hold the bus high. Instead of switching the data pin between ground and 5volts, it switches between ground and high-impedance states. High-impedance means that the chip exerts no state on the line, it lets it float, like a microcontroller input pin.
Each of the signal lines need to be pulled-up to 5volts with a 2K-10K resistor, the value isn’t particularly important. Without the pull-up resistor, we’ll never see anything but 0 (ground) on the bus because the sle4442 doesn’t exert a voltage of it’s own. A benefit of this technique is that the Bus Pirate, which only switches at 3.3volts, will talk to the sle4442 at a full 5volts, in compliance with the 3.5volt minimum voltage for a high level (datasheet, page 27, table 3.2.3:Vih).

Then we just send a couple of commands to the bus pirate in order to get the ATR and be able to communicate with the SLE4442:

HiZ>m
1. HiZ
2. 1-WIRE
3. UART
4. I2C
5. SPI
6. 2WIRE
7. 3WIRE
8. LCD
9. DIO
x. exit(without change)

(1)>6
Set speed:

1 ~5KHz
2 ~50KHz
3 ~100KHz
4 ~400KHz

(1)>2
Select output type:

1) Open drain (H=Hi-Z, L=GND)
2) Normal (H=3.3V, L=GND)

(1)>1
Ready

2WIRE>L
LSB set: LEAST sig bit first

2WIRE>W
Power supplies ON

2WIRE>@^arrrr
AUX INPUT/HI-Z, READ: 1
CLOCK TICKS: 0x01
AUX LOW
READ: 0xA2
READ: 0x13
READ: 0x10
READ: 0x91

And from there it is quite simple to change the values stored in the card (PSC not written here) ;) :
{0x38 0x2e 0x2f}\ r:32 {0x38 0x32 0x2f}\ r:32 {0x38 0x36 0x2f}\ r:32 {0x38 0x44 0x2f}\ r:32 {0x38 0x48 0x2f}\ r:32 {0x38 0x4a 0x2f}\ r:32