Javelin Strategy and Research » A security hole in the payments supply chain
written by Tom Wills
A security hole in the payments supply chainSupply chain security is a term most often associated with the risk of terrorists planting dirty bombs in shipping containers. But last week it claimed its place in the payments industry lexicon when a big compromise of the supply chain feeding the EMV-based Chip & PIN payments ecosystem came to light in the UK.
It seems that criminals implanted invisible electronic components in a batch of newly-manufactured Chip & PIN point of sale terminals destined for the UK and other European countries, which siphoned off account information when cards were read during a purchase, then sent it over to Lahore, Pakistan where other evildoers captured it and proceeded to rack up “tens of millions” (of Pounds, which means even more tens of millions of Dollars) in bogus transactions. The tampering happened either at the factory in China where the terminals were manufactured, or shortly afterwords while in transit.This is big, not only because of the major fraud losses involved, but because it represents a whole new threat category in the industry which will take considerable effort, coordination and expense to protect against. Think about it … how do you secure a factory that makes POS terminals (which is likely to be in a country where security is a big challenge to begin with), and the containers the products are put in for shipment, and the trucks or trains that take them from the factory to the seaport, and the ships that take them across the ocean to their destination markets, then another port and more trucks and trains, and the warehouse they end up in before being distributed via even more trucks to the merchants who finally put them on their countertops to take card payments.
It’s non-trivial, and judging from the magnitude of this incident, non-optional as well. And there’s the question of who will pay for all this security. The card companies may pressure the terminal vendors to take this on, but tackling it thoroughly is likely to be beyond their budget, or that of any individual player in the supply chain. I’ll be really interested to see how this story unfolds, especially if the bad guys feel inspired to repeat this kind of attack, which wouldn’t surprise me a bit.