Sunday, October 12, 2008

Ouch! Card Swiping Devices Now Being Doctored During Manufacturing

Chip and PINImage via WikipediaIt's bad enough when point of sale (POS) devices are tampered with at the physical retail location, but now it's getting a little ridiculous.  Now... there's  reports that the some POS devices are being doctored (by adding circuit boards which can transmit cardholders data to 3rd parties) during the manufacturing of the devices.  They actually weigh 3 or 4 more ounces with the additional boards.  It's still unclear whether the circuit boards were added "during the manufacturing" process or "shortly after leaving the production line.

Conclusion?  This is getting downright scary and certainly supports the reasoning behind getting one of HomeATM's SwipePIN devices and shopping in the safety of your own home! 

Here's a couple stories from the U.K. newspapers on this latest development... 

The gang is understood to have added tiny circuit boards to chip and pin machines during or shortly after the manufacturing process. Three circuits embedded in a metal card were added, enabling the machine to transmit a credit or debit card’s details to a third party.

The first circuit is designed to copy the card’s details and pin number before the device has time to encrypt the information.  The second takes that information, encrypts it and stores it in a buffer. The third circuit acts as a tiny mobile phone transmitting the stored data to a computer in Lahore, Pakistan, where it is decrypted.
The stolen data is then used to make cloned cards.  A source close to the investigation said: “In some cases it called in once a day, in others as little as once a week. It would say to the computer: here are the 50 card details I’ve stolen this week. How many and what type do you want me to steal next? 

“It would then receive new instructions and act on them. It would act like a tick: it would continually sift blood without necessarily being noticed by its host.” To remain discreet, the criminals would tailor the sums they stole to the type of store a corrupted machine was operating from. “If it ended up in a small shop that only did a few thousand pounds of business a week, they would probably keep the amount of money drained very small. Whereas if a machine ended up in a high-value electronics store, they could crank it up and make it steal more money,” said the
Organized crime tampers with European card swipe devices • The Register
Customer data beamed overseas
By Austin Modine • Posted in Crime, 10th October 2008 21:21 GMT

Hundreds of card swipers used by retail stores across Europe are believed to have been tampered by organized crime syndicates in China and Pakistan, according to US National Counterintelligence Executive Joel Brenner.

Brenner told The Daily Telegraph that criminals have doctored chip and PIN machines either during manufacturing in China or shortly after leaving the production line in order to send shopper credit card account details overseas. The devices were then expertly resealed and exported to Britain, Ireland, the Netherlands, Denmark, and Belgium.

"Previously only a nation state's intelligence service would have been capable of pulling off this type of operation," Brenner told the publication. "It's scary."

Hundreds of devices have been copying credit and debit card details over the past nine months and sending the data by way of mobile phone networks to tech-savvy criminals in Lahore, Pakistan, The Telegraph reports.

MasterCard International has alerted stores in affected areas and determined doctored devices can most easily be revealed by virtue of weighing an extra three to four ounces due to the additional parts they contain. MasterCard first uncovered the plot at the start of the year after detecting suspicious charges to British and other European accounts.

The scam is believed to have resulted in the loss of tens of millions of pounds by criminals creating cloned cards, making phone or internet transactions, or withdrawing cash from the account. The Telegraph reports the thieves usually wait at least two months before using the stolen data in order to make it harder for investigators to determine what happened.

Brenner said the scam should motivate card swipe device makers to not only do more testing, but guard their supply chain in the same way jewelry suppliers do.

Reblog this post [with Zemanta]

Disqus for ePayment News