I thought this to be an interesting article and wanted to share some excerpts. I've blogged about hardware tampering in the past (see "Terminal Disease Boosts Fraud") and made mention that one of the benefits of using our tamper-proof PCI 2.x certified device in the privacy of one's own home is the peace of mind in knowing that your PIN number is NOT going to be captured by a rogue PIN Pad...
Anyway, this threat is nowhere near the threat created by "typing" vs. "swiping."
Until the big brains in the financial industry stop being so stubborn and come to terms with how dumb typing credit/debit numbers into a box on a website is (and call for the "elimination" of typing), I wouldn't worry too much about this threat. It's so much easier to use a malicious "soft"ware approach than to start tampering with "hard"ware.
Ghosts in the Machine: Attacks May Come From Inside Computers
Information Management Online, August 19, 2009
Shane Kite
The next wave of hacking into computers and stealing data will not be requests or code coming from remote points across the Web, security experts are warning.
Instead, the most sophisticated Trojan Horses appearing on Wall Street financial systems may be threaded into the silicon of integrated circuits by design, their malicious instructions baked right into the tiny physical aspects and intricate mapping of the chip itself, according to scientists and academics working with the National Institute of Standards and Technology, the White House and the Financial Services Information Sharing and Analysis Center in Dulles, Va.
Detecting such malware after a chip is fabricated will be extremely difficult, if not impossible, these experts say, because the microchips that run servers have millions to billions of transistors in them. Adding a few hundred or even just tens of transistors can compromise an integrated circuit, serve attackers' purposes and escape notice.
According to the Cyberspace Policy Review released by the White House in May, "documented examples exist of unambiguous, deliberate subversions" of the IT supply chain. While counterfeit products have created "the most visible" problems to date for hardware, the global nature of IT manufacturing has made subversion of computers and networks through supply chain sabotage, via subtle hardware or software manipulations, more feasible.
Law enforcement in Europe uncovered a scam late last year whereby criminals had rigged credit card readers installed at Tesco and other retail outlets there with what was essentially a tiny cell phone that was capturing all the PINs from customers who used their cards on the readers in stores and sending the data through Pakistan, though its ultimate destination remains unknown. Criminals often choose nations with porous security or limited digital forensics practices to route their booty.
"What was interesting about this is that some portion of it really was a supply chain corruption," said Scott Borg, director and chief economist (CEO) at the U.S. Cyber Consequences Unit (US-CCU), an independent, non-profit research institute. Borg's work on securing IT supply chains was cited in the president's cyber policy review.
Borg takes pains, however, to emphasize that the threat of hardware tampering occurring in the private sector remains relatively low. "Malicious software is so much easier and cheaper to distribute," he says.
Plus, the risk is huge. "There's a serious danger that the whole world would stop buying electronics from your country if it was shown that the supply chain was compromised. The main danger here is hardware bargain hunting."