Oct 13 2008
You trust your PIN Entry Device[PED] (the thing you swipe your credit card through at the checkout stand) don’t you? You might need to rethink that trust: PED boxes in Europe were tampered with, either at the factory or somewhere else in the supply chain, and had additional hardware installed to capture full stripe data as well as PIN information. The information has been getting sent back to the crime ring responsible for the compromise and is turning up in fraud cases all over the world. The funny part is the best way to distinguish a compromised machine from an uncompromised machine is to weigh them; the attack adds 3-4 ounces to the machines thanks to the additional hardware installed in them.
To me, this is one of the scariest attacks against credit cards yet. True, attacking a merchant like TJZ will get you millions of credit card numbers, but an attack against the supply chain could affect every merchant if it goes unnoticed long enough. This attack is comparatively to detect, given the extra hardware that was installed. But what if the attack had taken place one or two steps earlier in the manufacturing process and actually became part of the software in the PED boxes? I can imagine a PED box having a little extra memory installed to log all the credit card swipes it processes oin a daily basis and calling home to upload that information on a daily or weekly basis.
This is the sort of attack that could possibly go undetected for years, especially if the people doing it have a fair understanding of the credit card company anti-fraud mechanisms. It’d be easy to create an algorithm that is specifically designed to choose credit card numbers from the pool and use them in such a way as to fly under the radar with a little insider knowledge. And anyone who’s already infiltrated the manufacturing companies will have a good chance at infiltrating other aspects of the process as well.
It took nine months for the authorities to track down and report on this breach of the supply chain. The people who pulled it off knew what they were doing and knew how to make their devices look like they’d never been tampered with. The authorities caught on, but the next time someone pulls this off, they’ll be smarter and it’ll be even harder to catch them.
This is just one more reason you should never use your debit card anywhere other than at a bank. When your credit card is compromised, you’re only responsible for the first $50; if your debit card is compromised, it all depends on how nice your bank decides they want to be. Do you want to rely on your bank’s charity? I sure as heck don’t.
One Response to “Supply chain attack on credit cards in Europe”