Davey Winder's Blog

Every little helps chip-and-pin thieves

By Davey Winder in Editorial

Posted in Data Protection, Blog, e-commerce on October 12, 2008 at 12:11 pm


Blimey, just as I was about to leave for the regular weekly family supermarket hike to Tesco I have to go and read this rather disturbing news story from someone whose opinion on matters ITsec related I value very highly indeed.

Graham Cluley first got wind of the fact that there might be something fishy going on at the supermarket checkout a couple of months back, following a number of reports from local newspaper journalists asking if he knew anything about credit card fraud at the supermarket. It seems that readers of local newspapers had been getting in touch to suggest particular supermarket branches had been involved in some kind of chip and pin fraud.

Now the story has exploded into the national newspapers, with The Telegraph reporting how hundreds of the chip and pin payment machines used in supermarkets across Europe have been tampered with to steal your credit card data.

OK, so there is nothing new in the old double swipe, or the false front card reader for ATM machines, and even the odd bit of WiFi phreakery to do this sort of thing. But this is different: this, the reports suggest, involves the terminals you use at the checkout actually having been tampered with before they shipped. Internally, so that there is no way of telling from an external examination that the device is compromised.

The head of the US National Counter Intelligence Executive warns that suspect devices have been shipped to Britain, Belgium, Denmark, Ireland, and the Netherlands. All with hidden hardware that can transmit card data via the mobile phone network to the criminal ring behind the scam based in Lahore, Pakistan.

Amongst the supermarkets said to have been affected in the UK are market leaders Tesco, Asda and Sainsbury’s. Graham Cluley says that supermarkets are now “weighing chip-and-pin devices to determine if they were compromised or not, as affected machines weighed three to four ounces heavier.”

Perhaps the most worrying of all is that this time the thieves have been clever. Patient and clever. They did not cash in on the stolen data immediately, as is the usual pattern of such things, but instead waited a couple of months to make tracking back the root of the data loss that much harder.

Cluley says that buying goods in a respected supermarket should be safe, however he does warn that “Retailers are going to have to do more in future to ensure the integrity of their payment devices is utterly without question, and to guard the supply of such devices from factory to supermarket checkout, or risk losing the confidence of their customers.”

It is also disturbing as it means that, although previous news reports have suggested that credit card crime has been driven overseas, the UK is actually still at risk.

 
Comments

Comment by Roger - October 13, 2008 on 9:58 am

Such crimes would be prevented if banks use the Card Key Code system described on the website www.xwave.co.uk

Virtually all fraud crimes will be a thing of the past if banks make signature and PIN systems reliable as proposed.

Comment by Mike Russell - October 14, 2008 on 11:57 am

If you follow to the video, you see, or rather hear, the problem: “Banks & institutions refuse to even listen.” No doubt there are people whose reputations sit on the current system. Were it to be demonstrated to be woefully inadequate (we all know it is..) then these well-placed individuals would lose face. That will never happen.
