The Null Device
2008/10/15
It has emerged that organised crime gangs modified hundreds of credit/debit card terminals at the Chinese factory they were made at, installing a GSM module and SIM card, which was then used to send stolen credit card data to a number in Pakistan, and also receive instructions on what to target. The terminals, which were distributed across Europe, remained undetected for a long time, stealing only small numbers of details, only arousing suspicion when a security guard noticed mobile phone interference near the checkout area.
The corrupted devices are an extra three to four ounces heavier because of the additional parts they contain, and the simplest way to identify them has been to weigh them. A MasterCard International investigator said: "As recently as a month ago, there were several teams of people roaming around Europe putting the machines on scales and weighing them. It sounds kind of old school, but the only other way would be to tear them apart."
The illicit transactions took place at least two months after the information had been stolen, making it difficult for investigators to work out what had happened.
But after six months of fruitless investigation, investigators spotted an attempt at a similar fraud on a card which had only been used in one location in Britain. The chip and pin machine from the particular store was passed to MasterCard's international fraud lab in Manchester for inspection.There has been no announcement of anybody having been arrested, and the criminals got away with a tidy profit, so one can probably chalk this down as a success for the criminals, and a serious failure of security (for one, the chip-and-pin protocols governing communication between the chip on the card, the reader and the network seems to be too weak by far if they allow a card to be cloned; shouldn't the system be using some form of challenge-response security rather than handing all the information over in one go)?