Inside job: anatomy of a bank card heist
Posted on 26 Jul 2011 at 17:21
How high-tech card data thieves tap into payments systems to harvest details
Online attacks aren't the only way to grab credit card details - criminals are targeting card reader machines directly inside shops.
With high-profile attacks on Sony and retailers such as Lush, it's easy to think that card data theft is exclusively an online problem.
However, it can be easier to head straight for the source to get live, valid card details – and that means the point-of-sale terminals where the cards are actually used. Criminals use all manner of techniques to steal details, hacking keypads, replacing circuit boards and setting up their own wireless connection.
Cracked terminals can remain in use for months, according to experts.
"A criminal gang will notice that one terminal type is getting more popular, so it will figure out how to compromise it," said Simon Gamble, founder of Mako Networks, which advises companies on PCI DSS security compliance. “It goes on a lot.”
Earlier this month, the US craft store Michaels had to replace card readers after it was discovered that terminals in 80 shops had been tampered with. Thin keypads had been inserted into the devices between the original pad and sensors, allowing hackers to read PINs as they were entered.
UK problem
The problem is not limited to the US. Similar crimes have been taking place in the UK for several years.
“It's happened a lot here,” said Ross Anderson, a security expert at the University of Cambridge's Computer Laboratory.
“Shell had to swap out all its chip-and-pin terminals back in about 1995, which led to the demise of its supplier. And we had a couple of hundred people who used cards at the BP garage in Girton finding ATM transactions in Thailand on their accounts.”
While the concept may not be new, criminals are constantly looking for new ways to beat the systems put in place to foil their attempts to tamper with the equipment.
Beating the system
Hidden within the terminals are anti-tamper switches that render the devices useless to criminals. By de-constructing the hardware, crooks are able to nullify these traps.
“First off, they'll steal one from a store. They'll crack it open and in the process they will destroy it, because the terminal vendors or the card reader manufacturers put a lot of effort into putting tamper-proof micro-switches into the terminal to stop people from being able to crack them,” said Gamble.
“Once they've worked out where all the micro-switches are, they'll make a template... so when they steal another one they can drill a little hole which they can stick super-glue through, which will hold the micro-switch down so they can get the casing off without destroying the machine.”
Once inside a device, the tech-savvy crooks add their own hardware to the mix, before resealing the device to look exactly as it did before.
“They'll add another circuit board in there, which scrapes the relevant data while leaving the terminal working like it should,” Gamble said. “Then it will send, wirelessly, that scraped data to a laptop that's sitting in a roof cavity or a van outside.”

