Inside job: anatomy of a bank card heist
Posted on 26 Jul 2011 at 17:21
How high-tech card data thieves tap into payments systems to harvest details
Online attacks aren't the only way to grab credit card details - criminals are targeting card reader machines directly inside shops.
However, it can be easier to head straight for the source to get live, valid card details – and that means the point-of-sale terminals where the cards are actually used. Criminals use all manner of techniques to steal details: hacking keypads, replacing circuit boards and setting up their own wireless connections.
Cracked terminals can remain in use for months, according to experts.
"A criminal gang will notice that one terminal type is getting more popular, so it will figure out how to compromise it," said Simon Gamble, founder of Mako Networks, which advises companies on PCI DSS security compliance. “It goes on a lot.”
Earlier this month, the US craft store Michaels had to replace card readers after it was discovered that terminals in 80 shops had been tampered with. Thin keypads had been inserted into the devices between the original pad and sensors, allowing hackers to read PINs as they were entered.
The problem is not limited to the US. Similar crimes have been taking place in the UK for several years.
“It's happened a lot here,” said Ross Anderson, a security expert at the University of Cambridge's Computer Laboratory.
“Shell had to swap out all its chip-and-pin terminals back in about 1995, which led to the demise of its supplier. And we had a couple of hundred people who used cards at the BP garage in Girton finding ATM transactions in Thailand on their accounts.”
While the concept may not be new, criminals are constantly looking for new ways to beat the systems put in place to foil their attempts to tamper with the equipment.
Beating the system
Hidden within the terminals are anti-tamper switches that render the devices useless to criminals. By de-constructing the hardware, crooks are able to nullify these traps.
“First off, they'll steal one from a store. They'll crack it open and in the process they will destroy it, because the terminal vendors or the card reader manufacturers put a lot of effort into putting tamper-proof micro-switches into the terminal to stop people from being able to crack them,” said Gamble.
“Once they've worked out where all the micro-switches are, they'll make a template... so when they steal another one they can drill a little hole which they can stick super-glue through, which will hold the micro-switch down so they can get the casing off without destroying the machine.”
Once inside a device, the tech-savvy crooks add their own hardware to the mix, before resealing the device to look exactly as it did before.
“They'll add another circuit board in there, which scrapes the relevant data while leaving the terminal working like it should,” Gamble said. “Then it will send, wirelessly, that scraped data to a laptop that's sitting in a roof cavity or a van outside.”