Attackers Tamper With Credit Card Scanners To Steal Personal Data

from the bait-and-switch dept

Tue, Feb 20th 2007 9:12am — Joseph Weisenthal

A recently announced vulnerability of Chip and PIN payment terminals in the UK was predicated on the idea that attackers could somehow remove the devices and then replace them with something identical looking that would swipe information off of shoppers' payment cards. There were a few aspects of the attack that seemed impractical, but perhaps the removal of the machine was not one of them. This week, in Boston, a supermarket chain announced that attackers had stolen data from many of the store's customers by removing and modifying a few credit card readers. How the attackers got the readers to transmit the data back to them is unclear, as the store is remaining tight-lipped on the technical details of the attack. Of course, it now says that it has locked down all of its readers so as to prevent this from happening again. That seems like an obviously good idea; why is it, though, that these measures like these are only taken after a breach?

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

7 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

IT, 20 Feb 2007 @ 10:08am

seriously
Most security measures are only taken after a major theft, take Walmart for instance, where a series of robberies took place in Florida where two men dressed as store employees went through the unattended registers, emptying the larger denomination cash bills into bank bags, moving slowly, looking bored, using keys made for Walmart by NCR. This prompted WM to change the keys to the registers in many of their stores, so that few keys will work between different stores in the chin.
[ link to this | view in chronology ]
Aliyah, 20 Feb 2007 @ 10:22am

No Organization is Perfect
We never had tamper-proof packaging until some idiot decided to put cyanide into Tylenol caplets. I don't expect a store chain to be able to anticipate every possible security breach before it happens. They would spend too much time and money second-guessing the criminals. It's easier to fix the damage and make sure that it doesn't happen the next time.
[ link to this | view in chronology ]
Anonymous Coward, 20 Feb 2007 @ 10:32am

Shaws or S&S
[ link to this | view in chronology ]
Anonymous Coward, 20 Feb 2007 @ 1:00pm

S&S:

http://www.boston.com/business/articles/2007/02/19/stop__shop_reports_credit_data_was_st olen/
[ link to this | view in chronology ]
Sanguine Dream, 20 Feb 2007 @ 1:06pm

I wanna know...

How the attackers got the readers to transmit the data back to them is unclear, as the store is remaining tight-lipped on the technical details of the attack.

How did the attacker get their hands on the machines to modify them?
[ link to this | view in chronology ]
Sean, 20 Feb 2007 @ 1:29pm

How did they do it?
Sounds like an inside job to me!
[ link to this | view in chronology ]
Merchent, 13 Jun 2007 @ 11:08am

Security Measures...
It seems they based their security on the good will and faith of people being honest. Locked down now, I thought most companies did that sort of thing off the top!
[ link to this | view in chronology ]