Millions siphoned off UK card holders accounts via Chip & PIN fraud - data centre news

Some Point of Sale machines modified to steal Chip & PIN Data

Published by Steve O'Donnell on Monday 20th October 2008, 11:25 | Related | Filed Under

I picked up an extremely interesting article in the UK’s Daily Telegraph this morning. The article claims that some Chip & PIN Point of Sale devices manufactured in China have been tampered with at source and that PIN numbers and other secure data has been sent to offshore thieves.

Dr Joel Brenner, the US National Counterintelligence Executive, warned that hundreds of chip and pin machines in stores and supermarkets across Europe have been tampered with to allow details of shoppers’ credit card accounts to be relayed to overseas fraudsters.

These details are then used to make cash withdrawals or siphon off money from card holders’ accounts in what is one of the largest scams of its kind.

In an exclusive interview with The Daily Telegraph, America’s counterintelligence chief said:

“Previously only a nation state’s intelligence service would have been capable of pulling off this type of operation. It’s scary.”

An organised crime syndicate is suspected of having tampered with the chip and pin machines, either during the manufacturing process at a factory in China, or shortly after they came off the production line.

In what is known as a “supply chain attack”, criminals managed to bypass security measures and doctor the devices before they were dispatched from the factories where they were made.

The machines were opened, tampered with and perfectly resealed, said Dr Brenner, “so that it was impossible to tell even for someone working at the factory that they had been tampered with.” They were then exported to Britain, Ireland, the Netherlands, Denmark and Belgium.

An investigation launched by Mastercard International is understood to have discovered several of the corrupted machines at British branches of Asda and Sainsbury’s.

In all, hundreds of devices in Britian and other affected countries had been copying the account details and pin numbers of thousands of credit and debit cards over the past nine months and transmitting the data via mobile phone networks to underworld electronic experts in Lahore, Pakistan.

Once MasterCard had uncovered the scam it alerted stores which set about examining tens of thousands of chip and pin machines to find out which ones had been tampered with.

The corrupted devices are an extra three to four ounces heavier because of the additional parts they contain, and the simplest way to identify them has been to weigh them.

A MasterCard International investigator said: “As recently as a month ago, there were several teams of people roaming around Europe putting the machines on scales and weighing them. It sounds kind of old school, but the only other way would be to tear them apart.”

The Chinese scam, which the investigator said had creamed tens of millions of pounds from British and other European accounts, came to light at the start of the year. MasterCard’s network experts picked up anomalies in charges being levied on its card holders and those from other issuers, including Visa, which suggested fraudulent activity.

They realised that card details were being stolen and used to produce “white”- or cloned – cards, which were in turn used to fund purchases from countries around the world. Sometimes the criminals used them to make “card-not-present” transactions – by phone or internet – for goods or services, often travel tickets.

On other occasions they would simply withdraw cash. The illicit transactions took place at least two months after the information had been stolen, making it difficult for investigators to work out what had happened.

But after six months of fruitless investigation, investigators spotted an attempt at a similar fraud on a card which had only been used in one location in Britain. The chip and pin machine from the particular store was passed to MasterCard’s international fraud lab in Manchester for inspection.

Dr Brenner, whose job is to unify counter-intelligence policy and strategy among the CIA, the FBI and US defence establishment, said the scam should act as a wake-up call to chip and pin machine manufacturers. “They have to do more testing. They have to guard that supply chain in ways that people guard the movement of jewellery, because this is value,” said Dr Brenner, who now has a group of experts dedicated to analysing this kind of threat.

Shoppers at Asda in High Wycombe, Buckinghamshire, last month reported that their cards had been used to make unauthorised withdrawals overseas after they had visited the store. One customer said 25 withdrawals from his account, totalling £1,400, had been made in the US and Pakistan.

In a statement MasterCard UK said: “We are not able to comment on specific cases or give out any details as to their specific fraud investigations.”

The Metropolitan Police referred all enquiries about the scam to Apacs, the banking payments association, which sponsors the Dedicated Cheque and Plastic Crime Unit investigating card fraud in the UK. A spokesman for Apacs said: “We have no evidence, data or intelligence pointing to a Chinese link to chip and pin fraud.” A spokesman for Asda said: “We are not aware of any new units being compromised.” A spokesman for Sainsbury’s said: “We have not had any issues with chip and pin machines being compromised at the point of manufacture.”