14 DAY TRIAL // The US National Counterintelligence Executive, Joel Brenner, announced that an organized crime group succeeded into tampering with commercial credit card readers which were shipped to and installed in retail stores around Europe. These devices are believed to have been in use for at least nine months before they were discovered and the fraud amounts to millions of euros.
The devices were modified, by adding hardware, in order to send credit card details over mobile telephone networks to the scammers. The scam is particularly important due to its complexity, scale and techniques used, which led the authorities to think that an organized crime group is responsible.
Mr. Brenner believes that the devices were modified before being shipped from the factory in China, which could either mean that the criminals got unauthorized access to the factory or that it was an inside job. The factory workers would have had a very small chance of noticing the mischief because there was no visible physical trace of tampering on the devices.
In fact, they were so accurately put back together that there is no way of telling which is good and which is bad except for weighing them or taking them all apart. The modified devices weight a bit more than a normal device because of the additional hardware they feature. The scam was uncovered by Mastercard after they received complaints of unapproved overseas withdrawals from numerous accounts.
The fraudsters were very organized and they were waiting for at least two months after a card's details were compromised before cloning one based on them. This was aimed at making it difficult to track when and where the compromise occurred. They were then using the fake cards to withdraw money from ATMs in countries that do no use the additional chip verification system, like US or Pakistan.
The seriousness of this scam should alert all major retail chains that they might lose customer confidence if they do not adopt more strict policies and enforce additional product quality testing before such devices are cleared to be used. Not long ago, a similar scam was discovered in stores in Ireland, where scammers posing as tech service personnel tampered with legit card readers in order to receive the card details over a Wi-Fi connection.
"Previously only a nation state's intelligence service would have been capable of pulling off this type of operation. It's scary," commented Mr. Brenner for The Daily Telegraph, while Graham Cluley, Senior Technology Consultant at Sophos, wrote on his blog that “to hear that the problem may indeed have been nationwide, and indeed a problem across other countries in Europe, puts this crime into a whole new league”.