The U.K.'s Dedicated Cheque and Plastic Crime Unit (DCPU) has recently uncovered a state-of-the-art social engineering scheme in which backdoored chip and PIN terminals were installed at retailers and petrol stations in an attempt to steal the credit card details passing through them. Originally, before online banking fraud grew in step with developments on the banker malware front, scammers used to rely on old-fashioned ATM skimming and fake keypad devices, installed at less popular locations because of the risk of getting caught. What this case demonstrates is that even trustworthy locations, where you'd assume a physical breach cannot take place that easily, remain vulnerable.
"According to police the tampered chip and PIN terminals are installed in (30) retail outlets and petrol stations either by someone working on the inside or by threatening staff. The criminals are then able to steal card details and PIN numbers. These are then used to create fake magnetic stripe cards containing the stolen card details, which can be used to withdraw money from cash machines or pay for goods in shops in countries that have yet to roll out chip and PIN technology."
And while the details of how they managed to install them at these popular locations without getting noticed, and whether or not insiders were involved in the scheme, remain unclear, a similar incident which recently took place in Ireland may be directly related to this one. Basically, the scammers installed the backdoored terminals by pretending to be bank technicians; the rest is fraudulent history:
"Opportunistic data thieves — masquerading as bank technicians — have fooled shop owners into giving them access to credit card terminals and managed to download the details of over 20,000 credit and debit cards, it emerged this morning. The Irish Payment Services Organisation has warned that individuals pretending to be from Irish banks convinced shop owners they were carrying out maintenance on behalf of banks. This enabled them to plug in wireless devices that pushed the data to the internet and allowed the card numbers to be used overseas."
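One defensive analysis the two reports above point to, as an added example that is not part of the original post or of any tooling from the organisations quoted: scan authorisation records for chip-capable cards that reappear as magstripe-only transactions abroad shortly after a genuine chip use, then rank the merchants those cards have in common to locate a likely tampered terminal. The record fields, the 24-hour window and the sample data are assumptions constructed for the example.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample authorisations (not real data): cards used with the chip in the
# UK, then the same card numbers presented as magstripe-only transactions abroad.
SAMPLE_AUTHS = [
    {"pan": "4111********1111", "ts": "2008-10-10T18:05", "country": "GB", "entry": "chip", "merchant": "petrol-station-12"},
    {"pan": "4111********1111", "ts": "2008-10-11T03:15", "country": "US", "entry": "magstripe", "merchant": "atm-overseas-1"},
    {"pan": "5500********0004", "ts": "2008-10-10T12:30", "country": "GB", "entry": "chip", "merchant": "supermarket-3"},
    {"pan": "5500********0004", "ts": "2008-10-10T19:00", "country": "GB", "entry": "chip", "merchant": "petrol-station-12"},
    {"pan": "5500********0004", "ts": "2008-10-11T08:45", "country": "ES", "entry": "magstripe", "merchant": "shop-overseas-7"},
    {"pan": "3400********0009", "ts": "2008-10-10T09:00", "country": "GB", "entry": "chip", "merchant": "supermarket-3"},
    {"pan": "3400********0009", "ts": "2008-10-12T09:00", "country": "FR", "entry": "chip", "merchant": "cafe-abroad-2"},
]

def flag_clone_candidates(auths, window=timedelta(hours=24)):
    """Return (pan, ts) for magstripe auths in another country shortly after a chip auth."""
    by_pan = {}
    for a in sorted(auths, key=lambda a: a["ts"]):
        by_pan.setdefault(a["pan"], []).append(a)
    hits = []
    for pan, rows in by_pan.items():
        last_chip = None  # (timestamp, country) of the most recent chip-read transaction
        for r in rows:
            ts = datetime.fromisoformat(r["ts"])
            if r["entry"] == "chip":
                last_chip = (ts, r["country"])
                continue
            # A chip card read by magstripe in a different country, close in time to a
            # genuine chip use, matches the cloned-card pattern in the quoted reports.
            if last_chip and r["country"] != last_chip[1] and ts - last_chip[0] <= window:
                hits.append((pan, r["ts"]))
    return hits

def common_point_of_purchase(auths, flagged_pans):
    """Rank merchants by how many of the flagged cards had a chip transaction there."""
    seen = Counter()
    for pan in flagged_pans:
        seen.update({a["merchant"] for a in auths if a["pan"] == pan and a["entry"] == "chip"})
    return seen.most_common()

if __name__ == "__main__":
    hits = flag_clone_candidates(SAMPLE_AUTHS)
    print(hits)
    print(common_point_of_purchase(SAMPLE_AUTHS, {pan for pan, _ in hits}))
```

The merchant shared by every flagged card is the candidate for a physical inspection of its terminal; a single shared merchant is only a lead, not proof, so the ranking is meant to prioritise checks rather than replace them.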
From a technical perspective, what these data thieves did is not rocket science; it's the direct result of a situation best described as "when the academic community is talking, nobody is listening until the criminals do their homework". For instance, the folks at the Computer Laboratory Security Group at the University of Cambridge have been extensively researching the trivial opportunities a criminal can take advantage of on his way to backdooring and tampering with chip and PIN terminals. What they're trying to achieve is to raise awareness of the fact that just because a financial institution has a Security Tips section on its web site, urging its customers to update their antivirus software, run a firewall and not open phishing emails, doesn't mean the institution shouldn't be held liable for fraudulent transactions, given the highly insecure equipment it's using in the first place. Here's some of their research worth going through:
- Chip & PIN (EMV) relay attacks
- PIN Entry Device (PED) vulnerabilities
- Chip & PIN (EMV) interceptor
- Tamper resistance of Chip & PIN (EMV) terminals
As far as online credit card fraud is concerned, a recent survey I did on the topic of whether or not stolen credit card details are getting cheaper not only revealed that it's all a matter of whom you're buying them from and how much you actually want to buy, but also that cybercriminals are applying price discrimination based on the issuing bank and the account balance at the time they last verified it. Today's availability of stolen credit card details obtained through banking malware botnets is becoming so prevalent that what used to be proprietary services, offering access to such a botnet and allowing the buyer to sniff as many credit cards and login details as he wants for a certain period of time, are going mainstream, with cybercriminals willing to sacrifice anonymity for the sake of reaching a wider audience.
What happens once the preferred tactic takes place and the credit card details get stolen through banker malware infected hosts? Over at ISS's Frequency X blog, Gunter Ollmann has been researching the availability of tools and equipment allowing cybercriminals to quickly transform the digital data they've obtained into real credit cards, and the data speaks for itself.
Never play Tetris on a backdoored terminal, and stay informed.