
Security Hole in Payments Terminal Supply Chain

Posted by John B. Frank Monday, October 20, 2008

Javelin Strategy and Research » A security hole in the payments supply chain
written by Tom Wills

Supply chain security is a term most often associated with the risk of terrorists planting dirty bombs in shipping containers. But last week it claimed its place in the payments industry lexicon when a big compromise of the supply chain feeding the EMV-based Chip & PIN payments ecosystem came to light in the UK.

It seems that criminals implanted invisible electronic components in a batch of newly-manufactured Chip & PIN point of sale terminals destined for the UK and other European countries, which siphoned off account information when cards were read during a purchase, then sent it over to Lahore, Pakistan, where other evildoers captured it and proceeded to rack up “tens of millions” (of Pounds, which means even more tens of millions of Dollars) in bogus transactions. The tampering happened either at the factory in China where the terminals were manufactured, or shortly afterwards while in transit.

This is big, not only because of the major fraud losses involved, but because it represents a whole new threat category in the industry which will take considerable effort, coordination and expense to protect against. Think about it … how do you secure a factory that makes POS terminals (which is likely to be in a country where security is a big challenge to begin with), and the containers the products are put in for shipment, and the trucks or trains that take them from the factory to the seaport, and the ships that take them across the ocean to their destination markets, then another port and more trucks and trains, and the warehouse they end up in before being distributed via even more trucks to the merchants who finally put them on their countertops to take card payments?

It’s non-trivial, and judging from the magnitude of this incident, non-optional as well. And there’s the question of who will pay for all this security. The card companies may pressure the terminal vendors to take this on, but tackling it thoroughly is likely to be beyond their budget, or that of any individual player in the supply chain. I’ll be really interested to see how this story unfolds, especially if the bad guys feel inspired to repeat this kind of attack, which wouldn’t surprise me a bit.
