Chip-and-pin fraud hits European supermarkets

Filed Under: Malware

Circuit board

If you thought living a secure life was hard enough with email phishing, keylogging spyware, backdoor Trojan horses, wi-fi hijacking and compromised websites here comes another thing to worry about.

According to British newspaper The Daily Telegraph this weekend, hundreds of chip and pin payments in European supermarkets have been tampered with to steal shoppers' credit card details.

Dr Joel Brenner, the head of the US National Counterintelligence Executive, told the newspaper that chip and pin devices exported to Britain, Belgium, Denmark, Ireland, and the Netherlands, were implanted with additional hardware that transmitted credit and debit card data via the mobile phone network to criminals in Lahore, Pakistan.

Hundreds of the tampered devices, which cannot be recognised as dangerous without opening as there is no external sign of interference, are said to have been found at affected countries, including reportedly at some British branches of Tesco, Asda (a subsidiary of Wal-Mart) and Sainsbury's. According to reports, supermarkets were weighing chip-and-pin devices to determine if they were compromised or not, as affected machines weighed three to four ounces heavier.

Once hackers had acquired stolen credit card information they did not steal cash or order goods online. Instead, they waited.

Waiting at least two months before making fraudulent withdrawals and payments made it harder for victims to piece together where their details may have been stolen. Thus undoubtedly meant it took the authorities much longer to identify how the crimes were being committed.

I first heard rumours of this huge data heist a few months ago, when local newspaper reporters called me saying that readers had contacted them, complaining of credit card fraud, but could only identify a particular supermarket branch they shopped in as a common thread.

To hear that the problem may indeed have been nationwide, and indeed a problem across other countries in Europe, puts this crime into a whole new league. There is next to nothing that consumers can do to protect themselves against this type of theft. What are people supposed to do? Take a set of kitchen scales with them when they go shopping and weigh the chip-and-pin machine before they swipe their card?? Buying goods in a respected supermarket should be safe.

Retailers are going to have to do more in future to ensure the integrity of their payment devices is utterly without question, and to guard the supply of such devices from factory to supermarket checkout, or risk losing the confidence of their customers.

You might like

About the author

Graham Cluley runs his own award-winning computer security blog, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Send Graham an email, subscribe to his updates on Facebook, follow him on Twitter and App.net, and circle him on Google Plus for regular updates.