Why End-to-End Security is Important

The Telegraph reports:

…hundreds of chip and pin machines in stores and supermarkets across Europe have been tampered with to allow details of shoppers’ credit card accounts to be relayed to overseas fraudsters.

These details are then used to make cash withdrawals or siphon off money from card holders’ accounts in what is one of the largest scams of its kind.

…America’s counterintelligence chief said: "Previously only a nation state’s intelligence service would have been capable of pulling off this type of operation. It’s scary."

An organised crime syndicate is suspected of having tampered with the chip and pin machines, either during the manufacturing process at a factory in China, or shortly after they came off the production line.

This is why using the idea of a claims transformer as the general panacea for identity issues has always been very scary to me: if you have a good claims transformer, you don’t really (want to) know that it is there, but your security depends on the security of each and every claims transformer in the chain.

Here, nobody thought that the card reader (a claims transformer) was even a possible security issue. How many more claims transformers are there in the credit card (or any other) value chain, and how many of them are susceptible to similar attacks? I think we’ll only know after the next attack has been detected on the next claims transformer in the chain … one by one … and that’s even more scary.
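To make the chain argument concrete, here is an added example (not code from the post): a small authorisation claim crosses three claims transformers, one of which has been compromised. In the hop-by-hop design each transformer only checks its predecessor and re-seals for the next one, so the issuer accepts whatever the last honest hop forwarded; in the end-to-end design the origin seals the claim for the issuer alone, so the altered claim is rejected. Hop names, keys and which hop is compromised are constructed for the demo.

```python
import hmac, hashlib, json

# Constructed demo: hop names, keys and the compromised hop are assumptions.
HOPS = [("reader", b"k-reader", False), ("store", b"k-store", True), ("acquirer", b"k-acquirer", False)]
ISSUER_KEY = b"k-issuer"

def seal(claim, key):
    body = json.dumps(claim, sort_keys=True).encode()
    return {"body": body, "tag": hmac.new(key, body, hashlib.sha256).digest()}

def verify(env, key):
    """Return the claim if the tag checks out under `key`, else None."""
    tag = hmac.new(key, env["body"], hashlib.sha256).digest()
    return json.loads(env["body"]) if hmac.compare_digest(tag, env["tag"]) else None

def tamper(claim):
    # What a compromised transformer does to the claim it relays.
    return {**claim, "amount": claim["amount"] * 100}

def hop_by_hop(claim, hops=HOPS, issuer_key=ISSUER_KEY):
    """Each hop verifies only its predecessor and re-seals for the next one,
    so the issuer's check passes as long as the last hop was honest."""
    env = seal(claim, hops[0][1])
    for i, (name, key, compromised) in enumerate(hops):
        claim = verify(env, key)
        if claim is None:
            return None
        if compromised:
            claim = tamper(claim)
        next_key = hops[i + 1][1] if i + 1 < len(hops) else issuer_key
        env = seal(claim, next_key)
    return verify(env, issuer_key)

def end_to_end(claim, hops=HOPS, issuer_key=ISSUER_KEY):
    """The origin seals for the issuer; hops only forward. A compromised hop can
    rewrite the body but not the tag, so the issuer rejects the altered claim."""
    env = seal(claim, issuer_key)
    for name, key, compromised in hops:
        if compromised:
            body = json.dumps(tamper(json.loads(env["body"])), sort_keys=True).encode()
            env = {"body": body, "tag": env["tag"]}
    return verify(env, issuer_key)

if __name__ == "__main__":
    claim = {"pan_last4": "1234", "amount": 20}
    print("hop-by-hop:", hop_by_hop(claim))  # tampered amount 2000 is accepted
    print("end-to-end:", end_to_end(claim))  # None: tampering detected at the issuer
```

The same HMAC seal would of course also need to cover confidentiality (encrypting the sensitive fields for the issuer) to address the card-detail skimming in the story; the example isolates the integrity half of the argument.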

It’s also a very good example of how what works within an enterprise has little or no bearing on whether it works for a whole value chain, or for the whole internet: in an enterprise you can enumerate and watch your claims transformers, even if it’s hard. If you go beyond the enterprise, it’s almost ridiculous even to try …
