Fake PIN pad units at Hancock Fabrics

[thewayne]

The Register reports that earlier this month, the Hancock Fabrics chain store published an open letter to its customers, informing them that in some of their stores the payment card terminals were replaced with "visually identical, but fraudulent PIN pad units", making it possible for criminals behind this scheme to steal payment card data such as the name on the card, its number and expiration date and PIN number when entered.

http://www.net-security.org/secworld.php?id=9033

I had not heard of this, and I know lots of people do crafty sort of things and probably go there on a regular basis.

Last week my debit card was compromised. I was compiling tax information and noticed a $94 charge with a vendor that I did not recognize. I queried the vendor info and it turned out to be a gas station in North Carolina. So now my debit card is gone, hopefully I'll have a new one before I go to Vegas next week for GTS.

The sad thing? My bank has branches in Vegas, I could have had my new card sent there. They'll only send the new card to my address on file, or to a branch. They only have one branch in Phoenix, way out in Tolleson.

Comments

[thewayne.livejournal.com]

The card reader needs to be integrated with the cash register, preferably with an encrypted key so that even a sniffer on the cable would not get clear traffic. You can also monitor reader connects/disconnects and send alerts.

[silveradept]

And how expensive would good security like this be?

[thewayne.livejournal.com]

From a hardware implementation POV, possibly zero. It's mainly software.

I'm finishing up reading Kevin Mitnick's second book, The Art of Intrusion. In it, in fact I think the first story, he describes a group who bought a video poker machine to study it for a weakness (which they found). What they were looking for was the type of CPU and the ROM which powered the machine. The ROM was not epoxied to the circuit board, so they were able to remove it and disassemble it, giving them the code to the machine.

They were then able to discover that the random number generator employed was no where near random enough. In fact, it was a predictable sequence, and they set up an analysis so that they could play the machine, and when a certain card condition occurred, they'd start a timer and then knew when a royal flush would happen.

They estimate they took over a million dollars from various casinos over a few years. Only got stopped by security once. No arrests.

There has to be physical security, so you would need a knowledgeable service tech to "pair" the reader and the register. Presumably the tech could identify and test to make sure neither side had been compromised. But then, if the bad guys threw a brick through the window of a store and stole a mated pair, then they can study it further.

It's a huge cat and mouse game, and most of the time the mouse is miles ahead of the cat.

[silveradept]

So, with physical security in place, what would it cost to build, for example, an RNG that was not easily breakable and would require juggling several complex variables in one's head to break the machine?

After all, we learned card counting and used it to great effect.

[thewayne.livejournal.com]

The particular machine that was broken didn't generate random numbers per se, it generated a random sequence, and the entire sequence was predictable. So when sequence X happened, they knew when sequence Y, the royal flush, would happen.

They had a system of using pager motors to send signals from a wearable computer. Quite clever.

Additionally, the CPU of that particular machine, was based on a 6502, the same chip in the Apple 2. Later machines used newer CPUs and more advanced RNGs, but still had problems. They also put in stronger physical security, such as epoxying the chips to the board. But they still had weaknesses that this particular team was able to exploit.

It's quite an interesting book.

The basic problem is that there's almost no such thing as a truly random number generator. It's a major field of computer science related to crypto. One of the cooler real implementations of randomization was at one of the UC campuses (IIRC) where they had two volcano lamps with digital video cameras pointed at them. through some sort of algorithm they integrated the two cameras to produce random numbers.

That I think is awfully cool.

Tom Clancy postulated a military crypto key where they bounced a radio signal off (IIRC) the Northern Lights and sing the scatter to produce, essentially, a one-time pad key, which is unbreakable for all practical purposes because the signal bounce is truly a one-time event.

I don't know if the radio bounce is a real thing, but it is also pretty cool.