Police say that every chip-and-Pin terminal in the country must
be checked and modified to counter a security compromise that
cracked the payment system.
The disclosure comes after police issued a
public warning earlier this month that gangs have developed
technology to steal customer bank details from inside such
terminals.
Computer Weekly has established that a programme of carrying out
checks and modifications to every terminal in retailers throughout
the UK began behind the scenes in July.
The massive undertaking will take months to complete, although
the dedicated police unit that specialises in detecting "plastic
crime" was unable to give a precise timeframe.
Detective Chief Inspector John Folan, head of the
"dedicated cheque and plastic
crime unit" confirmed the programme. He said, "The irony is
that the system will be enhanced to make it more secure. We have
been able to see the gap in the system."
Criminals were said to be hiding devices inside terminals to
reveal Pin numbers matching credit cards, as well as obtaining data
to make cloned magnetic stripe cards. Although these do not work in
UK cash machines, criminals can use them to withdraw money in
countries that have yet to roll out chip and Pin.
They were even able to transmit that data from these devices to
a mobile phone, according to well-informed sources. This meant that
while they would have to break into terminals to insert reading
devices, they would not need to do so again to retrieve the
data.
But police were especially alarmed by compromises to various
tampering-detection systems on card terminals. These systems are
designed to send an alert down the line that the terminal has been
opened.
Folan said that modifying the tampering detection systems in
response has required both software changes that can be achieved
through "remote engineering" as well as "working through the estate
physically".
Each terminal must be checked to see whether criminals have
already inserted a data-reading device, and to make physical
changes to its tampering-detection system.
The unit began finding evidence of the compromise in May, but
was only in a position to issue precise confidential technical
advice in July on the necessary modifications to the terminals,
said Folan.
He said, "The response of the retailers has been very good. They
are doing this day and night."
Peter Sommer, visiting professor in the Information Systems
Integrity Group at the London School of Economics, questioned
whether modifications would be enough.
He said, "In the longer term, they have to reissue new terminals
that cannot be compromised quite so easily."
This would, however, depend on the relative benefits compared
with the costs, he said. "They can already make shops aware of the
risk, and rely on the detecting software to tell them which
terminals seem to be compromised."
Sources familiar with the investigation say that police
considered whether to go public about the compromise, resulting in
last week's warning.
The unit had already issued confidential advice via the UK
payments association, Apacs,
to help prevent the banking industry from being defrauded.
The benefit of going public was to alert the consumers to the
importance for them to check their statements for any fraudulent
transactions.
Folan said, "They will not be able to tell from a device that it
has been compromised. The advice is to check your statements
regularly."
Cameras above terminals filming consumers input their Pins
remains a bigger threat, he added.
Questions were raised about the security of the chip-and-Pin system
by researchers at the Cambridge University Computer Laboratory last
February.
But, security experts say, criminals have developed the
compromise a good deal further than the scientists.