Police warn of security threat to every chip-and-Pin terminal

Police say that every chip-and-Pin terminal in the country must be checked and modified to counter a security compromise that cracked the payment system.


Police say that every chip-and-Pin terminal in the country must be checked and modified to counter a security compromise that cracked the payment system.

The disclosure comes after police issued a public warning earlier this month that gangs have developed technology to steal customer bank details from inside such terminals.

Computer Weekly has established that a programme of carrying out checks and modifications to every terminal in retailers throughout the UK began behind the scenes in July.

The massive undertaking will take months to complete, although the dedicated police unit that specialises in detecting "plastic crime" was unable to give a precise timeframe.

Detective Chief Inspector John Folan, head of the "dedicated cheque and plastic crime unit" confirmed the programme. He said, "The irony is that the system will be enhanced to make it more secure. We have been able to see the gap in the system."

Criminals were said to be hiding devices inside terminals to reveal Pin numbers matching credit cards, as well as obtaining data to make cloned magnetic stripe cards. Although these do not work in UK cash machines, criminals can use them to withdraw money in countries that have yet to roll out chip and Pin.

They were even able to transmit that data from these devices to a mobile phone, according to well-informed sources. This meant that while they would have to break into terminals to insert reading devices, they would not need to do so again to retrieve the data.

But police were especially alarmed by compromises to various tampering-detection systems on card terminals. These systems are designed to send an alert down the line that the terminal has been opened.

Folan said that modifying the tampering detection systems in response has required both software changes that can be achieved through "remote engineering" as well as "working through the estate physically".

Each terminal must be checked to see whether criminals have already inserted a data-reading device, and to make physical changes to its tampering-detection system.

The unit began finding evidence of the compromise in May, but was only in a position to issue precise confidential technical advice in July on the necessary modifications to the terminals, said Folan.

He said, "The response of the retailers has been very good. They are doing this day and night."

Peter Sommer, visiting professor in the Information Systems Integrity Group at the London School of Economics, questioned whether modifications would be enough.

He said, "In the longer term, they have to reissue new terminals that cannot be compromised quite so easily."

This would, however, depend on the relative benefits compared with the costs, he said. "They can already make shops aware of the risk, and rely on the detecting software to tell them which terminals seem to be compromised."

Sources familiar with the investigation say that police considered whether to go public about the compromise, resulting in last week's warning.

The unit had already issued confidential advice via the UK payments association, Apacs, to help prevent the banking industry from being defrauded.

The benefit of going public was to alert the consumers to the importance for them to check their statements for any fraudulent transactions.

Folan said, "They will not be able to tell from a device that it has been compromised. The advice is to check your statements regularly."

Cameras above terminals filming consumers input their Pins remains a bigger threat, he added.

Questions were raised about the security of the chip-and-Pin system by researchers at the Cambridge University Computer Laboratory last February.

But, security experts say, criminals have developed the compromise a good deal further than the scientists.

Read more on Antivirus, firewall and IDS products