Visa recommends weighing card readers to detect tampering
According to reports, Visa has revoked security approval for two Ingenico card readers (3070MP01 and i3070EP01), apparently in response to successful modification by skimmers. By adding extra electronic components, the skimmers were able to store and later retrieve credit card details and PINs. The compromised PIN entry devices (PEDs) are reportedly old models used primarily in the US. Visa has also published a list of other PEDs that do not meet the PCI standard and are frequent targets of skimming attacks.
Although this type of attack is not a new phenomenon, Visa's response is, according to industry experts, surprising. The report states that this is the first time a specific vendor has been named and the first time Visa has admitted that a PCI-compliant retailer has fallen victim to an attack. The specifications contained in the Payment Card Industry Data Security Standard (PCI DSS) are intended to prevent attacks on computers and credit card systems.
Although the number of compromised PEDs appears to be on the rise, an internal Visa memo states that approval of the devices was revoked as a purely precautionary measure. Visa is also advising retailers to always verify the identity of repair technicians and to monitor them while they are working. It further recommends weighing terminals periodically to detect any discrepancies due to inserted devices.
Protection can also be realised through the use of terminal authentication systems, in which a host continually checks the internal serial number, availability and integrity of the PED. This prevents a PED from being replaced by an unauthorised device.
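The host-side check such a terminal authentication system performs, as an added example that is not from the article or from any vendor's product: the host challenges each registered PED with a fresh nonce and verifies the reported serial number, firmware hash and availability against its own record. The device record, shared per-device key and hash values are constructed for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional, Tuple

# Hypothetical host-side record of a deployed PED: its serial number, the expected
# hash of its firmware image and a per-device secret shared with the host.
@dataclass
class RegisteredPed:
    serial: str
    firmware_hash: str
    key: bytes

class SimulatedPed:
    """Stand-in for a terminal answering the host's challenge (constructed)."""
    def __init__(self, serial: str, firmware_hash: str, key: bytes):
        self.serial, self.firmware_hash, self.key = serial, firmware_hash, key

    def respond(self, nonce: bytes) -> Tuple[str, str, str]:
        # The PED reports its serial and measured firmware hash and binds both to
        # the host's nonce with an HMAC, so a recorded reply cannot be replayed.
        msg = nonce + self.serial.encode() + self.firmware_hash.encode()
        return self.serial, self.firmware_hash, hmac.new(self.key, msg, hashlib.sha256).hexdigest()

def verify_ped(reg: RegisteredPed, nonce: bytes, reply: Optional[Tuple[str, str, str]]) -> list:
    """Return a list of findings; an empty list means the PED checked out."""
    if reply is None:
        return ["unavailable"]          # terminal silent: unplugged or swapped out
    serial, fw_hash, mac = reply
    findings = []
    if serial != reg.serial:
        findings.append("serial mismatch")
    if fw_hash != reg.firmware_hash:
        findings.append("firmware hash mismatch")
    expected = hmac.new(reg.key, nonce + serial.encode() + fw_hash.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):
        findings.append("authentication failed")   # device does not hold the registered key
    return findings

def poll(reg: RegisteredPed, ped: Optional[SimulatedPed]) -> list:
    """One polling round: fresh nonce, challenge the terminal, verify the reply."""
    nonce = os.urandom(16)
    return verify_ped(reg, nonce, ped.respond(nonce) if ped else None)

if __name__ == "__main__":
    reg = RegisteredPed("PED-0001", "a1b2c3", b"per-device-secret")
    print(poll(reg, SimulatedPed("PED-0001", "a1b2c3", b"per-device-secret")))  # []
    print(poll(reg, SimulatedPed("PED-0001", "a1b2c3", b"wrong-key")))          # ['authentication failed']
    print(poll(reg, SimulatedPed("PED-0001", "deadbe", b"per-device-secret")))  # ['firmware hash mismatch']
    print(poll(reg, None))                                                     # ['unavailable']
```

A reported firmware hash is only as trustworthy as the component that measures it, so in a real deployment the integrity claim has to come from the PED's tamper-responsive security module rather than from firmware the attacker may have replaced.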
Modification of terminals is not restricted to those already in use by retailers: in late 2008, US investigators and MasterCard tracked down a group of criminals who were modifying card readers during manufacture. The devices still passed security tests and, according to a Daily Telegraph report, hundreds of them were supplied to retailers. The captured data was forwarded to a criminal in Pakistan over the mobile phone network. In response, MasterCard sent teams around Europe equipped with scales to identify the tampered terminals by weight.