By Andy Greenberg
March 12, 2010
Targeting point-of-sale devices with malicious software is standard
practice, as the wave of retail hackings over the last few years has
shown. But targeting them with malicious hardware -- that requires
another level of brazenness altogether.
According to a letter that retailer Hancock Fabrics sent out to its
customers last week, the swipe and type PIN pad gadgets used in debit
and credit card transactions in several of its Wisconsin stores were
actually stolen and replaced with "visually identical, but fraudulent,
PIN pad units."
Hancock Fabrics didn't reveal the number of victims affected by the
scheme, and hasn't responded to our request for more information. And
this is nothing new, apparently. Wendy's, for instance, suffered from a
similar pad-switching breach as early as 2007.
But when we spotted this in the Identity Theft Resource Center's breach
report, we were impressed nonetheless: Imagine the criminal guts
required to walk into a retail store, steal the PIN pad next to a
register, and plant your own, malicious lookalike under the nose of
one of your victims' employees.