[ISN] Hancock Fabrics Hackers Switch Stores' PIN Pads

From: InfoSec News <alerts_at_private>
Date: Mon, 15 Mar 2010 00:24:10 -0600 (CST)

By Andy Greenberg
The Firewall
March 12, 2010

Targeting point-of-sale devices with malicious software is standard 
practice, as the wave of retail hackings over the last few years has 
shown. But targeting them with malicious hardware -- that requires 
another level of brazenness altogether.

According to a letter that retailer Hancock Fabrics sent out to its 
customers last week, the swipe-and-type PIN pad gadgets used in debit 
and credit card transactions in several of its Wisconsin stores were 
actually stolen and replaced with "visually identical, but fraudulent, 
PIN pad units."

Hancock Fabrics didn't reveal the number of victims affected by the 
scheme, and hasn't responded to our request for more information. And 
this is nothing new, apparently. Wendy's, for instance, suffered from a 
similar pad-switching breach as early as 2007.

But when we spotted this in the Identity Theft Resource Center's breach 
report, we were impressed nonetheless: Imagine the criminal guts 
required to walk into a retail store, steal the PIN pad next to a 
register, and plant your own, malicious lookalike under the nose of 
one of your victims' employees.


Received on Sun Mar 14 2010 - 23:24:10 PDT
