Supply chain attack

A supply chain attack is a cryptographic attack where a product, typically a device that performs encryption or secure transactions, is tampered with during manufacture or while it is still in the supply chain by persons with physical access. The tampering may, for example, install a rootkit or hardware-based spying components.

Description

In October 2008, Dr Joel Brenner of the National Counterintelligence Executive warned that Chip and PIN credit card readers used at point of sale in Europe had been tampered with, either where they were manufactured or while in transit to financial institutions.[1] Credit card information intercepted by the rogue devices was being relayed back to criminals via the mobile phone network.

According to MasterCard, the easiest way to identify devices that have been tampered with is to weigh them, as the rogue devices weigh 4 ounces (110 g) more than the authentic ones because of the addition of hardware-based spy components.[2][3]

References

  1. Austin Modine (2008-10-10). "Organized crime tampers with European card swipe devices". The Register. Retrieved 2009-04-18.
  2. Henry Samuel (2008-10-10). "Chip and pin scam 'has netted millions from British shoppers'". The Telegraph. Retrieved 2008-10-13.
  3. Siobhan Gorman (2008-10-11). "Fraud Ring Funnels Data From Cards to Pakistan". Wall Street Journal. Retrieved 2008-10-13.