Forget Fancy Hacking, Card-Data Theft Is Now All About PIN Pads

A ring of Canadian thieves who were caught with 30,700 stolen payment-card numbers is providing a view inside the process of tampering with PIN pads—and it's not pretty. On November 9, Toronto police said a five-man gang arrested in September had tens of thousands of stolen card numbers on PCs and USB thumb-drives, along with at least a dozen stolen POS devices.

It's the PIN pads that are disturbing. They make it clear this gang was regularly swapping compromised PIN pads for the legitimate versions on retailers' counters. Even more disturbing: It wasn't the PIN pads that got these thieves caught.

The gang members were arrested after a months-long investigation into a sudden rise in the use of fraudulent payment cards to buy transit passes at Toronto Metro kiosks. Once the spike in fake cards appeared, the transit agency worked with its card processor to match time stamps on fraudulent purchases with surveillance camera images. That made it possible to pick up the five members of the gang, headed by Umasangar Ramasamy, on September 27 after they had just bought 29 more monthly transit passes.

A search of Ramasamy's condo the next day turned up more than 250 counterfeit debit cards, four computers, credit-card readers and writers, and at least a dozen PIN pads of several different models.

"Most of them have been ripped apart," Toronto Police Detective Ian Nichol told a press conference a few days later. "They're essentially used as a parts Christmas tree to build point-of-sale terminals, altered ones that are capable of capturing credit-card data and personal identification numbers."

In other words, this gang was allegedly modifying several different models of PIN pads, then swapping them for legitimate PIN pads on retailers' counters. That means they were doing it at multiple retailers, and doing it easily enough that they believed an assembly-line approach made sense.

Based on the volume of card numbers involved, police said they believe the operation wasn't confined to Toronto. As of last week, the gang's alleged fraudulent transactions identified so far totaled $350,000.

Police also didn't identify any of the retailers, so it's possible that the thieves collected 30,000 card numbers from PIN pads in mom-and-pop stores. Raise your hand if you think that's likely.

Understand, there's no reason to believe this gang was operating on the scale of those targeting U.S. chains in recent years—most recently Barnes & Noble, where 63 stores in several states across the country had compromised PIN pads. Or at least there's no way of knowing right now. A similar group of U.S. thieves actually farmed out the work of getting cash from stolen card numbers to street-gang members. This Canadian gang seems to have done it all themselves.

It seems they didn't need a sophisticated organization or highly sophisticated tools or skills. The retailers made it easy for them. The thieves just had to know how to tamper with a PIN pad and then deftly swap it in on the counter.

That wouldn't have been possible if the merchants (or their processors) checked electronic serial numbers on the PIN pads with each transaction, or closely monitored network logs to make sure the connection to the PIN pad was never broken.
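As an added illustration of those two checks (this is constructed example code, not something from the article or from any processor's software), the script below compares the serial each PIN pad reports per transaction against the serial registered for that lane, scans a switch log for link-down events on the ports that carry PIN pads, and then correlates the two: a link drop followed by a serial mismatch on the same lane is the pattern a counter swap leaves behind. The lane inventory, the transaction records, the log format and the port-to-lane mapping are all assumptions made up for the example.

```python
"""Added example: spotting a swapped PIN pad from transaction and network logs.

Everything here (inventory, transaction records, switch log format) is
constructed for illustration and does not describe any real merchant system.
"""
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed inventory: the serial recorded for each lane when the pad was installed.
REGISTERED_PADS = {
    "lane-01": "SN-A1B2C3",
    "lane-02": "SN-D4E5F6",
}

# Constructed transaction records: (lane, serial the pad reported, ISO timestamp).
SAMPLE_TRANSACTIONS = [
    ("lane-01", "SN-A1B2C3", "2012-11-01T09:02:11"),
    ("lane-02", "SN-D4E5F6", "2012-11-01T09:05:40"),
    ("lane-02", "SN-ZZ9999", "2012-11-01T14:31:02"),  # serial no longer matches
    ("lane-03", "SN-Q7R8S9", "2012-11-01T15:00:00"),  # lane was never registered
]

# Constructed switch log; the port-to-lane mapping below is an assumption.
SAMPLE_NETLOG = """\
2012-11-01 14:20:05 sw1 port eth 1/1 link up
2012-11-01 14:27:18 sw1 port eth 1/2 link down
2012-11-01 14:29:51 sw1 port eth 1/2 link up
"""
PORT_TO_LANE = {"eth 1/1": "lane-01", "eth 1/2": "lane-02"}


@dataclass(frozen=True)
class Alert:
    lane: str
    when: str
    reason: str


def check_serials(transactions, registered=REGISTERED_PADS):
    """Flag every transaction whose reported serial differs from the lane's registered pad."""
    alerts = []
    for lane, serial, ts in transactions:
        expected = registered.get(lane)
        if expected is None:
            alerts.append(Alert(lane, ts, f"unregistered lane reported serial {serial}"))
        elif serial != expected:
            alerts.append(Alert(lane, ts, f"serial {serial} != registered {expected}"))
    return alerts


# Matches the constructed log format: "<date> <time> <switch> port <port> link down".
LINK_DOWN = re.compile(r"^(\S+ \S+) \S+ port (eth \d+/\d+) link down$")


def check_link_drops(netlog, port_to_lane=PORT_TO_LANE):
    """Flag every link-down event on a switch port that carries a PIN pad."""
    alerts = []
    for line in netlog.splitlines():
        m = LINK_DOWN.match(line)
        if m and m.group(2) in port_to_lane:
            alerts.append(Alert(port_to_lane[m.group(2)], m.group(1), f"link down on {m.group(2)}"))
    return alerts


def correlate(serial_alerts, link_alerts):
    """Return lanes where a link drop precedes a serial mismatch: the swap fingerprint."""
    first_drop = {}
    for a in link_alerts:
        t = datetime.fromisoformat(a.when)
        first_drop[a.lane] = min(t, first_drop.get(a.lane, t))
    suspects = set()
    for a in serial_alerts:
        if a.lane in first_drop and first_drop[a.lane] < datetime.fromisoformat(a.when):
            suspects.add(a.lane)
    return sorted(suspects)


if __name__ == "__main__":
    serial_alerts = check_serials(SAMPLE_TRANSACTIONS)
    link_alerts = check_link_drops(SAMPLE_NETLOG)
    for a in serial_alerts + link_alerts:
        print(f"{a.when} {a.lane}: {a.reason}")
    print("swap suspected on:", correlate(serial_alerts, link_alerts))
```

Run as-is it reports the lane-02 serial change, the unregistered lane-03 pad, the lane-02 link drop, and names lane-02 as the lane where the two coincide. Either check alone is useful; the serial check needs the pad to put its serial in each authorization message, and the link check needs the pad on a port the store actually logs.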

But never mind the complicated security techniques: It wouldn't have been possible if the merchants hadn't used free-standing PIN pads that anyone walking in off the street could disconnect and replace in seconds.

A few years ago, thieves like uber-hacker Albert Gonzalez had to know how to tap a wireless connection, break into a network, plant a virus or hack into a database. Now, it's typical for thieves not to bother with the network or the database at all. They just skim cards using compromised POS devices swapped in for PIN pads that the merchant didn't bother to screw down.

That type of crime doesn't take a lot of technical brilliance. But neither does defending against it. And all the expensive—and very useful—network encryption and database security that chains implement to satisfy PCI requirements doesn't do much good when crooks can grab card numbers before they ever get that far.

Welcome to the state of the art in breaches: Five guys with quick fingers and a soldering iron.