A U.K. tradegroup that often speaks for European retailers on payment issues has gone on the record, trying to tone down the crime reports, claiming there is no evidence linking these crimes to either Pakistan or China.
"A very small number of shops have had devices compromised by criminals but not in the way that has been reported," said Mark Bowerman, a spokesperson for APACS, known as the U.K. payments association. Bowerman's version has the devices being taken from the stores, retrofitted with electronic capture devices and then put back. If true, that's a physical tactic seen periodically in the United States and is not especially controversial.
Among the chains that Bowerman confirmed were hit were Asda (owned by Wal-Mart), Tesco and J Sainsbury.
Other than the China claim—which some interpreted as a suggestion that the theft devices were added in at the point of manufacture—the most interesting part of the original story was a clever element of restraint, designed to elude detection. "The device can be told to copy certain types of transactions" such as "five Visa platinum cards or every tenth transaction. It can also be instructed to go dormant to evade detection. On average, only five to 10 card numbers would be phoned in to Pakistan, the person close to British law enforcement said."
The Journal story said the bogus devices weighed about four ounces and that an unexplained additional four ounces of weight is the best way to quickly identify tampered units. Some have questioned that figure, suggesting that four ounces is an awful lot of weight for what is typically a very small transmitter. Bowerman confirmed that the units appear to weigh more, but couldn't confirm the amount of that weight differential.