I thought this to be an interesting article and wanted to share some excerpts.  I've blogged about hardware tampering in the past, (see "Terminal Disease Boosts Fraud") and made mention that one of the benefits of using our tamper-proof PCI 2.x certified device in the privacy of one's own home is the peace of mind in knowing that your PIN number is NOT going to be captured by a rogue PIN Pad...

Anyway, this threat is nowhere near the threat created by "typing" vs. "swiping."  

Until the big brains in the financial industry stop being so stubborn and come to terms with how dumb typing credit/debit numbers into a box on a website is, (and call for the "elimination" of typing) I wouldn't worry too much about this threat.  It's so much easier to use a malicious "soft"ware approach than start tampering with "hard"ware.

Ghosts in the Machine: Attacks May Come From Inside Computers

Information Management Online, August 19, 2009
Shane Kite

The next wave of hacking into computers and stealing data will not be requests or code coming from remote points across the Web, security experts are warning.

Instead, the most sophisticated Trojan Horses appearing on Wall Street financial systems may be threaded into the silicon of integrated circuits by design, their malicious instructions baked right into the tiny physical aspects and intricate mapping of the chip itself, according to scientists and academics working with the National Institute of Standards and Technology, the White House and the Financial Services Information Sharing and Analysis Center in Dulles, Va.

Detecting such malware after a chip is fabricated will be extremely difficult, if not impossible, these experts say, because the microchips that run servers have millions to billions of transistors in them. Adding a few hundred, or even just tens, of transistors can compromise an integrated circuit, serve attackers' purposes and escape notice.

According to the Cyberspace Policy Review released by the White House in May, "documented examples exist of unambiguous, deliberate subversions" of the IT supply chain. While counterfeit products have created "the most visible" problems to date for hardware, the global nature of IT manufacturing has made subversion of computers and networks, through supply chain sabotage via subtle hardware or software manipulations, more feasible.

Law enforcement in Europe uncovered a scam late last year whereby criminals had rigged credit card readers installed at Tesco and other retail outlets there with what was essentially a tiny cell phone that was capturing all the PINs from customers who used their cards on the readers in stores and sending the data through Pakistan, though its ultimate destination remains unknown. Criminals often choose nations with porous security or limited digital forensics practices to route their booty.

"What was interesting about this is that some portion of it really was a supply chain corruption," said Scott Borg, director and chief economist (CEO) at the U.S. Cyber Consequences Unit (US-CCU), an independent, non-profit research institute. Borg's work on securing IT supply chains was cited in the president's cyber policy review.

Borg takes pains, however, to emphasize that the threat of hardware tampering occurring in the private sector remains relatively low. "Malicious software is so much easier and cheaper to distribute," he says.

Plus, the risk is huge. "There's a serious danger that the whole world would stop buying electronics from your country if it was shown that the supply chain was compromised. The main danger here is hardware bargain hunting."



Posted by John B. Frank Wednesday, August 19, 2009
