Chip-and-pin fraud hits European supermarkets

Graham Cluley

If you thought living a secure life was hard enough with email phishing, keylogging spyware, backdoor Trojan horses, wi-fi hijacking and compromised websites, here comes another thing to worry about.

According to British newspaper The Daily Telegraph this weekend, hundreds of chip and pin payment devices in European supermarkets have been tampered with to steal shoppers’ credit card details.

Dr Joel Brenner, the head of the US National Counterintelligence Executive, told the newspaper that chip and pin devices exported to Britain, Belgium, Denmark, Ireland, and the Netherlands were implanted with additional hardware that transmitted credit and debit card data via the mobile phone network to criminals in Lahore, Pakistan.

Hundreds of the tampered devices, which cannot be recognised as dangerous without opening them as there is no external sign of interference, are said to have been found in affected countries, including reportedly at some British branches of Tesco, Asda (a subsidiary of Wal-Mart) and Sainsbury’s. According to reports, supermarkets were weighing chip-and-pin devices to determine if they were compromised or not, as affected machines weighed three to four ounces heavier.

Once hackers had acquired stolen credit card information they did not steal cash or order goods online. Instead, they waited.

Waiting at least two months before making fraudulent withdrawals and payments made it harder for victims to piece together where their details may have been stolen. This undoubtedly meant it took the authorities much longer to identify how the crimes were being committed.

I first heard rumours of this huge data heist a few months ago, when local newspaper reporters called me saying that readers had contacted them, complaining of credit card fraud, but could only identify a particular supermarket branch they shopped in as a common thread.

To hear that the problem may indeed have been nationwide, and indeed a problem across other countries in Europe, puts this crime into a whole new league. There is next to nothing that consumers can do to protect themselves against this type of theft. What are people supposed to do? Take a set of kitchen scales with them when they go shopping and weigh the chip-and-pin machine before they swipe their card?? Buying goods in a respected supermarket should be safe.

Retailers are going to have to do more in future to ensure the integrity of their payment devices is utterly without question, and to guard the supply of such devices from factory to supermarket checkout, or risk losing the confidence of their customers.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.
