Pin-pads usaully are protected in quite sophisticated ways:

1) A simple microswitch on the back cover to detect case entry.

2) The internal electronics are often potted with a highly volatile metallic mesh. as soon as the potting is compromised the mesh fails (like a fuse) and an internal interrupt clears any stored keys etc in the flash. Once cleared the hardware itself if fairly useless. Sometimes a processor module with internal databuses and internal flash is used, giving similar protection to the potting idea

3) A Temerature sensor prevents freezing of the flash (very cold temperatures will prevent the flash being wiped). Once the pin-pad detects a low enough voltage it will erase the stored keys before the temperature drops too low.

4) DPA (differential power analysis) resistant software.

Once the pin-pad case is opened (easy enough, with a sample or two you can find where the case-opening micro-switch is),
you can then sit a simple microcontroller on the key-pad array (can be figured out from a visual inspection) and scan any mag card swipe (a doddle with the hybrid dip/swipe reader, no need for a seperate skimmer).

The data stored will then be a sequence of card swipe data followed by a sequence of key presses, repeated for every card used. The added circuitry could include a simple bluetooth chip to allow collection of harvested data by just walking into a location.

No need to compromise the software on the pin-pads, no need to piggyback on the terminal comms etc.

unencrypted traffic sent over suposedly “secured” network?

Once the units begin collecting card details these are sent abroad and used to withdraw cash.

The Smart 5000 PIN pads have Ethernet ports and an IP stack, so it’s possible the the crooks actually leaked the card details over Shell’s own network. It’s also possible that they fitted a separate wireless communication device within the PIN pads – it would be interesting to know whether there’s enough dead space inside for a GSM terminal.

If these techniques are ruled out, the ‘engineers’ might have returned at a later date to remove the log of customers’ card details, but this isn’t entirely consistent with the wording of the article.

http://www.theinquirer.net/?article=31547

According to our source, a team of shysters has been turning up at petrol stations posing as engineers and taking the Trintech Smart5000 Chip and Pin units away for repair. They have then bypassed the anti-tamper mechanisms and inserted their own card skimmer.

The hoods then return the unit, again posing as an engineer. Once the units begin collecting card details these are sent abroad and used to withdraw cash.

And our source warns the fraud could take place at any site, with any Chip and Pin terminal and trusting staff.

It is impossible for members of the public to distinguish a doctored unit from a standard chip and pin card reader, as the skimmer is inserted inside the unit, unlike with cashpoint card skimmers.

To get around the anti-tamper mechanisms, the fraudsters might have had access to a reset program that would allow them to reset the alarm or they were able to engineer their way round it by using different parts from previous versions of the Smart5000 unit. “Either way,” said our mole, “they were very clever.”

Tut tut and all that, but hey, everyone reads R Anderson security engineering book and the papers from your labs, and we all should know how difficult the practicallity of securiing things is. When not if the true deails are disclosed, it will be interesting to see how legistlation changes to protect the consumer, and whehter APACS are completely lacking in any form of impartiality in terms of governance…silly of me to say that of course, APACS is a concortium of the banks own interest is it not?…