Supply chain attack
Encyclopedia
A supply chain attack is a cryptographic attack where a product, typically a device that performs encryption
or secure transactions, is tampered with during manufacture or while it is still in the supply chain
by persons with physical access
. The tampering may, for example, install a rootkit
or hardware-based spying components.
warned that Chip and PIN
credit card readers used at point of sale
in Europe had been tampered with either where they were manufactured or while in transit to financial institutions. Credit card information intercepted by the rogue devices was being relayed back to criminals in Pakistan and China via the mobile phone network.
According to MasterCard
, the easiest way to identify devices that have been tampered with is to weigh them, as the rogue devices weigh 4 ounces (113.4 g) more than the authentic ones because of the addition of hardware-based spy components.
Encryption
In cryptography, encryption is the process of transforming information using an algorithm to make it unreadable to anyone except those possessing special knowledge, usually referred to as a key. The result of the process is encrypted information...
or secure transactions, is tampered with during manufacture or while it is still in the supply chain
Supply chain
A supply chain is a system of organizations, people, technology, activities, information and resources involved in moving a product or service from supplier to customer. Supply chain activities transform natural resources, raw materials and components into a finished product that is delivered to...
by persons with physical access
Physical access
Physical access is a term in computer security that refers to the ability of people to physically gain access to a computer system. According to Gregory White, "Given physical access to an office, the knowledgeable attacker will quickly be able to find the information needed to gain access to the...
. The tampering may, for example, install a rootkit
Rootkit
A rootkit is software that enables continued privileged access to a computer while actively hiding its presence from administrators by subverting standard operating system functionality or other applications...
or hardware-based spying components.
Description
In October 2008, Dr Joel Brenner of National Counterintelligence ExecutiveOffice of the National Counterintelligence Executive
The Office of the National Counterintelligence Executive directs national counter-intelligence for the United States government and is responsible to the Director of National Intelligence. The Office was established on January 5, 2001 by a directive from President Bill Clinton which also...
warned that Chip and PIN
Chip and PIN
Chip and PIN is the brandname adopted by the banking industries in the United Kingdom and Ireland for the rollout of the EMV smartcard payment system for credit, debit and ATM cards.- History :...
credit card readers used at point of sale
Point of sale
Point of sale or checkout is the location where a transaction occurs...
in Europe had been tampered with either where they were manufactured or while in transit to financial institutions. Credit card information intercepted by the rogue devices was being relayed back to criminals in Pakistan and China via the mobile phone network.
According to MasterCard
MasterCard
Mastercard Incorporated or MasterCard Worldwide is an American multinational financial services corporation with its headquarters in the MasterCard International Global Headquarters, Purchase, Harrison, New York, United States...
, the easiest way to identify devices that have been tampered with is to weigh them, as the rogue devices weigh 4 ounces (113.4 g) more than the authentic ones because of the addition of hardware-based spy components.