It seems that some payment terminals have been rigged with a device that collects card information and sends it “home” (somewhere in Pakistan, apparently). Now, the really interesting part is that this little addition to the terminals seems to have been made during their production process, apparently in China.
The news still needs further confirmation, but if it is true, it gives a whole new meaning to “tamper evident”. The problem here is that, if you tamper with the device early enough (before the seals and other tamper-evidence mechanisms are applied), then there is simply no evidence to find. I am quite sure that these devices are supposed to be built in secure premises somewhere, but somebody’s definition of security was weaker than expected.
What this story shows us is that we should not dismiss vulnerabilities just because they look impossible in “secure premises”. In particular, when most actors claim that loading unverified bytecode into cards is impossible because of the verifications performed in factories, they forget one factor: given the right incentive, most people can take (a small) part in a criminal ring. I am not sure that the guy who actually rigged the devices in China made that much money, but if his factory also makes cards, it should have been possible to ask him to replace a CAP file with another one (with a Trojan, of course).
Of course, this can be considered shameless advertising, since Trusted Labs offers consulting and services about this very problem. But it is also a candid view of what can happen anywhere trust is placed in human beings: social engineering works.