Today, as I was picking up my dry cleaning, I watched the attendant swipe my card through the reader and enter the amount, then ask me to enter my PIN. When I entered my PIN and hit enter, I began to wonder what happens to that information as it's whisked out onto the wire on its way to my bank for authorization. Is it encrypted in any form? Is my PIN hashed before being sent? Or, as I suspected was the most likely answer, is the data sent over the wire in plain text? Hey, I work in information security; these are the things that I worry about.
Well, it turns out my third theory was correct. An article over at The Register talks about a group of scam artists in Thailand who stole credit card information using wiretap equipment, then smuggled the information to Malaysia for encoding onto phony cards. According to the Thai police, an estimated $1.59M was fraudulently charged over a six-month period, while an additional $9.5M in charges is still being investigated.
Another thing that concerns me is that some of these credit card machines don't even use phone lines anymore; they have connections to the internet for performing authorizations. Ideally, these machines would connect to the credit transaction clearinghouse via an encrypted VPN, but given the financial services industry's history of lax security, I doubt that is the case.