The thing I finally saw that made me realize that it was commercial were the plated “via holes”. A homemade board would most likely have used soldered jumpers to connect the top and bottom layers; plating would be a difficult and unnecessary expense for a hobbyist already willing to hand-assemble these circuits.

The expert was from one of the many online services that will collect requests for small custom boards from various private people, combine them all onto a single 10″x15″ production board, then they send that request to a Chinese PCB factory. It takes from 10 to 20 days, and the boards that come back are of commercial quality. Based on size, these would cost about $10-$15 each. He noted this board was “immersion gold” plated (his shop only deals in “immersion silver” plated boards, so he knew it wasn’t his shop that the thieves used.)

So yeah, someone somewhere placed an order for these boards, and evidence of that order is likely to be lying around on someone’s servers. But just as there are many custom circuit board services here in America, I also saw 125 PCB factories listed in a Chinese manufacturing directory, and there are an unknown number of others around the world (there are many factories right here in the USA.) Tracking down a small circuit like this could be a lot of work for an investigator.

I could probably do it if I took a few shots at it, and I’m just a software engineer who dabbles in electronics from time to time. (I likely would have been more qualified back when I was in high school, but SMT technology didn’t exist then.) I also know at least a dozen fellow nerds at work who would be at least up to the challenge. Add in thousands of ham radio operators who’ve been building circuits their whole lives, and it wouldn’t surprise me at all to learn that 100,000 people in this country would be capable of creating these devices if they had to.

As far as fear of “recognizing the craftsmanship” goes, the software to design these boards is cheap and common, and every board they crank out out looks pretty much like every other board. It’s all drag and drop to grid lines – mad skills are not required. It also wouldn’t surprise me to learn if the board Brian pictured was based on a reference schematic for the chip. That’s a part of why I’d feel confident that a hobbyist could build these – all the necessary info is out there.

If the criminal wanted, they could also outsource the board manufacture to a shop. There are on line stores where you simply upload your Eagle files, type in your credit card number, and wait for the box to arrive in the mail. With no components or schematics specified or needed, there is no way for the board makers to know if a board is destined to be used for good or evil. But a custom manufactured board could leave big footprints right back to the criminals, and I’m guessing they wouldn’t be that bold. There aren’t very many online shops, and all of them would likely cooperate with the authorities.

I was somewhat surprised that the chip didn’t appear to be an Atmega CPU, as there are literally a million Atmega based developer boards out in the world today. They are the the most accessible, friendliest development platforms around, and can be had at Radio Shack for $30. You can head to http://arduino.cc to learn more about this phenomenon.

The excess of unused pins on the CPU leads me to think it was an amateur who designed the circuit instead of a seasoned professional. Wasting that much capability makes me think they are building it based on the one chip they know (perhaps studied in school), instead of selecting the right sized chip for the job.

As far as the criminal organizations go, we’ve caught professional theft rings who distributed “shoplifting lists” to low-level junkies who do the actual stealing (stolen razor blades go for $8/pack, stolen Tylenol goes for $3/bottle, etc.) Organized gangs already know exactly how to spread their risk to avoid capture at the higher levels, and they know how to get desperate people to steal things like card readers off of countertops, or to walk into a store and push a few buttons on a special phone.

It shouldn’t take too much imagination to picture one of these many thousands of capable electronics amateurs hooking up with some of these professional criminals.

Your guess is that the physical evidence and craftsmanship being so common makes it untraceable?

I guess I just look at it like this:

Say I learn how to cut and sodder my own board, add a blue tooth component, add custom data encryption, design the board to fit in retail machines, and then wirelessly collect the data and sell it. That’s a lot to learn…I’d put my money on this guy (or this team) knowing this stuff over time. Meaning he had or has a job doing some of this for a living legitimately. Otherwise, it might really be a kid in a basement.

I guess when I think about putting myself in the shoes of this person I’d be more fearful of the physical evidence. Forget about finger prints. I’d worry that someone in the industry would recognize my craftsmanship, my training, my methods.

The parts, tools, and knowledge don’t seem all that common to me. For example, although it’s possible to convert your car to run on diesel fuel, who does that? I don’t know anyone that does that. But if a crime were committed using a car with a diesel fueled engine, I’ll bet most people would immediately think of their goofy 3rd cousin that they know does that sort of thing and start to put two and two together.

I’m guessing the builder of the circuit is also the guy who implants the bugs. He started by having a talented thief steal a few working PIN pads from a retailer. He designed, built, and added the bugs to them. He then sent his co-conspirator back out to the original stores to swap the existing devices for the bugged ones, giving him a pool of clean devices with which to expand his scheme.

He probably now sends out “mules” to do the dirty work of swapping devices to infect new stores, as well as visiting the existing stores every few days to download the latest data. He probably pays them on a per card basis. But the mules can’t be trusted to not make their own copies of the data and sell or use it. It would be bad if they did, as they’d be much more likely to get caught and blow the scheme.

So the builder is the only guy with the secret decryption key. He pays the mules for the encrypted data, then he markets the track data on a darknet and collects the profits.

The Bluetooth module (the one with the screened number and metal shield) was a separately purchased component, soldered on to the homemade board. You can buy them in quantity here: http://www.alibaba.com/showroom/bluetooth-smt-module.html

The CPU on the back side of the board has a lot of unused pins, which makes me think the builder purchased whatever chip he could get for dirt cheap. Perhaps they were old phone CPUs desoldered and recovered from recycled electronics in Shenzhen (which are really cheap, and cash walks.) Impossible to tell from the out of focus pictures of the chips.

It’s not that difficult to create a decent quality circuit board at home. They can be produced with a few freely available software tools, a laser printer, and some stuff from Radio Shack. Any recent E.E. graduate could do it, as well as a lot of ordinary hobbyists.

Here are some home-grown projects and tutorials that will give you an idea of just how accessible this stuff is:
http://hackaday.com/tag/surface-mount/
http://hackaday.com/tag/stencil/
(I was especially amused by the Manga comic on soldering SMT components.)

They once delivered us terminals that had the tamper detectors completely disabled. They could have been opened while being powered up – and they did nothing with this. You could have attached probes to the live terminal.

French junk.

If you are encrypting the data before sending it on it’s journey, it does not matter if the link is secured or not.

I would assume, that any legit POS systems would also be required to encrypt the data before putting it on the airwaves.

This makes the security of bluetooth as a channel irrellevant. If your data is encrypted you could send it over an open wifi, it would still be encrypted ie secure.

The cashier usually isn’t told the difference between a “denied – NSF” and a “denied – stolen card” situation. It’s certainly not the cashier’s job to confront or accuse a customer.

The processor is in a position to see multiple “decline-stolen” responses on a single transaction, and their fraud detection logic could flag further responses as “suspicious”, but there’s only so much they can do.