… and in this week’s news…. A large supermarket chain reported that approximately twenty locations had their card readers compromised, resulting in dozens of instances of account fraud.

This attack was not terribly different from the one reported by Michael’s earlier this year. The attack was carried out by individuals who were knowledgeable about the POS systems, in this case purportedly the POS systems in the self-checkout lanes.

Credit/debit card skimmers are typically small devices, such as a circuit board with memory chips, that read card data and capture the numbers entered into PIN pads. In the supermarket’s case, the cardholder data was then transmitted via Bluetooth, most likely to ‘collector’ devices outside the store.

The successful skimming attacks at larger retailers are usually a result of a well-coordinated crime ring. The ringleaders hire ‘flackies’ to insert skimmers in the equipment or to replace the equipment.  They are the ‘in the trenches’ criminals who know how to modify or replace POS devices quickly – think of an auto theft ring where the first action is to steal the car.

The criminals then hire the counterfeit specialists who turn the stolen data into counterfeit cards (with the PIN, if they have it, taped to the counterfeit card). Think of these guys as the ‘chop shop’.

The third phase is to partner with the ‘cash out’ flunkies, who use the cards at ATMs or other POS systems to turn the stolen cards into stolen cash or products that are easily resold, such as consumer electronics. Think of the guys moving the disassembled auto parts. These actions all take place within a short time window so that the ring is in and out before fraud detection systems catch on.

In the spring blog post, I commented that high volume retailers, food chains, and other high-velocity transaction points are less likely to experience compromises at POS devices, because those devices get more attention and coverage from staff. By contrast, unattended payment terminals, lower volume locations, and locations where employees must multi-task or are consistently drawn away from the POS devices (including craft stores, convenience stores and one-person retail operations) are susceptible to this type of fraud, since device swapping can occur without observation. Let’s now also add self-checkout POS devices to the list….

How do those criminals do it? Often, the ‘flackies’ will work together to distract employees away from the POS terminal, so that the swap can be made without the employees’ knowledge. Other times, the criminals simply replace the pad when staff leave the terminals unattended. Some fraudsters use social engineering to make the swap, such as posing as a POS repair technician. Some criminals resort to collusion with employees (i.e. employees get a cut of the action), or even use threats of violence to get the devices replaced.

The PCI Security Standards Council has created PIN entry device security standards which require PIN pads to include technology that prevents tampering or makes tampering evident. Unfortunately, many companies do not have processes in place to ensure that employees are aware of how to check for tampering.  In addition, fraudsters have learned to circumvent this control by completely swapping out the devices.

Even new technologies such as end-to-end encryption (which encrypts cardholder data at the swipe) and chip and PIN are not immune to this type of attack. For example, some fraudsters get around Europay, MasterCard and VISA (EMV) by disabling the part of the POS device that reads the chip, and then the customer is forced to swipe their card to make the transaction.

In This Case… Be ‘Unlucky’

What can you do to help reduce the probability of unauthorized PIN pad swaps, or to reduce the potential duration of such an attack? Most of these suggestions were posted in my previous post, but I have fine-tuned the list to keep up with the times.

1. Be prepared for social engineering attacks – Do not trust anyone who just shows up to replace your card terminals. If you did not specifically ask to have a POS device repaired or replaced, there is a reasonable chance nefarious activity is afoot. Your acquiring bank, processor or POS/PIN pad maintainer should always notify you of any terminal replacement BEFORE they show up on site. In addition to being skeptical of any service person who appears out of nowhere to “fix” your terminals, do your homework to ensure that notifications for replacing your equipment are legitimate. You should provide periodic training to store personnel to keep them on the lookout for nefarious activities. This is critical – there is always a need to improve awareness, and there is no cost associated with driving this communication to store personnel.

2. Be PCI compliant – Retailers should adhere to the PCI Data Security Standard at all locations, including every retail store. In addition, retailers should ensure that their PIN entry devices adhere to the PCI standard. Compliance mandates that PIN pads be tamper-resistant, tamper-proof and tamper-evident.

3. Be vigilant – “Gone in 60 Seconds” is not only a movie, but also could be about how long it takes for an experienced criminal to swap out your PIN pad. What are you doing to make this endeavor more difficult for attackers?

4. Communicate with your POS and PIN pad vendor – They will be up to speed on recent trends and potential nefarious activities. Make sure that you are the one to drive these communications as many of these vendors may not have an established program in place to proactively reach out to their user base.

5. Implement daily processes to check for evidence of tampering or swapping – Create daily checklists that have employees check for evidence of tampering and to verify inventory of POS devices. An inventory may include device type, location, and serial number. You may also consider using serialized security tape, decals or stickers on seam openings of card terminals or other detective controls. Make sure that your employees who perform the periodic checks know what to look for when searching for evidence of tampering!

6. Have strong change management controls in place – This goes without saying. Any changes of POS equipment should go through the proper approval channels. When in doubt, always contact the centralized entity responsible for management of your POS systems (sometimes this is store operations, sometimes it is your POS vendor, and sometimes it is an ISO or other third party).

7. Implement technical controls to prevent swapping (if possible) – Some POS systems may be configured to communicate with a unique/dedicated PIN pad. These systems may be configured to prevent a full PIN pad swap.

8. Assess the risks – PCI requires that companies perform an annual risk assessment. Retailers should include a review of the POS environment as part of this risk assessment. Consider hiring a third-party organization to perform the security review. You might unveil a pattern in which employees are routinely leaving POS devices unattended and open to theft or tampering.

9. Have a plan – Make sure your employees have a process to follow if they discover any evidence of tampering or swapping. This may include an email/phone call to your security team, to your acquiring bank and/or to whoever is responsible for maintaining POS systems and PIN pads. This should be part of your current Incident Response plan. Remember to test this plan regularly!

10. Refine technical controls for better monitoring – If your POS terminals are on your network, monitor your terminals for disconnections. You may also be able to monitor whether a PIN pad has been disconnected from a POS terminal. Create alerts when these types of activities occur. Of course, this will only work for organizations that have event management in place and that rarely disconnect POS terminals; in that setting, any such alert is an indication that something abnormal has occurred and should be investigated.

11. What happens after-hours? If you have a ‘night crew’ for janitorial services or inventory control/restocking, make sure that you have controls in place to protect and monitor your POS systems. This includes anything from employment pre-screening (if they are employees), reading/acknowledging a policy that forbids use of or tampering with PIN pads, supervision of the crew, and/or morning-after checklists. If the night crew is contracted, make sure that your contract protects you from crew misdeeds.

12. ATMs and kiosks – Many people think that devices like ATMs and kiosks are “super secure” because they are boxed and locked, but the reality is that they are just as exposed as any other device if proper controls are not in place. Any entity that has these devices in their environment should include them in their on-going monitoring plan.
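Tips 5, 6 and 10 above (a daily serial-number inventory, change approval for any device replacement, and alerts on PIN pad disconnects) can be tied together in a small reconciliation script. The following is an added example written for this post, not code from the original author or from any POS vendor: it compares the serials recorded during a daily check against an approved device register and a list of approved change tickets, and scans a feed of POS connection events for disconnects that fall outside an approved maintenance window or are never followed by a reconnect. The store and lane ids, serial numbers, ticket number, event line format and maintenance window are all constructed sample data; a real deployment would pull the register from its POS management system and the events from its event management platform.

```python
"""Reconcile PIN pad inventory and connection events against approved state.
Added example; all ids, serials, tickets and log lines are constructed."""
from dataclasses import dataclass
from datetime import datetime

# Approved register: the PIN pad serial expected at each lane (constructed).
APPROVED_REGISTER = {
    "store-042/lane-01": {"model": "PAD-X", "serial": "SN-1001"},
    "store-042/lane-02": {"model": "PAD-X", "serial": "SN-1002"},
    "store-042/self-checkout-03": {"model": "PAD-X", "serial": "SN-1003"},
}

# Approved change tickets: (lane, old serial, new serial) -> ticket id.
# A serial change without a matching ticket is treated as an unapproved swap.
APPROVED_CHANGES = {
    ("store-042/lane-02", "SN-1002", "SN-2002"): "CHG-0117",
}

# What an employee recorded during today's daily check (constructed).
DAILY_CHECK = {
    "store-042/lane-01": "SN-1001",
    "store-042/lane-02": "SN-2002",           # approved swap, ticket CHG-0117
    "store-042/self-checkout-03": "SN-9999",  # unknown serial, no ticket
}

# Constructed POS event lines: "<ISO timestamp> <lane> <event>".
SAMPLE_EVENTS = [
    "2024-03-04T06:58:00 store-042/lane-02 pinpad_disconnected",
    "2024-03-04T07:05:00 store-042/lane-02 pinpad_connected",
    "2024-03-04T14:21:00 store-042/self-checkout-03 pinpad_disconnected",
    "2024-03-04T14:22:10 store-042/self-checkout-03 pinpad_connected",
    "2024-03-04T22:40:00 store-042/lane-01 pinpad_disconnected",
]

# Approved maintenance windows: (lane, start, end). Only lane-02 had one.
MAINTENANCE_WINDOWS = [
    ("store-042/lane-02", datetime(2024, 3, 4, 6, 30), datetime(2024, 3, 4, 7, 30)),
]


@dataclass
class Alert:
    lane: str
    kind: str
    detail: str


def reconcile_inventory(observed):
    """Compare observed serials (lane -> serial) with the approved register."""
    alerts = []
    for lane, expected in APPROVED_REGISTER.items():
        seen = observed.get(lane)
        if seen is None:
            alerts.append(Alert(lane, "missing", "no device recorded during daily check"))
        elif seen != expected["serial"]:
            # A changed serial is fine only if a ticket approved that exact swap.
            ticket = APPROVED_CHANGES.get((lane, expected["serial"], seen))
            if ticket is None:
                alerts.append(Alert(lane, "unapproved_swap",
                                    f"expected {expected['serial']}, found {seen}, no change ticket"))
    for lane, seen in observed.items():
        if lane not in APPROVED_REGISTER:
            alerts.append(Alert(lane, "unknown_device", f"serial {seen} at unregistered lane"))
    return alerts


def parse_event(line):
    """Parse one constructed event line into (timestamp, lane, event)."""
    ts, lane, event = line.split(maxsplit=2)
    return datetime.fromisoformat(ts), lane, event.strip()


def disconnect_alerts(lines, maintenance_windows):
    """Flag disconnects outside an approved window and devices left disconnected."""
    alerts = []
    open_disconnects = {}  # lane -> time of the disconnect not yet reconnected
    for line in lines:
        ts, lane, event = parse_event(line)
        if event == "pinpad_disconnected":
            in_window = any(w_lane == lane and start <= ts <= end
                            for w_lane, start, end in maintenance_windows)
            if not in_window:
                alerts.append(Alert(lane, "disconnect_outside_window",
                                    f"disconnect at {ts.isoformat()} with no maintenance window"))
            open_disconnects[lane] = ts
        elif event == "pinpad_connected":
            open_disconnects.pop(lane, None)
    # Anything still open at the end of the feed deserves a physical check.
    for lane, ts in open_disconnects.items():
        alerts.append(Alert(lane, "still_disconnected",
                            f"disconnected since {ts.isoformat()}, no reconnect seen"))
    return alerts


if __name__ == "__main__":
    for alert in reconcile_inventory(DAILY_CHECK) + disconnect_alerts(SAMPLE_EVENTS, MAINTENANCE_WINDOWS):
        print(f"[{alert.kind}] {alert.lane}: {alert.detail}")
```

Run as-is, the script reports one unapproved swap at the self-checkout lane (lane-02’s new serial is covered by its ticket) and three connection alerts: the afternoon disconnect at the self-checkout lane, the late-evening disconnect at lane-01, and the fact that lane-01 never reconnected. Each of those is a prompt for the process in tip 9, not proof of a skimmer; the value of the script is that it turns a silent swap into something someone is obliged to go and look at.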

Improving your security posture is an incremental exercise – an ounce of prevention is worth a pound of cure. Determine which of these tips will work best for your organization – the more you can do to proactively protect your POS environment, the better chance you have of being ‘unlucky’!

What steps have you implemented to protect your customers’ data? Have you experienced any attacks like those described above? We’d love to hear from you and get your comments as they will help others.