Michael’s stores have reported that debit card information was compromised from nearly 90 stores in 20 states stretching from Rhode Island to Washington. The breach was first discovered in the Chicago area, where victims reported suspicious debit card activity. The customers’ debit cards were allegedly copied during recent transactions at local area Michael’s craft stores. Investigators believe legitimate PIN pads were swapped out for PIN pads that skim and collect card details.

As a precautionary measure, Michael’s has removed over 7,200 PIN pads from almost 1000 U.S. stores and will be replacing them in the near future. In addition, PIN pads in Michaels’ Canadian locations are being screened as well.

High-volume retailers, food chains and other high-velocity transaction points are less likely to experience compromises at POS devices, because those devices receive more attention and coverage. Unattended payment terminals, lower-volume locations, and locations where employees must multi-task or are constantly drawn away from the POS devices (including craft stores, convenience stores and one-person retail operations) are susceptible to this type of fraud, since a device swap can occur without being observed.

These crimes typically occur at a single store, or in some cases if the criminals are well organized, at several locations. Often, teams of crooks will work together to distract employees away from the POS terminal, so that the swap can be made without the employee’s knowledge. Other times, the criminals simply replace the pad when staff leaves the terminals unattended. Some fraudsters use social engineering to make the swap, such as posing as a POS repair technician. Some criminals resort to collusion with employees, or even use threats of violence to get the devices replaced.

The PCI Security Standards Council has created PIN entry device security standards which require PIN pads to include technology that prevents tampering or makes tampering evident. Unfortunately, many companies do not have processes in place to ensure that employees are aware of how to check for tampering. In addition, fraudsters have learned to circumvent this control by completely swapping out the devices.

Even new technologies such as end-to-end encryption (which encrypts cardholder data at the swipe) and chip and PIN are not immune to this type of attack. For example, some fraudsters get around Europay, MasterCard and VISA (EMV) by disabling the part of the POS device that reads the chip, and then the customer is forced to swipe their card to make the transaction.

Lessons Learned

What can you do to help reduce the probability of unauthorized PIN pad swaps or to reduce the potential duration of such an attack?

  • Be Prepared for Social Engineering Attacks – Do not trust anyone who just shows up to replace your card terminals. If you did not specifically ask to have a POS device repaired or replaced, there is a reasonable chance nefarious activity is afoot. Your acquiring bank, processor or POS/PIN pad maintainer should always notify you of any terminal replacement BEFORE they show up on site. In addition to being skeptical of any service person who appears out of nowhere to “fix” your terminals, do your homework to ensure that notifications for replacing your equipment are legitimate. You should provide periodic training to store personnel to keep them on the lookout for suspicious activity. This is critical – there is always a need to improve awareness, and there is no cost associated with driving this communication to store personnel.
  • Be PCI Compliant - Retailers should adhere to the PCI Data Security Standard at all locations, including retail locations. In addition, retailers should ensure that their PIN entry devices adhere to the PCI standards. Compliance mandates that PIN pads be tamper-resistant, tamper-proof and tamper-evident.
  • Implement Daily Processes to Check for Evidence of Tampering or Swapping – Create daily checklists that allow employees to check for evidence of tampering and to verify the inventory of POS devices. An inventory may include device type, location and serial number. You may also consider using serialized security tape, decals or stickers over the seam openings of card terminals, or other detective controls.
  • Implement Controls to Prevent Swapping - Some POS systems may be configured to communicate with a unique/dedicated PIN pad. These systems may be configured to prevent a full PIN pad swap.
  • Assess the Risks – PCI requires that companies perform an annual risk assessment. Retailers should include a review of the POS environment as part of this risk assessment. Consider hiring a third-party organization to perform the security review. You might unveil a pattern in which employees are routinely leaving POS devices unattended and open to theft or tampering.
  • Have a Plan – Make sure your employees have a process to follow if they discover any evidence of tampering or swapping. This may include an email/phone call to your security team, to your acquiring bank and/or to whoever is responsible for maintaining POS systems and PIN pads.
  • Refine Technical Controls for Better Monitoring – If your POS terminals are on your network, monitor them for disconnections. You may also be able to detect when a PIN pad is disconnected from a POS terminal. Create alerts for these events. This will only work for organizations that have event management in place and that rarely disconnect POS terminals, but in such an environment any disconnect alert is an indication that something abnormal has occurred and should be investigated.
  • What Happens After-Hours? If you have a ‘night crew’ for janitorial services or inventory control/restocking, make sure that you have controls in place to protect and monitor your POS systems. This includes anything from employment pre-screening (if they are employees), reading and acknowledging a policy that forbids use of or tampering with PIN pads, supervision of the crew, and/or morning-after checklists. If the night crew is contracted, make sure that your contract protects you from misconduct by the crew.
  • ATMs and Kiosks – Many people think that devices like ATMs and kiosks are “super secure” because they are boxed and locked, but the reality is that they are just as exposed as any other device if proper controls are not in place. Any entity that has these devices in their environment should include them in their ongoing monitoring plan.

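The inventory checklist and disconnect-monitoring tips above can be tied together in a small detection routine. The example below is added here and is not code from the original post or from any POS vendor: it assumes a POS controller that logs PIN pad connect/disconnect events with a serial number (the log format and the inventory are constructed sample data), and it alerts on every disconnect, flags after-hours disconnects separately, and reports any PIN pad that reconnects to a lane with a serial other than the one on the inventory, which is the signature of a swap.

```python
import re
from datetime import datetime

# Expected PIN pad inventory, (store, lane) -> serial. Constructed sample data.
INVENTORY = {
    ("0421", "lane01"): "PP-1001",
    ("0421", "lane02"): "PP-1002",
    ("0421", "lane03"): "PP-1003",
}

# Constructed POS controller log lines; the field layout is an assumption,
# not the format of any real POS product. Lane 02 sees a swap, lane 03 is
# unplugged after hours and then the original pad is reconnected.
SAMPLE_LOG = """\
2011-05-02T09:00:05 store=0421 lane=lane01 event=pinpad_connect serial=PP-1001
2011-05-02T14:12:40 store=0421 lane=lane02 event=pinpad_disconnect serial=PP-1002
2011-05-02T14:13:10 store=0421 lane=lane02 event=pinpad_connect serial=PP-9XZ7
2011-05-02T22:31:00 store=0421 lane=lane03 event=pinpad_disconnect serial=PP-1003
2011-05-02T22:33:15 store=0421 lane=lane03 event=pinpad_connect serial=PP-1003
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) store=(?P<store>\S+) lane=(?P<lane>\S+) "
    r"event=(?P<event>\S+) serial=(?P<serial>\S+)$"
)


def analyze(log_text, inventory, business_hours=(8, 21)):
    """Return (kind, store, lane, detail) alerts for the given log text."""
    alerts = []
    open_hours = range(business_hours[0], business_hours[1])
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            alerts.append(("unparsed", "", "", line))  # never drop odd lines silently
            continue
        key = (m["store"], m["lane"])
        ts = datetime.fromisoformat(m["ts"])
        if m["event"] == "pinpad_disconnect":
            # In a shop that rarely unplugs pads, every disconnect deserves a ticket;
            # after-hours ones (night crew window) get their own alert kind.
            kind = "disconnect" if ts.hour in open_hours else "disconnect_after_hours"
            alerts.append((kind, *key, m["serial"]))
        elif m["event"] == "pinpad_connect":
            expected = inventory.get(key)
            if expected is None:
                alerts.append(("unknown_lane", *key, m["serial"]))
            elif m["serial"] != expected:
                # A reconnect with a different serial is the swap indicator.
                alerts.append(("serial_mismatch", *key,
                               f"expected {expected}, saw {m['serial']}"))
    return alerts
```

Run `analyze(SAMPLE_LOG, INVENTORY)` to see the three alerts the sample produces; the inventory dictionary is the same serial list the daily checklist item asks you to maintain.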
Improving your security posture is an incremental exercise – an ounce of prevention is worth a pound of cure.  Determine which of these tips will work best for your organization and craft an implementation strategy.