Crooks are devising simpler, less expensive — and less obvious — methods of stealing card data from merchants.
Their technique, called skimming, has typically involved placing a camouflaged reader over a merchant's terminal. The reader records payment data during a card swipe and allows the data also to be read by the terminal. Newer methods hide skimming equipment inside the terminal, rendering the tampering nearly invisible.
Because fraudsters are refining their techniques, "a lot of card skimming goes under the radar," Troy Leach, the chief technology officer of the Payment Card Industry Security Standards Council, said in a presentation at SourceMedia Inc.'s ATM, Debit & Prepaid Forum in Phoenix. (SourceMedia also publishes American Banker.)
These new techniques involve deeper access to the payment terminals, so fraudsters sneak in by posing as service personnel.
"We are seeing a tremendous rise of fraud from [people impersonating] 'service providers' who come into retail operations to interfere with payment terminals," he said. They even leave behind bogus business cards and thick "instruction manuals" that fooled business owners and employees, Leach said during the Oct. 5 presentation.
Many card-skimming attacks go undetected initially because of the sheer scale of the theft — "several hundred or a thousand" credit or debit card account numbers are lifted at a time, which are then used at other merchants or sold online to third parties, Leach said, making it difficult to determine where the data was stolen.
Merchants and payment-services providers should immediately increase their awareness of rising terminal-fraud threats and take steps to minimize card-skimming exposure, Leach warned. The merchants whose terminals were compromised may not be directly liable for card-skimming losses, but the potential "loss of trust from issuers, networks and customers" is a big risk, he said.
Gasoline stations and other unattended payment terminals are most vulnerable to invasive card-skimming attacks, but staffed point of sale retail outlets also are becoming common targets, Leach said. Skimming devices are often paired with a hidden camera to steal the user's PIN as it is typed into the terminal's keypad, and criminals are growing more adept at installing these cameras.
One of the fastest-growing areas of terminal fraud is the use of "rogue" devices, the term for equipment installed within a payment terminal to intercept card-account data, Leach said.
Clues that crooks have installed a rogue device include the application of a fake label or sticker, often as small as a dime, on the outside of the terminal. Such stickers appear to carry legitimate serial numbers and look reassuringly official, but their true purpose is to conceal drill holes or other criminal entry points in the terminal.
"Rogue devices typically have an invalid serial number, but merchants can always verify whether the [true] internal serial number matches the [fake] sticker on the back of the device," Leach said. "Fraudsters can quite easily drill into a terminal, implant a rogue device and put a [bogus] sticker on the back, hiding the skimmer."
Skilled card-skimming criminals can reconfigure a payment terminal in less than 60 seconds, Leach said.
Besides implanting their own hardware in terminals, criminals often install rogue devices nearby, splicing them into payment terminal network connections.
These various devices typically appear in retail establishments where staff members often are away from the point of sale, enabling criminals to install equipment to record and decrypt cardholder data.
To prevent such attacks, merchants should routinely inspect payment terminals to check for changes in the screws or seams and to ensure there have been no changes in serial numbers or other labels on the devices.
"These devices are often lying there in plain sight next to the cashier, but no one at the store is educated as to what the legitimate point of sale equipment looks like," so the rogue devices do not raise suspicions, he said.
"Employees should know the legitimate stickers, devices and cables and make managers aware of any changes they see," Leach said.
Telephone exchanges in shopping malls and Wi-Fi networks in heavy-traffic areas are another area of concern, Leach said. Crooks recently installed devices to capture cardholder data within telephone-network systems inside malls, he said.
"These are middleman attacks outside of a merchant's direct control, but merchants should be aware that fraudsters can get into the walls of malls," Leach said. Merchants may need help from third-party card-security firms to detect such telephone and network exposure, he added.
Unattended payment kiosks also are becoming vulnerable to crooks as well.
"In malls where we are seeing more unattended kiosks with payment terminals, fraudsters are putting lines into the USB ports and compromising the firmware in order to capture card data," Leach said, stressing that providers should physically block access to such terminal data ports, where possible.