Card-Skimming Attacks On The Rise, Says Security Standards Council Expert

Card-skimming attacks are on the rise this year as crooks devise relatively simple, inexpensive new ways to compromise payment terminals, the Payment Card Industry Security Standards Council’s top technology executive told attendees last week at SourceMedia Inc.’s ATM, Debit & Prepaid Forum.

“We are seeing a lot of attacks aimed at capturing PINs, ... and a lot of card-skimming goes under the radar,” Troy Leach, the council’s chief technology officer, told attendees at an Oct. 5 forum presentation in Phoenix. SourceMedia publishes ISO&Agent Weekly.

Many card-skimming attacks go undetected initially because merchants are losing “several hundred or a thousand” credit or debit card account numbers at a time, and it often is difficult to connect the attack with subsequent fraudulent transactions after the purloined data are sold to third parties, Leach said.

Going Rogue

Merchants and payment-services providers should immediately increase their awareness of rising terminal-fraud threats and take steps to minimize card-skimming exposure, Leach warned. Merchants may not be directly liable for card-skimming losses, but the “loss of trust from issuers, networks and customers” is a big risk to merchants, he noted.

Gasoline stations and other unattended payment terminals are most vulnerable to invasive card-skimming attacks, but staffed point-of-sale retail outlets also are becoming common targets, Leach said.

One of the fastest-growing areas of terminal fraud is implantation of “rogue” devices, which criminals install within a payment terminal to intercept card-account data, Leach said. Increasingly, the devices are so small they are difficult to detect within a terminal.

Clues that crooks have installed a rogue device include the application of a fake label or sticker, often as small as a dime, on the outside of the terminal. Such stickers often appear to carry legitimate product serial numbers and look reassuringly official, but their true purpose is to conceal drill holes or other criminal entry points in the terminal.

“Rogue devices typically have an invalid serial number, but merchants can always verify whether the [true] internal serial number matches the [fake] sticker on the back of the device,” Leach said. “Fraudsters can quite easily drill into a terminal, implant a rogue device and put a [bogus] sticker on the back, hiding the skimmer.”

Skilled card-skimming criminals can reconfigure a payment terminal in less than 60 seconds, Leach said.

Besides implanting bogus devices within terminals, criminals often install rogue devices near terminals, splicing them into payment terminal network connections. Criminals also are growing more adept at installing hidden cameras near payment terminals to capture PIN data, Leach said.

These various devices typically appear in retail establishments where staff members often are away from the point of sale, enabling criminals to install equipment to record and decrypt cardholder data.

To prevent such attacks, merchants should routinely inspect payment terminals to check for changes in the screws or seams and to ensure there have been no changes in serial numbers or other labels on the devices.

“Beware of unfamiliar gear appearing at night attached to terminals near cash registers or network equipment,” Leach said. “These devices are often lying there in plain sight next to the cashier, but no one at the store is educated as to what the legitimate point-of-sale equipment looks like,” so the rogue devices do not raise suspicions, he said.

Bogus “service” personnel are another source of rogue devices installed at retail locations to capture cardholder data, Leach said. “We are seeing a tremendous rise of fraud from [people impersonating] ‘service providers’ who come into retail operations to interfere with payment terminals,” he said.

In some cases, criminals claiming to represent a card-services provider have installed card-skimming devices in broad daylight, leaving behind bogus business cards and thick “instruction manuals” that fooled business owners and employees, Leach said.

To prevent such attacks, merchants should not admit any unverified service personnel, should keep an inventory of the correct serial numbers of payment terminals handy, and should train personnel to monitor point-of-sale equipment, including cables leading to and from the terminals, for any changes, he said. “Employees should know the legitimate stickers, devices and cables and make managers aware of any changes they see,” Leach advised, adding it also would be wise to conduct background checks on employees, wherever possible, to help ensure they are not likely to cooperate with crooks to install bogus equipment.

Some Threats Not Obvious

Merchants also should ensure there is a “safe” process in place for employees to report suspicious internal activities. “Many staff members can be targeted [by crooks] with threats and bribery, and while most internal threats happen at the manager or senior-management level, detection usually occurs through a lower-level [employee],” so it is critical that employees feel secure in reporting suspicious activities, Leach said.

Telephone exchanges in shopping malls and Wi-Fi networks in heavy-traffic areas are another area of concern, Leach said. Crooks recently installed devices within telephone-network systems to capture cardholder data inside malls, he said.

“These are middleman attacks outside of a merchant’s direct control, but merchants should be aware that fraudsters can get into the walls of malls,” Leach said. Merchants may need help from third-party card-security firms to detect such telephone and network exposure, he added.

Unattended payment kiosks also are becoming vulnerable to crooks, who are discovering new ways to invade them.

“In malls where we are seeing more unattended kiosks with payment terminals, fraudsters are putting lines into the USB ports and compromising the firmware in order to capture card data,” Leach said, noting that providers should physically block access to such terminal data ports, where possible.

