While the investigation continues into how thieves managed to steal funds from consumers’ debit card accounts by tampering with PIN-pad terminals at 80 outlets of Michaels Stores Inc., payment-security experts say many merchants’ terminals probably remain exposed to similar sophisticated attacks.
The Irving, Texas-based national crafts-store chain revealed on May 5 that crooks had tampered with at least 90 of its payment terminals in stores in 20 states. The company also says some credit card account numbers may have been exposed in the attack.
The tampering reportedly began as early as February or March, and in early May law-enforcement authorities and banks contacted Michaels about unauthorized ATM withdrawals from accounts of consumers who had made purchases with debit cards in its stores earlier this year.
Michaels has released no details about how the breach occurred, but a spokesperson tells ISO&Agent Weekly that the number of affected customers’ debit accounts is holding steady at “fewer than 100.” The company says it is working to replace all affected terminals by the end of the month and believes all transactions conducted now at Michaels stores are safe.
But many questions remain for merchants whose payment terminals supposedly were designed to prevent such breaches.
All U.S. payment terminals certified by the Payment Card Industry Security Standards Council are designed to be tamper-resistant, the organization says. Moreover, the council’s PIN Transaction Security standard dictates that all payment terminals have strong physical and logical security, including elements to determine whether someone has tampered with terminals, a council spokesperson says.
The council in 2009 also released recommendations and guidelines to guard against illegally skimming card data from payment terminals, but the organization has acknowledged that thieves are pursuing new approaches to stealing data at various points in the payment cycle.
Advanced data-encryption systems and upgraded payment terminals are useless against criminals who have devised new ways to capture data in terminals as cards are swiped, Jose Diaz, director of technical and strategic business development for data-security firm Thales e-Security Inc., tells ISO&Agent Weekly.
And while it is impossible to protect against unknown new tampering schemes, many merchants still lack basic processes to determine whether terminal tampering has occurred, Diaz says.
“Fraudsters have become very sophisticated at taking payment terminals apart and figuring out ways to capture payment card data and PINs,” he says. And while no expert can imagine what these criminals will think of next, “there is a major gap in the fact that most merchants lack solid processes for securing terminals so thieves can’t get their hands on terminals in the first place.”
Some merchants have “locked down” terminals to make them difficult to remove from stores, Diaz says. But many merchants’ terminals are not securely bolted to counters, so they are relatively easy to remove from the store overnight without detection, he contends.
“A lot of the security surrounding payment terminals has to do with protecting access to terminals after hours and by the wrong people,” Diaz says. He suggests merchants could “do a lot more” to ensure no one tampers with their terminals.
“Payment-terminal security is a very comprehensive task, and it’s more than just assuming the terminal cannot easily be broken into,” Diaz says. “The challenge is installing terminals in such a way, and in locations, that they cannot be accessed by criminals. And the other element is installing terminals in such a way that if they are attacked, it will be detected somehow by cameras or other security or tracking systems.”
Merchants can secure equipment in their stores by creating routines to check terminals to search for signs of tampering and by training personnel to look for unusual activities surrounding payment terminals.
“It may be impossible to completely prevent fraud, but there is a lot merchants can do in their basic store setups and routines to prevent it,” Diaz says.
