The Green Sheet Online Edition
June 14, 2010 • Issue 10:06:01
Skimming alert system
We tend to think of data thieves as cyber criminals punching away on some remote computer keyboard, working invisibly and anonymously. In the world of credit card data theft, "skimming" is a distinct type of crime, as it involves an act of physical intrusion. Often, terminal devices are moved from their legitimate origin and either put back some time later (with a skimmer built in) or sold to another buyer.
A new service from terminal manufacturer VeriFone Inc., called the VeriFone PED Authentication Service (VPAS), aims to clamp down on such terminal tampering. The service monitors and tracks a number of VeriFone-issued terminals using something called the Unique Manufacturers Authentication Key (UMAK) - an electronic code embedded in the PIN entry devices (PEDs) of certain VeriFone terminals.
The service is compatible with VeriFone's VX Series, MX Series, SC 5000 and Omni 3700 Series devices, which account for between 80 and 90 percent of VeriFone terminals in use, according to Paul Rasori, VeriFone's Senior Vice President of Marketing.
"The deadline for unapproved [PED] devices is [July] 2010, but devices that followed are going to be valid for use in the marketplace until 2014," Rasori said. "Those devices were built on security technology that's now 10 years old.
"The fact is that we're seeing the sophistication of criminal attacks growing quite a bit, with criminals exploiting these older devices in the marketplace. Without mandates for acquirers to remove those devices, we thought there was another layer of security that would be required here."
The UMAK is, in fact, a secret codification of information that's unique to each PED - including the device's serial number and precise location (that is, street address and, where applicable, the exact lane or counter where it is used at a given merchant outlet). Only VeriFone knows the UMAK on any one of its products.
The VPAS service uses the UMAK to detect anything out of the ordinary with a given PED. Merchants who subscribe to the service will have their terminals remotely programmed to send out a signal that VeriFone's monitoring system receives at regular intervals. That signal will contain the UMAK that's programmed into the device, indicating that it is locked down at its proper location.
If a device is removed from its location - as devices often are, even only momentarily, when they are tampered with - the UMAK signal is interrupted, alerting the company that the device is no longer in its proper place (or was out of its proper place for a certain stretch of time, but is back now). VeriFone can then notify the owner of the terminal that there may be tampering; if the terminal has been returned rather than still being missing, the merchant is advised to inspect it for damage or rogue attachments.
The presence of rogue devices with skimming capabilities is indicated by either the lack of a UMAK signal or the transmission of an aberrant one. In most cases, the replacement device won't send out a UMAK signal, and the absence of that signal will trigger an alarm.
A more sophisticated criminal who fraudulently programs a rogue terminal with address information will also trigger an alarm because the programmed information won't match the encrypted format of the UMAK, which is known only to officials at VeriFone. Anything other than the original code coming through would indicate that the device is fraudulent, Rasori said.
"The premise behind the VPAS service is we've developed a centralized database of all these devices and are able to track both the serial number of each device and also the location of the device right down to the lane it's installed in," Rasori said. "With UMAK, we're able to securely authenticate [that a device is in its proper place] using the secret code that VeriFone has which relates to each device. So it's impossible for criminals to spoof that system because they'd never be able to recreate that information."
Rasori added that the removal of the device for legitimate repairs can trigger a false positive emergency signal. But he added that "every merchant acquirer has access to a web portal where they can register different types of events like that, where they can say device with serial number such and such was taken out of service for repair. Then that device is basically put on hold, and when they want to put it back into service, they can go back in and say, 'This is where the device is going to be and where it should be.'"
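The detection logic described in the preceding paragraphs (a device checks in at regular intervals with a secret code that only the manufacturer can derive; a missing check-in, a code that does not verify, a check-in from an unregistered serial, or a silent stretch followed by a return each raise a different alert; a device registered as out for repair is put on hold so it does not raise a false positive) can be modeled in a short monitor. The code below is an added illustration, not VeriFone's software, and it assumes details the article does not give: the UMAK is modeled as an HMAC-SHA256 over the serial number and installed location under a manufacturer-held key, the check-in interval and miss tolerance are invented, and every serial number, address, timestamp and hold reason is constructed for the example.

```python
"""Constructed model of a terminal check-in monitor (added example, not VeriFone's code)."""
import hashlib
import hmac
from typing import Dict, List, Tuple

# Assumption: the manufacturer's secret key, which merchants and terminal resellers never hold.
MANUFACTURER_KEY = b"constructed-manufacturer-secret-for-illustration-only"

HEARTBEAT_INTERVAL = 300        # seconds between expected check-ins (assumed value)
MISSED_BEATS_BEFORE_ALERT = 2   # tolerate a transient network loss before alerting (assumed)

Beat = Tuple[int, str]          # (unix timestamp, code carried in the check-in)


def derive_code(serial: str, location: str) -> str:
    """Model of the per-device secret code: keyed MAC over serial and installed location.
    An attacker who knows the serial and the address but not the key cannot produce it."""
    msg = f"{serial}|{location}".encode()
    return hmac.new(MANUFACTURER_KEY, msg, hashlib.sha256).hexdigest()


def build_registry(devices: List[Tuple[str, str]]) -> Dict[str, Dict[str, str]]:
    """Central database: serial -> installed location and the code it must present."""
    return {serial: {"location": loc, "code": derive_code(serial, loc)} for serial, loc in devices}


def evaluate(registry: Dict[str, Dict[str, str]],
             heartbeats: Dict[str, List[Beat]],
             holds: Dict[str, str],
             now: int) -> List[Tuple[str, str, str]]:
    """Return (serial, status, detail) for every registered device and every unknown sender."""
    window = HEARTBEAT_INTERVAL * MISSED_BEATS_BEFORE_ALERT
    findings = []
    for serial, rec in registry.items():
        if serial in holds:
            # Registered out-of-service event: suppress alerts until it is put back in service.
            findings.append((serial, "on_hold", holds[serial]))
            continue
        beats = sorted(heartbeats.get(serial, []), key=lambda b: b[0])
        if not beats or now - beats[-1][0] > window:
            findings.append((serial, "missing", "no check-in within the expected window"))
            continue
        # Authenticate every received check-in with a constant-time comparison.
        bad = [ts for ts, code in beats if not hmac.compare_digest(code, rec["code"])]
        if bad:
            findings.append((serial, "mismatch", f"{len(bad)} check-in(s) carried a code that does not verify"))
            continue
        # Device is back and authentic, but was it silent for a stretch in between?
        gaps = [b - a for (a, _), (b, _) in zip(beats, beats[1:]) if b - a > window]
        if gaps:
            findings.append((serial, "gap", f"silent for {max(gaps)}s then resumed; inspect for tampering"))
        else:
            findings.append((serial, "ok", "authenticated and on schedule"))
    for serial in heartbeats:
        if serial not in registry:
            findings.append((serial, "unregistered", "check-in from a serial that is not in the registry"))
    return findings


# Constructed sample fleet: serials and street addresses are invented.
DEVICES = [
    ("SN-1001", "123 Main St, Lane 4"),
    ("SN-1002", "123 Main St, Lane 5"),
    ("SN-1003", "9 Harbor Rd, Counter 1"),
    ("SN-1004", "9 Harbor Rd, Counter 2"),
    ("SN-1005", "42 Elm Ave, Lane 1"),
]
REGISTRY = build_registry(DEVICES)
NOW = 10_000
HOLDS = {"SN-1004": "taken out of service for repair (constructed hold record)"}


def sample_heartbeats() -> Dict[str, List[Beat]]:
    """Constructed check-ins illustrating each situation the monitor distinguishes."""
    good = lambda s: REGISTRY[s]["code"]
    # A substitute unit programmed with the right serial and address but no manufacturer key
    # can only produce an unkeyed hash, which will not verify.
    forged = hashlib.sha256(b"SN-1003|9 Harbor Rd, Counter 1").hexdigest()
    return {
        "SN-1001": [(NOW - 900, good("SN-1001")), (NOW - 600, good("SN-1001")), (NOW - 300, good("SN-1001"))],
        "SN-1002": [(NOW - 3000, good("SN-1002"))],            # went silent: removed from its location
        "SN-1003": [(NOW - 300, forged)],                      # present, but the code does not verify
        "SN-1005": [(NOW - 3600, good("SN-1005")), (NOW - 300, good("SN-1005"))],  # silent stretch, then back
        "SN-9999": [(NOW - 300, "not-a-real-code")],           # serial never issued
    }


def run() -> Dict[str, str]:
    """Status per serial for the constructed scenario."""
    return {serial: status for serial, status, _ in evaluate(REGISTRY, sample_heartbeats(), HOLDS, NOW)}


if __name__ == "__main__":
    for serial, status, detail in evaluate(REGISTRY, sample_heartbeats(), HOLDS, NOW):
        print(f"{serial}: {status} - {detail}")
```

The hold table stands in for the web portal Rasori describes: registering a repair moves the device to `on_hold` instead of `missing`, and removing the entry once the device is reinstalled reinstates normal checking. The `gap` status covers the case the article mentions of a device that was out of place for a while and is back, which a monitor that only looks at the latest check-in would miss.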
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.