The Green Sheet Online Edition
July 22, 2013 • Issue 13:07:02
POS attacks on the rise
POS software vulnerability is to blame for numerous attacks exposing hundreds of thousands of credit cards per year. Some retailers in Louisville, Ky., have found this out the hard way.
Card issuers have been able to tie fraudulent transactions back to a number of merchants in the Louisville area who all have one thing in common: the same POS systems with remote access software, supplied locally to some Louisville merchants, according to BankInfoSecurity.com.
Given multiple links to Louisville, issuers at first thought the breach had involved a processor. The attacks may have begun in February 2013. The names of the stores that experienced a breach have not yet been revealed. The Kentucky Task Force Crimes Unit, which is part of the U.S. Secret Service, is heading up the investigation.
The attacks thus far discovered do not seem to have affected PIN debit transactions. However, Park Community Federal Credit Union of Louisville posted a fraud alert on its website on April 2, 2013, to notify people of a possible compromise that could affect a significant number of cardholders in the region.
Keeping cardholders vigilant against fraud
Park Community is active in keeping area citizens informed of various threats, including one hoax involving temporary debit card holds. The credit union's website warned that members received automated phone calls telling them that their cards were temporarily on hold or deactivated for security purposes.
The calls instructed cardholders to enter their card numbers via phone. "These calls were bogus and not from Park Community," the site stated. The credit union noted that it never contacts members to ask for debit card or checking account numbers.
POS breaches are on the rise. Card issuers have been the first line of defense in detecting system intrusions. They search for fraud patterns in localized areas. In March 2013, a St. Louis-based grocery store chain was alerted by card issuers to a possible breach.
Schnuck Markets Inc., which has 101 stores in five states, later stated that its computer forensic firm found evidence that malware had captured mag stripe data. Some 2.4 million credit and debit cards were exposed between Dec. 1, 2012, and March 29, 2013.
Detection lags intrusions
Financially motivated fraudsters are a key part of the 75 percent of incidents in Verizon's 2013 Data Breach Investigations Report, which analyzed 47,000 data security incidents over the course of a year.
This study also found that 37 percent of the security breaches occurred in financial organizations and retail environments, while restaurants suffered 24 percent of the reported incidents. In 66 percent of cases, the breach was not discovered for months, or even years. In 22 percent of cases, it took months to contain the breach.
"What's alarming is how long breaches took to spot, and how long they took to fix," the report stated. "And while sensitive data remains exposed, losses grow and reputations suffer further damage."
Here are a few things you can do to make sure your merchants understand how to protect their POS systems.
- To guard against attacks, set administrative passwords early and change them often, at least every 30 days.
- Give access to only those employees who need it.
- Use a logging system that is easy to navigate and enables the quick piecing together of information.
- Avoid using POS systems that browse the Internet.
- Always stay compliant with the Payment Card Industry Data Security Standard. Do not use a device that is not compliant.
- At larger merchants or ones with multiple store locations, make sure the passwords are different at each location. Do not make it easy for a fraudster to attack other stores with the same credentials.
Nicholas Cucci is the Director of Marketing for Network Merchants Inc., a graduate of Benedictine University and a licensed Certified Fraud Examiner. Cucci is also a member of the Advisory Board and Anti-Fraud Technology Committee for the Association of Certified Fraud Examiners, as well as a member of the Electronic Transactions Association's Risk, Fraud and Security Committee. NMI builds e-commerce payment gateways for companies that want to process transactions online in real time anywhere in the world. Contact him at firstname.lastname@example.org.