The Green Sheet Online Edition
December 23, 2013 • Issue 13:12:02
New POS skimmer threat exposed
Just in time for the holidays: a new type of skimming device designed to steal cardholder data at the POS. As reported Dec. 3, 2013, on security blog KrebsOnSecurity, the new skimmer is a thin plastic overlay that fits over the PIN pad of standard POS terminals. A small battery and flash storage card affixed to the underside of the device record mag stripe data as cards are swiped through terminals and capture PINs as they are keyed in.
"Such a device would be an enticing buy for a crooked employee at a retail store," said security reporter Brian Krebs. "It might even be installed surreptitiously by thieves posing as customers at a retail establishment."
A video posted along with the blog demonstrated the skimmer on a VeriFone Inc. POS terminal. Krebs said the overlay is a "remarkably simple but brilliant POS skimming device that can be installed and removed in the blink of an eye." Krebs noted that the fraudster from whom he received the video sells the skimmer on underground web forums.
Overlay attack vector
VeriFone responded with a warning that the overlay, also called a shell, is not designed solely for its terminals. "This particular method of fraud, which is also known as an 'overlay attack,' can be used on any vendor's POS terminal or PIN pad," the manufacturer told The Green Sheet. "As with most skimming efforts, daily inspection of payment devices will quickly reveal such skimming efforts."
Karisse Hendrick, Industry Specialist at the Merchant Risk Council, said the skimming device is concerning because it would be harder to detect than other skimmers. "Historically, we have seen that some of the early skimming devices were fairly obvious, at least to the trained eye, and it was quite obvious that these were added to the terminal and not safe," she said.
The MRC, an association geared to helping retailers minimize fraud and other threats to business stability, has noticed that fraudsters are increasingly sophisticated both in the fraudulent devices they deploy and in their behavior, especially in the e-commerce realm.
"As merchants add tools and train employees to detect fraudulent transactions, fraudsters patiently study which transactions are flagged and which appear legitimate, and then develop elaborate ways to mask their behavior to 'fit in' with legitimate customer orders," Hendrick said.
Fraud for the holidays
Hendrick remarked that the holiday shopping season can be a particularly pernicious time for fraud attacks. "Fraudsters are opportunists at heart, so they will take advantage of any situation that they can to try to blend in with legitimate purchases and activity," she said. "While fraud is a year-round business, like with all payment fraud, when sales increase, fraud also increases."
Hendrick noted that during the holiday rush, it can be more challenging for merchants to detect fraud schemes because of higher than usual volumes of in-store and online transactions, as well as a greater number of legitimate high-dollar transactions.
Hendrick said merchants can help guard against attacks by keeping abreast of current fraud threats through publications and communication with other merchants. Since fraudsters often specialize in specific retail sectors, it is worthwhile for merchants to establish open lines of communication with competitors, she added.
Fraudsters are apparently doing just that. "Most often we see that if a fraudster is successful once, they have shared this with others within their community, and your company no doubt will be a target for others," Hendrick said.
To combat fraudsters and their schemes, employee training is vital. "It is … critical to train all frontline staff, especially customer service employees, whether seasonal or permanent, to be on the lookout for suspicious or abnormal customer behavior, whether in person or in an online order," Hendrick said. "They are your first line of defense and your eyes and ears."
Hendrick believes it is the responsibility of all participants in the transaction value chain – from merchants to back-end payment processors – to collaborate to prevent fraud.