The Green Sheet Online Edition

December 23, 2013  •  Issue 13:12:02


New POS skimmer threat exposed

Just in time for the holidays: a new type of skimming device designed to steal cardholder data at the POS. As reported Dec. 3, 2013, on security blog KrebsOnSecurity, the new skimmer is a thin plastic overlay that fits over the PIN pad of standard POS terminals. A small battery and flash storage card affixed to the underside of the device record mag stripe data as cards are swiped through terminals and capture PINs as they are keyed in.

"Such a device would be an enticing buy for a crooked employee at a retail store," said security reporter Brian Krebs. "It might even be installed surreptitiously by thieves posing as customers at a retail establishment."

A video posted along with the blog demonstrated the skimmer on a VeriFone Inc. POS terminal. Krebs said the overlay is a "remarkably simple but brilliant POS skimming device that can be installed and removed in the blink of an eye." Krebs noted that the fraudster from whom he received the video sells the skimmer on underground web forums.

Overlay attack vector

VeriFone responded with a warning that the overlay, also called a shell, is not designed solely for its terminals. "This particular method of fraud, which is also known as an 'overlay attack,' can be used on any vendor's POS terminal or PIN pad," the manufacturer told The Green Sheet. "As with most skimming efforts, daily inspection of payment devices will quickly reveal such skimming efforts."

Karisse Hendrick, Industry Specialist at the Merchant Risk Council, said the skimming device is concerning because it would be harder to detect than other skimmers. "Historically, we have seen that some of the early skimming devices were fairly obvious, at least to the trained eye, and it was quite obvious that these were added to the terminal and not safe," she said.

The MRC, an association geared to helping retailers minimize fraud and other threats to business stability, has noticed that fraudsters are increasingly sophisticated in both the fraudulent devices they deploy and in their behavior, especially in the e-commerce realm.

"As merchants add tools and train employees to detect fraudulent transactions, fraudsters patiently study which transactions are flagged and which appear legitimate, and then develop elaborate ways to mask their behavior to 'fit in' with legitimate customer orders," Hendrick said.

Fraud for the holidays

Hendrick remarked that the holiday shopping season can be a particularly pernicious time for fraud attacks. "Fraudsters are opportunists at heart, so they will take advantage of any situation that they can to try to blend in with legitimate purchases and activity," she said. "While fraud is a year-round business, like with all payment fraud, when sales increase, fraud also increases."

Hendrick noted that during the holiday rush, it can be more challenging for merchants to detect fraud schemes because of higher than usual volumes of in-store and online transactions, as well as a greater amount of legitimate high-dollar transactions.

Hendrick said merchants can help guard against attacks by keeping abreast of current fraud threats through publications and communication with other merchants. Since fraudsters often specialize in specific retail sectors, it is worthwhile for merchants to establish open lines of communication with competitors, she added.

Fraudsters are apparently doing just that. "Most often we see that if a fraudster is successful once, they have shared this with others within their community, and your company no doubt will be a target for others," Hendrick said.

To combat fraudsters and their schemes, employee training is vital. "It is … critical to train all frontline staff, especially customer service employees, whether seasonal or permanent, to be on the lookout for suspicious or abnormal customer behavior, whether in person or in an online order," Hendrick said. "They are your first line of defense and your eyes and ears."

Hendrick believes it is the responsibility of all participants in the transaction value chain – from merchants to back-end payment processors – to collaborate to prevent fraud.

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.
