Is your business vulnerable to POS cyber criminals?
Published 02 August 2018
In one of the biggest credit card heists in recent history, on Wednesday 27 March 2018 the notorious hacking syndicate JokerStash, also known as Fin7, announced it had stolen data from 5 million credit and debit cards used in transactions at some of America’s best-known department store chains, Technology Decisions reports.
Preliminary analysis suggests that customer card data was captured at Saks Fifth Avenue, Saks Off Fifth and Lord & Taylor stores across the chains’ entire network from May 2017. The syndicate released a first batch of 125,000 card records for sale on the dark web.
The Saks and Lord & Taylor data was taken by malware running on the stores’ point-of-sale systems rather than by hardware attached to the terminals, but physical skimming remains the low-tech version of the same theft, and it is far easier to carry out than most retailers assume. Closed-circuit television footage from an Aldi supermarket shows a criminal slipping an overlay skimmer onto a POS terminal under the cashier’s nose. The skimmer looks exactly like the original device and nobody notices a thing. Some skimmers are fitted inside the terminal, making them completely invisible from the outside.
Cyber security consultancy Gemini Advisory says the Saks-Lord & Taylor breach underlines the importance of the more secure Europay, MasterCard and Visa (EMV) chip point of sale terminals over the older models that only read the card’s magnetic stripe.
But devices that read EMV chips can also be tampered with. The latest trend in card data theft is called ‘shimming’ and involves inserting a wafer-thin shim into the terminal’s chip slot to capture the data the chip exchanges with the reader, electronic payment processor goEmerchant explains. A shim cannot clone the chip itself, because each EMV transaction carries a one-time cryptogram, but the static data it captures can be written to a magnetic stripe and used wherever a terminal or issuer still accepts stripe transactions without checking for the chip.
Skimming in Australia
Australians make close to 23 million retail purchases a day using credit or debit cards at in-store terminals, according to the Reserve Bank of Australia. Although card cloning is less prevalent in Australia than overseas, it increased by 13% between 2016 and 2017, according to Fraud and Cybercrime Squad Commander Detective Acting Superintendent Matt Craft.
In June 2017 Craft headed an investigation into a spate of unauthorised ATM withdrawals made with ‘cloned’ credit and debit cards, produced from data stolen off the magnetic stripe together with the customer’s personal identification number (PIN): classic skimming technology.
Skimming works by stealing data either directly from a customer’s card or from the payment infrastructure at a merchant location. Techniques range from devices attached to or hidden inside terminals (including pinhole cameras and keypad tone recorders), to tampering with terminal connections (substituting the cable, for example), to handheld skimmers used by corrupt staff members who swipe the card while processing your bill and on-sell the data they collect.
How can businesses protect themselves from skimming?
Working closely with representatives from the Australian Crime Commission, the Australian Federal Police and the NSW Police, the Australian Payments Network has designed and developed an industry education program for businesses on how to detect and prevent card skimming on their premises, highlighting what to look for and which security measures to take.
Practical steps include:
inspect payment equipment closely and regularly for signs of tampering: broken security seals, missing screws or decals, loose or substituted cables, and unfamiliar devices plugged into network ports
record the serial and model numbers of your devices so that a swapped terminal can be spotted
check that your POS devices are approved by the Payment Card Industry Security Standards Council by looking them up on the PCI SSC website’s list of approved PIN transaction security (PTS) devices
mount terminals securely and use cables or locking stands to secure the equipment
install and keep up to date protection software on your POS systems
consider installing security cameras covering the terminals
screen new hires by conducting background checks
The spread of ‘tap and go’ EMV chip cards in Australia has been accompanied by an upsurge in ‘card not present’ fraud, which uses customer card details obtained by infiltrating POS software rather than by touching the terminal.
Many POS systems are vulnerable to hacking through the business’s existing infrastructure: via the corporate network, by exploiting a vulnerability in an internet facing system, or by duping an insider into providing access, Australian law firm Colin Biggers & Paisley warns. Third party service providers with remote access to the business’s network can also represent a potential point of entry.
The hacker’s target is the POS system’s random access memory (RAM), where card data read from the terminal sits unencrypted for a moment while the transaction is processed. The hacker uses ‘memory scraper’ malware to search that memory for anything shaped like card track data and harvest it. A terminal that encrypts the card data at the point of swipe or tap (point-to-point encryption, P2PE) removes the cleartext from the POS altogether, so a scraper on a compromised POS finds nothing usable.
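The following script is an added example written for this page, not code from the article, Gemini Advisory or any malware family. It shows what a RAM scraper actually looks for: magnetic-stripe Track 1 and Track 2 layouts with a Luhn-valid card number, run over a constructed memory image of a POS process. The same patterns, run over a memory dump, are what a detection rule uses. The second image shows the effect of encryption at the reader; the `p2pe_stand_in` function is a stand-in for a real P2PE reader, and the test card numbers and process contents are constructed for the example.

```python
import hashlib
import re
from typing import List, Tuple

# Magnetic-stripe track layouts (ISO/IEC 7813).
#   Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
#   Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
# PAN is 13-19 digits. A RAM scraper walks a POS process's memory looking
# for exactly these shapes; a detection rule can use the same patterns.
TRACK1_RE = re.compile(rb'%B(?P<pan>\d{13,19})\^[^^]{2,26}\^(?P<exp>\d{4})')
TRACK2_RE = re.compile(rb';?(?P<pan>\d{13,19})=(?P<exp>\d{4})\d{3}\d*\??')


def luhn_ok(pan: bytes) -> bool:
    """Luhn mod-10 check on an ASCII digit string.

    Scrapers apply it to throw away random digit runs that happen to sit
    next to an '=' or '^'; the same filter keeps a detection rule quiet.
    """
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = ch - ord('0')
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scrape(memory: bytes) -> List[Tuple[str, str, str]]:
    """Return (track, PAN, YYMM) for every Luhn-valid track record in memory."""
    found = []
    for track, pattern in (('track1', TRACK1_RE), ('track2', TRACK2_RE)):
        for m in pattern.finditer(memory):
            if luhn_ok(m.group('pan')):
                found.append((track, m.group('pan').decode(), m.group('exp').decode()))
    return found


def p2pe_stand_in(track: bytes, key: bytes) -> bytes:
    """Stand-in for a P2PE reader that encrypts track data before it reaches
    the POS application. Real readers use DUKPT-derived 3DES/AES keys; a
    SHA-256 keystream XOR is used here only so the example runs offline.
    Assumption: this is a demonstration, not a real P2PE scheme."""
    stream = b''
    counter = 0
    while len(stream) < len(track):
        stream += hashlib.sha256(key + counter.to_bytes(4, 'big')).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(track, stream))


# Constructed memory image of a POS process: code, strings and two swipes
# held in the clear. The PANs are the well-known test numbers 4111... and
# 5555...; 1234567890123456 fails Luhn and is there as noise.
CLEARTEXT_IMAGE = (
    b'\x00' * 32 + b'pos.exe: transaction 4471 approved\x00'
    + b'%B4111111111111111^DOE/JANE^25121011000000000000?' + b'\x00' * 16
    + b';5555555555554444=25121011234567890?' + b'\x00' * 16
    + b';1234567890123456=2512101?' + b'\x00' * 32
)

# The same process when the reader encrypts at the swipe: memory holds only
# ciphertext, so the scraper's patterns never match.
KEY = b'constructed-demo-key'
ENCRYPTED_IMAGE = (
    b'\x00' * 32 + b'pos.exe: transaction 4471 approved\x00'
    + p2pe_stand_in(b'%B4111111111111111^DOE/JANE^25121011000000000000?', KEY)
    + b'\x00' * 16
    + p2pe_stand_in(b';5555555555554444=25121011234567890?', KEY)
    + b'\x00' * 32
)

if __name__ == '__main__':
    print('cleartext POS memory:', scrape(CLEARTEXT_IMAGE))
    print('P2PE POS memory:     ', scrape(ENCRYPTED_IMAGE))
```

Running it lists the two valid cards from the cleartext image and nothing from the encrypted one. The Luhn filter is what separates real card numbers from the noise record, which is why both scrapers and detection rules use it; the encrypted image makes the practical point that a scraper on a compromised POS can only take what the POS itself holds in the clear.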
How can businesses protect themselves from hacking?
Faber says restaurants are a case in point: “People [are] walking around scanning credit cards at the table and there is a wireless system that is picking up and transferring that data. You have got a potential breach there. With so many businesses offering free Wi-Fi, just getting a modem and plugging it in and putting a daily password in it, those plug-and-play systems are not built to withstand a professional attack.”
Having insurance cover is one element of protection, but “part of any risk management plan should be having a strong, robust data security program in place,” Faber advises, particularly “if you are a business that is heavily dependent on a mature, web-based profile and you are heavily dependent on electronic point of sale and an integrated computer system. Because if you take away either of those things it could get very costly. For the premium it might cost to cover the insurance, you get paid back in truckloads if you do have to claim.”
Gallagher’s cyber insurance specialists can help tourism and hospitality businesses identify their operational exposures, advise on formulating a risk management plan and structure insurance cover to protect themselves against the fall-out from a customer data breach.