News & Insights

Is your business vulnerable to POS cyber criminals?

Published 02 August 2018


In one of the biggest credit card heists in recent history, on Wednesday 27 March 2018 notorious hacking syndicate JokerStash, also known as Fin7, announced it had stolen data from 5 million EFTPOS payment cards via transactions in some of America’s most well-known department store chains, Technology Decisions reports.

Preliminary analysis suggests that customer information was skimmed at Saks Fifth Avenue, Saks Off Fifth and Lord & Taylor stores across the entire network of operations from May 2017. The syndicate released a first offering of 125,000 credit card records for sale on the dark web.

How did the criminals install the skimming devices in so many stores? Just watch a criminal slip an overlay skimmer onto POS terminal under the cashier’s nose in an Aldi supermarket on closed circuit television footage. The skimmer looks exactly the same as the original device and nobody notices a thing. Some skimmers are placed inside the terminal, making them completely invisible.

Cyber security consultancy Gemini Advisory says the Saks-Lord & Taylor breach emphasises the importance of the more secure Europay, MasterCard and Visa (EMV) point of sale terminals in preference to the older models that read the card’s magnetic strip.

But devices that scan EMV chips can be vulnerable to interference also. The latest cyber crime trend in credit data theft is called ‘shimming’ and involves inserting a wafer-thin shim into the POS terminal to steal EMV chip data, electronic payment processor goEmerchant explains.
 

 

Skimming in Australia

Australians make close to $23 million retail purchases a day using credit or debit cards at in-store terminals, according to the Reserve Bank of Australia. Although card cloning is less prevalent in Australia than overseas it increased by 13% between 2016 and 2017, according to Fraud and Cybercrime Squad Commander Detective Acting Superintendent Matt Craft.

In June 2017 Craft headed an investigation into a spate of unauthorised ATM withdrawals using ‘cloned’ credit and debit cards with stolen data from the magnetic strip and personal identification information (PIN), classic skimming technology

Figures collated by the Australian Payments Network show that in 2016 the national cost of counterfeit cards/skimming fraud was $59.2 million, almost a 10% increase on the previous year. The Payment Card Industry Data Security council warns that EFTPOS terminals in taxis, restaurants and small businesses or skimming devices placed on ATMs are the most common locations for card skimming.

Skimming targets include

  • unattended or unmanned (self-serve) terminals
  • terminals with high volume use
  • merchants with periods of high volume sales
  • merchants with high transaction volumes
     

The hardware

Skimming works by either stealing data directly from a customer’s card or from the payment infrastructure at a merchant location. Techniques range from devices attached to or hidden inside terminals, including pinhole cameras or keypad tone recorders, tampering with terminal connections by substituting the cable, for example, to handheld skimmers used by corrupt staff members who on-sell the data they collect while processing your bill.
 

How can businesses protect themselves from skimming?

Working closely with representatives from the Australian Crime Commission, the Australian Federal Police and the NSW Police, the Australian Payments Network has designed and developed an industry education program for businesses on how to detect and prevent card skimming on their premises, highlighting what to look for and security measures.

Practical steps include

  • closely monitoring payment equipment for signs of tampering: broken seals, missing screws, decals, and checking network ports
  • record the serial and model numbers of your devices
  • check that your POS devices are Payment Card Industry Security Standard Council approved by visiting the PCI SSC website
  • mounting terminals securely and utilising cables or locking stands to secure the equipment
  • installing protection software on your POS terminals
  • consider installing security cameras
  • screening new hires by conducting background checks
     

The software

The increasing use of ‘tap and go’ embedded EMV chip cards in Australia has grown in tandem with an upsurge in ‘card not present’ crime, using customer information obtained by infiltrating POS software.

Many POS systems are vulnerable to hacking through the business’s existing infrastructure, via the corporate network or by exploiting a vulnerability in an internet facing system – or by duping an insider into providing access, Australian law firm Colin Biggers Paisley warns. Third party service providers with remote access to the business’s network can also represent a potential point of entry.

The hacker’s target is the POS system’s random access memory (RAM) where card data is initially stored unencrypted. The hacker uses ‘memory scraper’ malware to find and reap customer card data.
 

How can businesses protect themselves from hacking?

Businesses should never rely on shared systems, default settings or static passwords. Vigilance and staying on top of updates to apps, passwords and security software are all part of the mix for securing customers’ financial information.

Practical steps include

  • running your POS system on a separate network
  • not naming networks in a way that identifies your business
  • using strong passwords or – better yet – passphrases.
  • not using the same password for multiple accounts
  • consider using a password manager
  • regularly updating apps to take advantage of improved security features
  • installing an antivirus and keeping it updated
     

Data loss liability

“If you have systems that hold and store credit card data, that is an exposure for a business,” says Gallagher's Andrew Faber.

He says restaurants are a case in point: “People [are] walking around scanning credit cards at the table and there is a wireless system that is picking up and transferring that data. You have got a potential breach there. With so many businesses offering free Wi-Fi, just getting a modem and plugging it in and putting a daily password in it, those plug-and-play systems are not built to withstand a professional attack.”

Having insurance cover is one element of protection but "part of any risk management plan should be having a strong, robust data security program in place," Faber advises. Particularly “if you are a business that is heavily dependent on a mature, web-based profile and you are heavily dependent on electronic point of sale and an integrated computer system. Because if you take away either of those things it could get very costly. For the premium it might cost to cover the insurance, you get paid back in truck loads if you do have to claim”.

Along with understanding mandatory data breach reporting obligations, business operators need to be able to continue trading or, in a worst case scenario, pay the bills during an enforced closure.

Gallagher’s cyber insurance specialists can help tourism and hospitality businesses identify their operational exposures, advise on formulating a risk management plan and structure insurance cover to protect themselves against the fall-out from a customer data breach.
 

Connect with an expert

 

Further reading

Cyber insurance

Do I need cyber-liability insurance?
 


Professional profile: Queensland hospitality insurance specialist Justin Riseley
Hospitality & Tourism | Article

Professional profile: Queensland hospitality insurance specialist Justin Riseley

11 May 2021
Industry report: Managing the rising costs of building and property insurance for the food and beverage industry
Hospitality & Tourism | Article

Industry report: Managing the rising costs of building and property insurance for the food and beverage industry

11 February 2021
How would your restaurant or cafe stand up to a tax audit?
Hospitality & Tourism | Article

How would your restaurant or cafe stand up to a tax audit?

15 November 2019