Earlier this week, one of our customer service managers shared a video that captures three men placing a card skimmer on a store machine. All they had to do was distract the cashier for a few seconds–bam, PoS attacks. The machine looks exactly the same even when the skimmer is placed on top, so it is unlikely for anybody to notice the change just by looking at it.
Typically, once a skimmer is placed on the point-of-sale (PoS) device, it captures users’ PIN numbers as well as the data on the magnetic stripe of users’ cards as they swipe them on the compromised machine. The data thieves will return later to get the skimmer back; then they can retrieve the stolen data and copy it onto the magnetic stripes of blank cards.
This isn’t something that just happens at little corner shops and gas stations, either. Brian Krebs wrote just last month about card skimmers found in the self-checkout lanes at some Walmart locations. It is only one of his many articles about card skimmers that have been found.
Protecting Yourself from PoS Attacks
Have you recently seen people inserting cards into the bottom of pin pads instead of swiping them at stores like Hannaford or Walmart? This is why: they’re using cards with EMV chips, which are harder to counterfeit. The chips work by generating a unique code for every transaction, so stolen information can’t be used to make any more purchases. Unfortunately, not all card readers are chip-enabled in the US (for now; this will likely change in the next few years).
There are ways to possibly determine whether a skimmer has been placed on a pin pad. This video has some good tips, starting at 40 seconds in:
- If the card reader protrudes from the machine, yank and twist it. If it’s loose, it may be a skimmer.
- Wiggle the keypad, too. Again, looseness can indicate a skimmer.
- Check if the color of the card reader matches the rest of the machine.
- Especially in the case of an unattended machine like an ATM or gas pump, look for hidden cameras and cover up the pin pad when you punch in your PIN.
That’s not to mention PoS malware. Retail companies are required to take certain measures in order to be PCI DSS (Payment Card Industry Data Security Standard) compliant. For example, PCI DSS requirement 3.2.1 prohibits companies from storing the full contents of the magnetic stripe, in order to make it more difficult for hackers to steal the information. With PoS malware, hackers don’t gather information from the PoS device itself with a physical device; instead, they use the PoS devices to get onto the company network. PoS devices don’t have much Internet connectivity, but they do have a connection to the internal network.
Once the hackers have breached the internal network, they can either infiltrate databases of customer data or they can use the malware as a memory scraper to hunt for credit card data as cards are swiped through PoS devices. The trick here is that the information is unencrypted only very briefly; if the hackers can get hold of it in the instant before it’s encrypted, they’ll be able to use the data for their own ends.
It is essential that you be able to detect when PoS attacks occur–this type of attack directly affects your customers. Using a NetFlow traffic analyzer such as Scrutinizer is a great way to do this, which we’ve detailed in several past blog posts:
To start gaining visibility into every communication going through your network and detecting PoS attacks, check out our Scrutinizer free trial.
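Because PoS devices should talk to only a handful of peers, flow records make unexpected conversations easy to spot. The sketch below is an added example, not Scrutinizer's logic or code from this post: it flags flows from a PoS subnet to any destination outside an allowlist. The subnet, allowlist, CSV layout and sample records are all assumptions constructed for illustration.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Assumed layout (hypothetical): PoS terminals sit in one subnet and only need
# to reach a back-office server and the payment processor's gateway.
POS_SUBNET = ipaddress.ip_network("10.20.30.0/24")
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
ALLOWED_PEERS = {
    ("10.20.1.10", 443),    # back-office server (assumed)
    ("203.0.113.25", 443),  # payment processor gateway (assumed)
}

# Constructed flow records in a simplified CSV export (not a real NetFlow format).
SAMPLE_FLOWS = """\
src,dst,dport,proto,bytes
10.20.30.11,203.0.113.25,443,tcp,5200
10.20.30.11,10.20.1.10,443,tcp,1800
10.20.30.12,198.51.100.77,53,udp,48000
10.20.30.12,198.51.100.77,53,udp,51000
10.20.30.13,10.20.40.5,445,tcp,900
10.20.5.9,198.51.100.77,443,tcp,7000
"""

def find_pos_anomalies(flow_csv):
    """Return {(src, dst, dport): total_bytes} for PoS flows to non-allowlisted peers."""
    totals = defaultdict(int)
    for row in csv.DictReader(io.StringIO(flow_csv)):
        src = ipaddress.ip_address(row["src"])
        dst = row["dst"]
        dport = int(row["dport"])
        if src not in POS_SUBNET:
            continue  # only traffic that originates from PoS terminals
        if (dst, dport) in ALLOWED_PEERS:
            continue  # expected payment or back-office traffic
        totals[(str(src), dst, dport)] += int(row["bytes"])
    return dict(totals)

def classify(dst):
    """Say whether an unexpected peer is on the internal network or the Internet."""
    return "internal" if ipaddress.ip_address(dst) in INTERNAL_NET else "external"

if __name__ == "__main__":
    for (src, dst, dport), nbytes in sorted(find_pos_anomalies(SAMPLE_FLOWS).items()):
        print(f"ALERT {src} -> {dst}:{dport} ({classify(dst)}) {nbytes} bytes")
```

Both kinds of hit matter: an external peer suggests card data leaving the network, while an unexpected internal peer suggests a terminal being used to reach other systems.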