Attacks/Breaches
5/13/2011
03:05 PM
50%
50%

Michaels Breach Evidence Of Growing POS Skimming Trend

Craft chain had Payment Application Data Security Standard (PA DSS)-certified POS terminals and PIN pads, but attackers swapped them with with rigged ones

As news spreads about the PIN-pad skimming breach that compromised data processed via 90 terminals across 20 states at arts and crafts outlets owned by Michaels Stores, security experts warn that this attack is symptomatic of point-of-sale (POS) vulnerabilities faced by many retail outfits today. No matter how much work these firms put into protecting credit card and customer databases, if their POS systems are compromised, then the bad guys can collect valuable information at the source of the transaction before it even reaches the protected bubble of the database.

"Skimmer technology just keeps getting better. It's so good even suspicious consumers and reasonably educated employees can't detect the devices," says 'TK' Keanini, CTO of nCircle. "This reality means every retail business relying on PIN-pad devices should be working side by side with equipment suppliers to put countermeasures in place against this type of threat."

In the case of Michaels, the chain has employed Payment Application Data Security Standard (PA DSS)-certified POS terminals and PIN pads. But the attackers involved got around this by somehow swapping out the compliant PIN pads with compromised pads set for stealing information. It is still unclear how the hackers accomplished this, but several security experts believe it was simply a matter of distracting the cashiers and switching the pads in a well-planned social engineering maneuver.

According to Alan Shimel, managing partner for The CISO Group, PIN pads are generally the weakest link in POS systems today. "It's not just a Michaels POS system issue. In all of these credit card systems, the PIN pad is the Achilles' heel," he says. "What happens is even if they get new machines in an upgrade or switch processors who give them new terminals, a lot of times they wouldn't go through the trouble of sending stores a new PA DSS-certified PIN pad as well. So, in general, there has been an issue with noncertified PIN pads."

Granted, the Michaels case was different due to the swap, but Shimel says this is a good warning that even with the right technology, organizations need to be educating employees and keeping a high level of awareness to prevent social engineering.

Of course, there are tools that can at least help keep an eye on PIN pads and POS terminals to prevent tampering, says Steve Elefant, CIO of credit card processor Heartland Payment Systems. "One of the best practices stores need to think about is keeping track of the devices they have through video and individual employees, and verifying that people aren't switching them out and putting a skimmer in," he says, explaining that Heartland helps its merchants through anti-tamper PIN pads that immediately discontinue service the second they're modified.

Elefant and Heartland are big proponents of end-to-end encryption -- a scheme that helps merchants partly by supplying anti-tamper PIN pads that immediately discontinue service the second they're modified. The end-to-end model also accounts for swap-outs, he says.

"We monitor on the back end the traffic from the device coming in, so if we see transactions that are unencrypted or are coming in a different way, we notify the merchant," he says.

Ultimately, though, some security experts believe that the only way to really prevent skimming is to change the way the retail industry accepts credit cards. This means eventually getting rid of magnetic=stripe technology in favor of chip and pin technology being rolled out in countries out of the U.S. today, says Robert Siciliano, CEO of IDTheftSecurity.com and a security consultant.

"Electronic funds transfers at the point of sale [EFTPOS] skimming is a relatively new scam that has become more prevalent over the past few years. POS machines are particularly vulnerable because the magnetic-stripe technology, which has been around for 40 years, is essentially defenseless against modern fraud techniques," Siciliano says. "Anyone can easily, and legally, purchase a skimming device for a couple hundred dollars. This problem will continue as long as the current system of accepting magnetic stripe cards is standard in the United States. Our system needs a serious upgrade."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-6090
Published: 2015-04-27
Multiple cross-site request forgery (CSRF) vulnerabilities in the (1) DataMappingEditorCommands, (2) DatastoreEditorCommands, and (3) IEGEditorCommands servlets in IBM Curam Social Program Management (SPM) 5.2 SP6 before EP6, 6.0 SP2 before EP26, 6.0.3 before 6.0.3.0 iFix8, 6.0.4 before 6.0.4.5 iFix...

CVE-2014-6092
Published: 2015-04-27
IBM Curam Social Program Management (SPM) 5.2 before SP6 EP6, 6.0 SP2 before EP26, 6.0.4 before 6.0.4.6, and 6.0.5 before 6.0.5.6 requires failed-login handling for web-service accounts to have the same lockout policy as for standard user accounts, which makes it easier for remote attackers to cause...

CVE-2015-0113
Published: 2015-04-27
The Jazz help system in IBM Rational Collaborative Lifecycle Management 4.0 through 5.0.2, Rational Quality Manager 4.0 through 4.0.7 and 5.0 through 5.0.2, Rational Team Concert 4.0 through 4.0.7 and 5.0 through 5.0.2, Rational Requirements Composer 4.0 through 4.0.7, Rational DOORS Next Generation...

CVE-2015-0174
Published: 2015-04-27
The SNMP implementation in IBM WebSphere Application Server (WAS) 8.5 before 8.5.5.5 does not properly handle configuration data, which allows remote authenticated users to obtain sensitive information via unspecified vectors.

CVE-2015-0175
Published: 2015-04-27
IBM WebSphere Application Server (WAS) 8.5 Liberty Profile before 8.5.5.5 does not properly implement authData elements, which allows remote authenticated users to gain privileges via unspecified vectors.

Dark Reading Radio
Archived Dark Reading Radio
Join security and risk expert John Pironti and Dark Reading Editor-in-Chief Tim Wilson for a live online discussion of the sea-changing shift in security strategy and the many ways it is affecting IT and business.