Attacks/Breaches
5/13/2011
03:05 PM
50%
50%

Michaels Breach Evidence Of Growing POS Skimming Trend

Craft chain had Payment Application Data Security Standard (PA DSS)-certified POS terminals and PIN pads, but attackers swapped them with with rigged ones

As news spreads about the PIN-pad skimming breach that compromised data processed via 90 terminals across 20 states at arts and crafts outlets owned by Michaels Stores, security experts warn that this attack is symptomatic of point-of-sale (POS) vulnerabilities faced by many retail outfits today. No matter how much work these firms put into protecting credit card and customer databases, if their POS systems are compromised, then the bad guys can collect valuable information at the source of the transaction before it even reaches the protected bubble of the database.

"Skimmer technology just keeps getting better. It's so good even suspicious consumers and reasonably educated employees can't detect the devices," says 'TK' Keanini, CTO of nCircle. "This reality means every retail business relying on PIN-pad devices should be working side by side with equipment suppliers to put countermeasures in place against this type of threat."

In the case of Michaels, the chain has employed Payment Application Data Security Standard (PA DSS)-certified POS terminals and PIN pads. But the attackers involved got around this by somehow swapping out the compliant PIN pads with compromised pads set for stealing information. It is still unclear how the hackers accomplished this, but several security experts believe it was simply a matter of distracting the cashiers and switching the pads in a well-planned social engineering maneuver.

According to Alan Shimel, managing partner for The CISO Group, PIN pads are generally the weakest link in POS systems today. "It's not just a Michaels POS system issue. In all of these credit card systems, the PIN pad is the Achilles' heel," he says. "What happens is even if they get new machines in an upgrade or switch processors who give them new terminals, a lot of times they wouldn't go through the trouble of sending stores a new PA DSS-certified PIN pad as well. So, in general, there has been an issue with noncertified PIN pads."

Granted, the Michaels case was different due to the swap, but Shimel says this is a good warning that even with the right technology, organizations need to be educating employees and keeping a high level of awareness to prevent social engineering.

Of course, there are tools that can at least help keep an eye on PIN pads and POS terminals to prevent tampering, says Steve Elefant, CIO of credit card processor Heartland Payment Systems. "One of the best practices stores need to think about is keeping track of the devices they have through video and individual employees, and verifying that people aren't switching them out and putting a skimmer in," he says, explaining that Heartland helps its merchants through anti-tamper PIN pads that immediately discontinue service the second they're modified.

Elefant and Heartland are big proponents of end-to-end encryption -- a scheme that helps merchants partly by supplying anti-tamper PIN pads that immediately discontinue service the second they're modified. The end-to-end model also accounts for swap-outs, he says.

"We monitor on the back end the traffic from the device coming in, so if we see transactions that are unencrypted or are coming in a different way, we notify the merchant," he says.

Ultimately, though, some security experts believe that the only way to really prevent skimming is to change the way the retail industry accepts credit cards. This means eventually getting rid of magnetic=stripe technology in favor of chip and pin technology being rolled out in countries out of the U.S. today, says Robert Siciliano, CEO of IDTheftSecurity.com and a security consultant.

"Electronic funds transfers at the point of sale [EFTPOS] skimming is a relatively new scam that has become more prevalent over the past few years. POS machines are particularly vulnerable because the magnetic-stripe technology, which has been around for 40 years, is essentially defenseless against modern fraud techniques," Siciliano says. "Anyone can easily, and legally, purchase a skimming device for a couple hundred dollars. This problem will continue as long as the current system of accepting magnetic stripe cards is standard in the United States. Our system needs a serious upgrade."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-4231
Published: 2015-07-03
The Python interpreter in Cisco NX-OS 6.2(8a) on Nexus 7000 devices allows local users to bypass intended access restrictions and delete an arbitrary VDC's files by leveraging administrative privileges in one VDC, aka Bug ID CSCur08416.

CVE-2015-4232
Published: 2015-07-03
Cisco NX-OS 6.2(10) on Nexus and MDS 9000 devices allows local users to execute arbitrary OS commands by entering crafted tar parameters in the CLI, aka Bug ID CSCus44856.

CVE-2015-4234
Published: 2015-07-03
Cisco NX-OS 6.0(2) and 6.2(2) on Nexus devices has an improper OS configuration, which allows local users to obtain root access via unspecified input to the Python interpreter, aka Bug IDs CSCun02887, CSCur00115, and CSCur00127.

CVE-2015-4237
Published: 2015-07-03
The CLI parser in Cisco NX-OS 4.1(2)E1(1), 6.2(11b), 6.2(12), 7.2(0)ZZ(99.1), 7.2(0)ZZ(99.3), and 9.1(1)SV1(3.1.8) on Nexus devices allows local users to execute arbitrary OS commands via crafted characters in a filename, aka Bug IDs CSCuv08491, CSCuv08443, CSCuv08480, CSCuv08448, CSCuu99291, CSCuv0...

CVE-2015-4239
Published: 2015-07-03
Cisco Adaptive Security Appliance (ASA) Software 9.3(2.243) and 100.13(0.21) allows remote attackers to cause a denial of service (device reload) by sending crafted OSPFv2 packets on the local network, aka Bug ID CSCus84220.

Dark Reading Radio
Archived Dark Reading Radio
Marc Spitler, co-author of the Verizon DBIR will share some of the lesser-known but most intriguing tidbits from the massive report