Michaels Breach Evidence Of Growing POS Skimming TrendCraft chain had Payment Application Data Security Standard (PA DSS)-certified POS terminals and PIN pads, but attackers swapped them with with rigged ones
As news spreads about the PIN-pad skimming breach that compromised data processed via 90 terminals across 20 states at arts and crafts outlets owned by Michaels Stores, security experts warn that this attack is symptomatic of point-of-sale (POS) vulnerabilities faced by many retail outfits today. No matter how much work these firms put into protecting credit card and customer databases, if their POS systems are compromised, then the bad guys can collect valuable information at the source of the transaction before it even reaches the protected bubble of the database.
"Skimmer technology just keeps getting better. It's so good even suspicious consumers and reasonably educated employees can't detect the devices," says 'TK' Keanini, CTO of nCircle. "This reality means every retail business relying on PIN-pad devices should be working side by side with equipment suppliers to put countermeasures in place against this type of threat."
In the case of Michaels, the chain has employed Payment Application Data Security Standard (PA DSS)-certified POS terminals and PIN pads. But the attackers involved got around this by somehow swapping out the compliant PIN pads with compromised pads set for stealing information. It is still unclear how the hackers accomplished this, but several security experts believe it was simply a matter of distracting the cashiers and switching the pads in a well-planned social engineering maneuver.
According to Alan Shimel, managing partner for The CISO Group, PIN pads are generally the weakest link in POS systems today. "It's not just a Michaels POS system issue. In all of these credit card systems, the PIN pad is the Achilles' heel," he says. "What happens is even if they get new machines in an upgrade or switch processors who give them new terminals, a lot of times they wouldn't go through the trouble of sending stores a new PA DSS-certified PIN pad as well. So, in general, there has been an issue with noncertified PIN pads."
Granted, the Michaels case was different due to the swap, but Shimel says this is a good warning that even with the right technology, organizations need to be educating employees and keeping a high level of awareness to prevent social engineering.
Of course, there are tools that can at least help keep an eye on PIN pads and POS terminals to prevent tampering, says Steve Elefant, CIO of credit card processor Heartland Payment Systems. "One of the best practices stores need to think about is keeping track of the devices they have through video and individual employees, and verifying that people aren't switching them out and putting a skimmer in," he says, explaining that Heartland helps its merchants through anti-tamper PIN pads that immediately discontinue service the second they're modified.
Elefant and Heartland are big proponents of end-to-end encryption -- a scheme that helps merchants partly by supplying anti-tamper PIN pads that immediately discontinue service the second they're modified. The end-to-end model also accounts for swap-outs, he says.
"We monitor on the back end the traffic from the device coming in, so if we see transactions that are unencrypted or are coming in a different way, we notify the merchant," he says.
Ultimately, though, some security experts believe that the only way to really prevent skimming is to change the way the retail industry accepts credit cards. This means eventually getting rid of magnetic=stripe technology in favor of chip and pin technology being rolled out in countries out of the U.S. today, says Robert Siciliano, CEO of IDTheftSecurity.com and a security consultant.
"Electronic funds transfers at the point of sale [EFTPOS] skimming is a relatively new scam that has become more prevalent over the past few years. POS machines are particularly vulnerable because the magnetic-stripe technology, which has been around for 40 years, is essentially defenseless against modern fraud techniques," Siciliano says. "Anyone can easily, and legally, purchase a skimming device for a couple hundred dollars. This problem will continue as long as the current system of accepting magnetic stripe cards is standard in the United States. Our system needs a serious upgrade."
Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.