Attacks/Breaches
5/13/2011
03:05 PM
Connect Directly
RSS
E-Mail
50%
50%

Michaels Breach Evidence Of Growing POS Skimming Trend

Craft chain had Payment Application Data Security Standard (PA DSS)-certified POS terminals and PIN pads, but attackers swapped them with with rigged ones

As news spreads about the PIN-pad skimming breach that compromised data processed via 90 terminals across 20 states at arts and crafts outlets owned by Michaels Stores, security experts warn that this attack is symptomatic of point-of-sale (POS) vulnerabilities faced by many retail outfits today. No matter how much work these firms put into protecting credit card and customer databases, if their POS systems are compromised, then the bad guys can collect valuable information at the source of the transaction before it even reaches the protected bubble of the database.

"Skimmer technology just keeps getting better. It's so good even suspicious consumers and reasonably educated employees can't detect the devices," says 'TK' Keanini, CTO of nCircle. "This reality means every retail business relying on PIN-pad devices should be working side by side with equipment suppliers to put countermeasures in place against this type of threat."

In the case of Michaels, the chain has employed Payment Application Data Security Standard (PA DSS)-certified POS terminals and PIN pads. But the attackers involved got around this by somehow swapping out the compliant PIN pads with compromised pads set for stealing information. It is still unclear how the hackers accomplished this, but several security experts believe it was simply a matter of distracting the cashiers and switching the pads in a well-planned social engineering maneuver.

According to Alan Shimel, managing partner for The CISO Group, PIN pads are generally the weakest link in POS systems today. "It's not just a Michaels POS system issue. In all of these credit card systems, the PIN pad is the Achilles' heel," he says. "What happens is even if they get new machines in an upgrade or switch processors who give them new terminals, a lot of times they wouldn't go through the trouble of sending stores a new PA DSS-certified PIN pad as well. So, in general, there has been an issue with noncertified PIN pads."

Granted, the Michaels case was different due to the swap, but Shimel says this is a good warning that even with the right technology, organizations need to be educating employees and keeping a high level of awareness to prevent social engineering.

Of course, there are tools that can at least help keep an eye on PIN pads and POS terminals to prevent tampering, says Steve Elefant, CIO of credit card processor Heartland Payment Systems. "One of the best practices stores need to think about is keeping track of the devices they have through video and individual employees, and verifying that people aren't switching them out and putting a skimmer in," he says, explaining that Heartland helps its merchants through anti-tamper PIN pads that immediately discontinue service the second they're modified.

Elefant and Heartland are big proponents of end-to-end encryption -- a scheme that helps merchants partly by supplying anti-tamper PIN pads that immediately discontinue service the second they're modified. The end-to-end model also accounts for swap-outs, he says.

"We monitor on the back end the traffic from the device coming in, so if we see transactions that are unencrypted or are coming in a different way, we notify the merchant," he says.

Ultimately, though, some security experts believe that the only way to really prevent skimming is to change the way the retail industry accepts credit cards. This means eventually getting rid of magnetic=stripe technology in favor of chip and pin technology being rolled out in countries out of the U.S. today, says Robert Siciliano, CEO of IDTheftSecurity.com and a security consultant.

"Electronic funds transfers at the point of sale [EFTPOS] skimming is a relatively new scam that has become more prevalent over the past few years. POS machines are particularly vulnerable because the magnetic-stripe technology, which has been around for 40 years, is essentially defenseless against modern fraud techniques," Siciliano says. "Anyone can easily, and legally, purchase a skimming device for a couple hundred dollars. This problem will continue as long as the current system of accepting magnetic stripe cards is standard in the United States. Our system needs a serious upgrade."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-0103
Published: 2014-07-29
WebAccess in Zarafa before 7.1.10 and WebApp before 1.6 stores credentials in cleartext, which allows local Apache users to obtain sensitive information by reading the PHP session files.

CVE-2014-0475
Published: 2014-07-29
Multiple directory traversal vulnerabilities in GNU C Library (aka glibc or libc6) before 2.20 allow context-dependent attackers to bypass ForceCommand restrictions and possibly have other unspecified impact via a .. (dot dot) in a (1) LC_*, (2) LANG, or other locale environment variable.

CVE-2014-0889
Published: 2014-07-29
Multiple cross-site scripting (XSS) vulnerabilities in IBM Atlas Suite (aka Atlas Policy Suite), as used in Atlas eDiscovery Process Management through 6.0.3, Disposal and Governance Management for IT through 6.0.3, and Global Retention Policy and Schedule Management through 6.0.3, allow remote atta...

CVE-2014-2226
Published: 2014-07-29
Ubiquiti UniFi Controller before 3.2.1 logs the administrative password hash in syslog messages, which allows man-in-the-middle attackers to obtains sensitive information via unspecified vectors.

CVE-2014-3020
Published: 2014-07-29
install.sh in the Embedded WebSphere Application Server (eWAS) 7.0 before FP33 in IBM Tivoli Integrated Portal (TIP) 2.1 and 2.2 sets world-writable permissions for the installRoot directory tree, which allows local users to gain privileges via a Trojan horse program.

Best of the Web
Dark Reading Radio