Attacks/Breaches
5/13/2011
03:05 PM
Connect Directly
RSS
E-Mail
50%
50%

Michaels Breach Evidence Of Growing POS Skimming Trend

Craft chain had Payment Application Data Security Standard (PA DSS)-certified POS terminals and PIN pads, but attackers swapped them with with rigged ones

As news spreads about the PIN-pad skimming breach that compromised data processed via 90 terminals across 20 states at arts and crafts outlets owned by Michaels Stores, security experts warn that this attack is symptomatic of point-of-sale (POS) vulnerabilities faced by many retail outfits today. No matter how much work these firms put into protecting credit card and customer databases, if their POS systems are compromised, then the bad guys can collect valuable information at the source of the transaction before it even reaches the protected bubble of the database.

"Skimmer technology just keeps getting better. It's so good even suspicious consumers and reasonably educated employees can't detect the devices," says 'TK' Keanini, CTO of nCircle. "This reality means every retail business relying on PIN-pad devices should be working side by side with equipment suppliers to put countermeasures in place against this type of threat."

In the case of Michaels, the chain has employed Payment Application Data Security Standard (PA DSS)-certified POS terminals and PIN pads. But the attackers involved got around this by somehow swapping out the compliant PIN pads with compromised pads set for stealing information. It is still unclear how the hackers accomplished this, but several security experts believe it was simply a matter of distracting the cashiers and switching the pads in a well-planned social engineering maneuver.

According to Alan Shimel, managing partner for The CISO Group, PIN pads are generally the weakest link in POS systems today. "It's not just a Michaels POS system issue. In all of these credit card systems, the PIN pad is the Achilles' heel," he says. "What happens is even if they get new machines in an upgrade or switch processors who give them new terminals, a lot of times they wouldn't go through the trouble of sending stores a new PA DSS-certified PIN pad as well. So, in general, there has been an issue with noncertified PIN pads."

Granted, the Michaels case was different due to the swap, but Shimel says this is a good warning that even with the right technology, organizations need to be educating employees and keeping a high level of awareness to prevent social engineering.

Of course, there are tools that can at least help keep an eye on PIN pads and POS terminals to prevent tampering, says Steve Elefant, CIO of credit card processor Heartland Payment Systems. "One of the best practices stores need to think about is keeping track of the devices they have through video and individual employees, and verifying that people aren't switching them out and putting a skimmer in," he says, explaining that Heartland helps its merchants through anti-tamper PIN pads that immediately discontinue service the second they're modified.

Elefant and Heartland are big proponents of end-to-end encryption -- a scheme that helps merchants partly by supplying anti-tamper PIN pads that immediately discontinue service the second they're modified. The end-to-end model also accounts for swap-outs, he says.

"We monitor on the back end the traffic from the device coming in, so if we see transactions that are unencrypted or are coming in a different way, we notify the merchant," he says.

Ultimately, though, some security experts believe that the only way to really prevent skimming is to change the way the retail industry accepts credit cards. This means eventually getting rid of magnetic=stripe technology in favor of chip and pin technology being rolled out in countries out of the U.S. today, says Robert Siciliano, CEO of IDTheftSecurity.com and a security consultant.

"Electronic funds transfers at the point of sale [EFTPOS] skimming is a relatively new scam that has become more prevalent over the past few years. POS machines are particularly vulnerable because the magnetic-stripe technology, which has been around for 40 years, is essentially defenseless against modern fraud techniques," Siciliano says. "Anyone can easily, and legally, purchase a skimming device for a couple hundred dollars. This problem will continue as long as the current system of accepting magnetic stripe cards is standard in the United States. Our system needs a serious upgrade."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Must Reads - September 25, 2014
Dark Reading's new Must Reads is a compendium of our best recent coverage of identity and access management. Learn about access control in the age of HTML5, how to improve authentication, why Active Directory is dead, and more.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-5619
Published: 2014-09-29
The Sleuth Kit (TSK) 4.0.1 does not properly handle "." (dotfile) file system entries in FAT file systems and other file systems for which . is not a reserved name, which allows local users to hide activities it more difficult to conduct forensics activities, as demonstrated by Flame.

CVE-2012-5621
Published: 2014-09-29
lib/engine/components/opal/opal-call.cpp in ekiga before 4.0.0 allows remote attackers to cause a denial of service (crash) via an OPAL connection with a party name that contains invalid UTF-8 strings.

CVE-2012-6107
Published: 2014-09-29
Apache Axis2/C does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

CVE-2012-6110
Published: 2014-09-29
bcron-exec in bcron before 0.10 does not close file descriptors associated with temporary files when running a cron job, which allows local users to modify job files and send spam messages by accessing an open file descriptor.

CVE-2013-1874
Published: 2014-09-29
Untrusted search path vulnerability in csi in Chicken before 4.8.2 allows local users to execute arbitrary code via a Trojan horse .csirc in the current working directory.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
In our next Dark Reading Radio broadcast, we’ll take a close look at some of the latest research and practices in application security.