Point of Sale Skimming Attacks and PCI
In a previous post, we covered Ram Raids, PIN ID scams, Automated PIN Changes, SMS Attacks and ATM Malware or Malicious Software. In this post we cover Point of Sale (POS) skimming.
The 3 Kinds of POS Skims
- Clerk skim; the most common kind happens when a store clerk takes your card and runs it through a handheld device that copies the data encoded on the magnetic stripe. Once the thief has the credit or debit card data, he or she can place orders over the phone or online, or encode it onto a cloned card.
- POS swaps; a more advanced skim happens when criminals pose as POS technicians, enter a retail establishment and swap out the existing POS terminals for rigged look-alikes. The replacement terminal records every card that is swiped and either diverts the data wirelessly to the criminal or simply stores it until the criminal comes back and removes it.
- POS malware; the most sophisticated POS skim happens when the POS software itself is compromised remotely. Malware installed on the terminal or the store's back-office system gives criminals control over the devices and, in particular, over the card data those devices process in memory before it is encrypted or sent for authorization.
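Every one of the three skims above is after the same thing: the Track 1 and Track 2 data encoded on the magnetic stripe, which is exactly what POS malware scrapes out of terminal memory and what a clerk's handheld skimmer copies. The following is an added example, not code from the original post: a small scanner that finds stripe-format card data in an arbitrary byte buffer (a process memory dump, a captured serial stream, a suspicious outbound upload) and validates the PAN with the Luhn check so that random digit runs are not reported. The track layouts follow ISO/IEC 7813 (the "%B...?" and ";...=...?" sentinels); the sample buffer and the test PANs in it are constructed for the example and are not real card numbers. The output is masked to the first six and last four digits, which is all PCI DSS permits you to display.

```python
import re
from typing import Dict, List

# Track 1, format B: %B<PAN>^<NAME>^<YYMM><3-digit service code><discretionary data>?
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([^^?]{2,26})\^(\d{4})(\d{3})([^?]{0,40})\?")
# Track 2: ;<PAN>=<YYMM><3-digit service code><discretionary data>?
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})([^?]{0,40})\?")

# Constructed sample standing in for a memory dump of a POS process.
# 4111111111111111 and 5500000000000004 are well-known test PANs;
# 1234567890123456 fails the Luhn check and should be flagged as such.
SAMPLE_DUMP = (
    b"\x00\x00POSAPP.EXE\x00\x00"
    b"%B4111111111111111^DOE/JOHN^25121011000000000000?"
    b"\x00\x00log: sale approved\x00"
    b";4111111111111111=25121011000012345678?"
    b"\x00\x01\x02"
    b";5500000000000004=26091010000000000000?"
    b"\x00"
    b";1234567890123456=2512101?"
    b"\x00\x00"
)


def luhn_ok(pan: str) -> bool:
    """Standard Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits, the maximum PCI DSS allows for display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def _format_expiry(yymm: str) -> str:
    return f"{yymm[2:]}/{yymm[:2]}"   # YYMM -> MM/YY


def scan_for_track_data(buf: bytes) -> List[Dict]:
    """Return one finding per track record found in buf, ordered by offset.

    Each finding carries the track number, the masked PAN, whether the PAN
    passes Luhn, the expiry and the service code. Luhn failures are still
    reported so an analyst can see near-miss or deliberately mangled data.
    """
    findings = []
    for m in TRACK1_RE.finditer(buf):
        pan = m.group(1).decode("ascii")
        findings.append({
            "track": 1, "offset": m.start(), "pan": mask_pan(pan),
            "luhn_ok": luhn_ok(pan), "name": m.group(2).decode("ascii"),
            "expiry": _format_expiry(m.group(3).decode("ascii")),
            "service_code": m.group(4).decode("ascii"),
        })
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode("ascii")
        findings.append({
            "track": 2, "offset": m.start(), "pan": mask_pan(pan),
            "luhn_ok": luhn_ok(pan),
            "expiry": _format_expiry(m.group(2).decode("ascii")),
            "service_code": m.group(3).decode("ascii"),
        })
    findings.sort(key=lambda f: f["offset"])
    return findings


if __name__ == "__main__":
    for f in scan_for_track_data(SAMPLE_DUMP):
        flag = "" if f["luhn_ok"] else "  (Luhn FAIL)"
        print(f"offset {f['offset']:5d} track {f['track']} {f['pan']} "
              f"exp {f['expiry']} svc {f['service_code']}{flag}")
```

Run against a real memory dump, any hit is already a finding: cleartext track data should not be sitting in a POS process long enough to be captured, and a terminal that produces hits is either mis-configured or already compromised. The same regexes, with the Luhn filter to keep the false-positive rate down, are what you would put in an egress DLP rule to catch a skimmer exfiltrating its haul.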
PCI Security Standards Council
The PCI Security Standards Council publishes standards designed to help merchants securely store and transmit card account data and prevent it from falling into the hands of criminals. Retailers who fail to comply with PCI's standards can be fined big bucks by the card brands such as Visa and MasterCard, with the fines passed down through the merchant's acquiring bank. The PCI SSC also maintains and periodically updates a set of recommendations specifically for the prevention of skimming scams. "Skimming is becoming a widespread problem. These are guidelines for what retailers should be looking at with their reader devices", says Bob Russo, general manager of the PCI SSC. "We discuss different techniques for protecting those point-of-sale devices."
The PCI Council's "Skimming Prevention: Best Practices for Merchants" guidelines include a risk assessment questionnaire and self-evaluation forms so merchants can gauge their susceptibility to these types of attacks and determine where they need to shore up their defenses. The guidelines cover how to educate and protect employees who handle the point of sale devices from being targeted, as well as ways to prevent and deter the compromise of those devices. They also detail how to identify a rigged reader and what to do about it, and how the physical location of the devices and stores can raise the risk.
How to Protect Yourself
- Scrutinize the ATM: This means every ATM, even the ones at your own bank, and any unattended card reader such as a gas pump, especially when you are using a debit card. If the card slot does not match the color, finish and style of the rest of the machine, it may be a skimmer overlay fitted over the real reader. Gently wiggle the card reader before you insert your card; a genuine reader is fixed in place, while an overlay often feels loose or comes away in your hand.
- Cover the keypad when entering your PIN: In order to access your bank accounts, thieves need to have your card number and your PIN. By covering the keypad, you prevent cameras and onlookers from seeing your PIN.
- Check your bank and credit card statements often: If someone does get your information, US credit card rules give you 60 days from the statement that shows the charge to dispute it and avoid paying. Debit cards are far less forgiving: under US Regulation E your liability is capped at $50 only if you report the loss within 2 business days, and it climbs sharply after that, so check debit activity every few days rather than once a month.
- Be choosy: Don’t use general ATMs at bars or restaurants. These are not usually monitored and therefore, can be easily tampered with by anyone.