Sometime around the beginning of November, thieves managed to insert an additional circuit board into the self-checkout Point of Sale (POS) machines at Lucky's stores in the San Francisco Bay Area. Since then, the company has collected more than 80 consumer and employee reports of fraudulent attempts to access bank account data. Unfortunately, there is nothing new or novel about this attack; what is notable is only that it continues to happen in the age of smart embedded systems and PCI.
Skimming is the practice of copying credit or debit card data as the card is swiped at a POS. The copied data is then either radioed out over SMS or a cellular connection, or stored for later physical pickup. Often the cardholder is unaware the additional hardware exists—until law enforcement or the media report the compromise.
Gas pumps present the hardest problem, since they are often unattended and available twenty-four hours a day. Last Spring, the Los Angeles Sheriff’s Department concluded a three-year investigation into a credit card fraud and identity theft ring that was using "skimmers" to capture credit and debit card information, including PIN codes, at a number of computerized gas station pumps along the West Coast. The devices stored the card information until downloaded remotely by the thieves and re-encoded onto the magnetic strips of other cards. The criminals were then able to use the stolen card numbers–of which they had over 10,000 when arrested–to make purchases. Los Angeles authorities arrested three people in connection with the fraud ring and seized luxury vehicles as well as $40,000 in cash.
In the case of Michaels last spring, law enforcement and bank authorities informed the art supply store of fraudulent activity traced back to approximately 70 terminals inside its stores. The frauds were generally multiple, unauthorized withdrawals of up to $500 made from ATMs on the West Coast against accounts first captured by the compromised systems at Michaels stores. In this scam, a network of organized criminals across the country typically distracts individual store personnel long enough to swap out the PIN pads at the cash register for compromised, look-alike devices.
The Lucky's card-swipe stations were also located inside the stores. Employees may have been enlisted to install the additional hardware in the self-checkout stations; however, the San Jose Mercury News writes that the company doesn't believe it was an inside job. Either way, the attack was timed to coincide with busy holiday shopping.
In 2010, the Payment Card Industry (PCI) Security Standards Council did issue guidance around skimming attacks such as this. Recommendations include writing down the serial numbers of the PIN pads in the store, then periodically checking to make sure those devices remain in the store. The council also recommends inspecting each PIN pad for evidence of tampering. That happened at Lucky's: an alert employee noticed something was different about one compromised machine.
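The PCI guidance above amounts to a reconciliation job: a list of serial numbers written down at installation, compared against what is actually on the counters during a periodic walk-through. The script below is an added example, not from the article or from the PCI council; the lane names and serial numbers are constructed for illustration. It flags three things a store should act on: a recorded unit that is no longer anywhere in the store, a unit whose serial was never recorded (a look-alike device), and a unit that has moved lanes since installation (a sign someone has been handling the pads).

```python
"""PIN pad inventory reconciliation (added example, not the article's own code).

Compares the serial numbers recorded at installation time against the
serials read off the devices during a periodic walk-through, as the PCI
skimming guidance recommends.
"""
from dataclasses import dataclass, field

# Constructed sample data: serials written down when the pads were installed,
# keyed by checkout lane. All serials and lane names here are made up.
RECORDED_INVENTORY = {
    "lane-01": "PP-1001",
    "lane-02": "PP-1002",
    "lane-03": "PP-1003",
    "self-checkout-A": "PP-2001",
    "self-checkout-B": "PP-2002",
}

# Constructed walk-through result: lane -> serial read off the device today.
# lane-02 and lane-03 have swapped units, and self-checkout-B carries a serial
# nobody recorded (the recorded PP-2002 is gone).
WALKTHROUGH = {
    "lane-01": "PP-1001",
    "lane-02": "PP-1003",
    "lane-03": "PP-1002",
    "self-checkout-A": "PP-2001",
    "self-checkout-B": "PP-9999",
}


@dataclass
class AuditResult:
    missing: list = field(default_factory=list)  # recorded serial, not seen anywhere
    unknown: list = field(default_factory=list)  # observed serial, never recorded
    moved: list = field(default_factory=list)    # (serial, expected lane, observed lane)

    def alerts(self):
        """Human-readable findings, one per discrepancy."""
        out = [f"MISSING: recorded pad {s} not found in store" for s in self.missing]
        out += [f"UNKNOWN: pad {s} was never recorded (possible look-alike)"
                for s in self.unknown]
        out += [f"MOVED: pad {s} recorded in {a} but found in {b}"
                for s, a, b in self.moved]
        return out


def reconcile(recorded, observed):
    """Compare two lane->serial maps and return the discrepancies."""
    rec_by_serial = {serial: lane for lane, serial in recorded.items()}
    obs_by_serial = {serial: lane for lane, serial in observed.items()}

    result = AuditResult()
    result.missing = sorted(s for s in rec_by_serial if s not in obs_by_serial)
    result.unknown = sorted(s for s in obs_by_serial if s not in rec_by_serial)
    result.moved = sorted(
        (s, rec_by_serial[s], obs_by_serial[s])
        for s in rec_by_serial
        if s in obs_by_serial and rec_by_serial[s] != obs_by_serial[s]
    )
    return result


def lanes_needing_inspection(result, recorded, observed):
    """Lanes whose pads should be physically inspected for tampering."""
    rec_by_serial = {serial: lane for lane, serial in recorded.items()}
    obs_by_serial = {serial: lane for lane, serial in observed.items()}
    lanes = {rec_by_serial[s] for s in result.missing}
    lanes |= {obs_by_serial[s] for s in result.unknown}
    for _, expected, observed_lane in result.moved:
        lanes.update((expected, observed_lane))
    return sorted(lanes)


if __name__ == "__main__":
    audit = reconcile(RECORDED_INVENTORY, WALKTHROUGH)
    for line in audit.alerts():
        print(line)
    print("inspect:", lanes_needing_inspection(audit, RECORDED_INVENTORY, WALKTHROUGH))
```

On the constructed data this yields four alerts and points the inspector at lane-02, lane-03 and self-checkout-B; the two "moved" findings are deliberately not suppressed even though every serial is accounted for, since a pad that has been unplugged and moved is exactly the kind of handling that a swap or an inserted board would require.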
A better solution would be for the POS systems to authenticate the hardware being used for payment. New or otherwise compromised units would be rejected, or at least flagged, by the POS systems. Unfortunately, the additional costs to merchants of installing such units are prohibitive.
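To make the hardware-authentication idea concrete, here is an added example (not from the article, and not any vendor's protocol) of the simplest scheme that achieves it: each PIN pad is provisioned with a per-device secret keyed by its serial number, and the POS issues a fresh random challenge at every session that the pad must answer with an HMAC. A swapped look-alike pad either reports a serial the POS has never been provisioned for, or reports a known serial but cannot produce the right response because it lacks that unit's key. The `PinPad` and `PosTerminal` classes, the key table and the serial numbers are all constructed for the example.

```python
"""Challenge-response authentication of a PIN pad by the POS (added example).

Models the proposal that the POS should authenticate its payment hardware:
the POS keeps a per-serial secret provisioned at installation and challenges
the pad with a fresh nonce on every session. Keys and serials are made up.
"""
import hashlib
import hmac
import secrets

# Constructed provisioning table: serial -> 256-bit secret. In a real
# deployment these would be injected into tamper-resistant storage on the pad
# and held by the POS (or an HSM behind it), never in plain source like this.
PROVISIONED_KEYS = {
    "PP-1001": secrets.token_bytes(32),
    "PP-2001": secrets.token_bytes(32),
}


def _mac(key, serial, challenge):
    """HMAC-SHA256 over serial || challenge; binding the serial stops a
    response for one unit being replayed as another unit's."""
    return hmac.new(key, serial.encode() + challenge, hashlib.sha256).digest()


class PinPad:
    """A pad that knows its own serial and (if genuine) its provisioned key."""

    def __init__(self, serial, key):
        self.serial = serial
        self._key = key

    def respond(self, challenge):
        return _mac(self._key, self.serial, challenge)


class PosTerminal:
    """The POS side: holds the key table and runs the challenge-response."""

    def __init__(self, keys):
        self._keys = dict(keys)

    def authenticate(self, pad):
        """Return (accepted, reason). A fresh 16-byte nonce per call means a
        captured response cannot be replayed in a later session."""
        key = self._keys.get(pad.serial)
        if key is None:
            return False, f"unknown serial {pad.serial}"
        challenge = secrets.token_bytes(16)
        expected = _mac(key, pad.serial, challenge)
        # Constant-time comparison so a wrong key cannot be guessed byte by byte.
        if hmac.compare_digest(expected, pad.respond(challenge)):
            return True, "ok"
        return False, f"bad response from {pad.serial}"


def scenario():
    """Genuine pad, look-alike with a copied serial, and an unrecorded unit."""
    pos = PosTerminal(PROVISIONED_KEYS)
    genuine = PinPad("PP-1001", PROVISIONED_KEYS["PP-1001"])
    lookalike = PinPad("PP-1001", secrets.token_bytes(32))   # right serial, no key
    unrecorded = PinPad("PP-9999", secrets.token_bytes(32))  # never provisioned
    return {
        "genuine": pos.authenticate(genuine),
        "lookalike": pos.authenticate(lookalike),
        "unrecorded": pos.authenticate(unrecorded),
    }


if __name__ == "__main__":
    for name, (ok, reason) in scenario().items():
        print(f"{name:10s} accepted={ok} ({reason})")
```

The pattern covers the swapped-pad case described for Michaels; it does not by itself detect a board inserted in front of a genuine, still-keyed pad, which is why the serial-number and physical-inspection checks from the PCI guidance remain necessary alongside it.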
Another proposal is EMV, an algorithm created by EuroPay, MasterCard and Visa that is embedded on a chip within a credit card and designed to combat face-to-face fraud. But, again, this would not work with stand-alone systems. In a talk at CanSecWest in March 2011, researchers Andrea Barisani and Daniele Bianco, both of Inversepath, and Adam Laurie and Zac Franken, both of Aperture Labs, found specific ways to circumvent the real-world POS security touted by EMV. In a subsequent presentation, they showed that EMV is also an ineffective defense online against what is called Card Not Present (CNP) fraud.
The US has yet to adopt EMV and with the launch of NFC-based Google Wallet and with similar initiatives expected from other financial services companies, it seems likely that NFC may soon replace both magnetic strip and EMV credit cards worldwide.
In the meantime, however, we're still left struggling against very low level skimming attacks on our magnetic cards.