Sometime around the beginning of November, thieves managed to insert an additional circuit board into the self-checkout Point of Sale (POS) machines at Lucky’s stores in the San Francisco Bay Area. Since then, the company has collected more than 80 consumer and employee reports of fraudulent attempts to access bank account data. Unfortunately, there is nothing new or novel about this attack, only that it continues to happen in the age of smart embedded systems and PCI.
Skimming is the practice of copying the credit or debit card data as it is swiped at a POS. The copied data is then either radioed via SMS or cellular connection, or stored for later, physical pickup. Often the card holder is unaware the additional hardware exists—until law enforcement or the media report the compromise.
In the case of Michaels last Spring, law enforcement and bank authorities informed the art supply store of fraudulent activity traced back to approximately 70 terminals inside its stores. The frauds were generally multiple, unauthorized withdrawals of up to $500 made from ATMs on the West Coast against accounts first captured by the compromised systems at Michaels stores. For this scam, typically a network of organized criminals across the country somehow distract individual store personnel long enough to swap out the PIN pads at the cash register with compromised, look-alike devices.
The Lucky’s card-swipe stations were also located inside the stores. To add components to the self-checkout stations, employees may have been enlisted to install the additional hardware; however, the San Jose Mercury News writes that the company doesn’t believe it was an inside job. Either way, the attack was timed to coincide with busy holiday shopping.
In 2010, the Payment Card Industry (PCI) Security Standards Council did issue guidance around skimming attacks such as this. Recommendations include writing down the serial numbers of the PIN pads in the store, then periodically checking to make sure those devices remain in the store. The council also recommends inspecting each PIN pad for evidence of tampering. That happened at Lucky’s: an alert employee noticed something was different about one compromised machine.
A better solution would be for the POS systems to authenticate the hardware being used for payment. New or otherwise compromised units would be rejected or at least flagged by the POS systems. Unfortunately, the additional costs to merchants to install these units are prohibitive.
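To make the difference between the two preceding paragraphs concrete, here is an added example (not code from Lucky’s, the PCI council, or any PIN pad vendor) that pairs the PCI-style serial-number reconciliation with the hardware authentication proposed above. The host records a hypothetical per-device secret at enrollment and issues a keyed challenge each session; the serials, keys and the look-alike pad are all constructed for the demonstration.

```python
import hmac
import hashlib
import secrets

# Constructed enrollment table: one record per PIN pad, keyed by the serial
# printed on the device, holding a hypothetical secret provisioned at install.
ENROLLED_PADS = {
    "PP-1001": bytes.fromhex("00" * 16),  # placeholder key, lane 1
    "PP-1002": bytes.fromhex("11" * 16),  # placeholder key, lane 2
}

def inventory_check(expected, observed):
    """PCI-style reconciliation of serial labels: returns (missing, unexpected)."""
    expected, observed = set(expected), set(observed)
    return sorted(expected - observed), sorted(observed - expected)

def pad_response(device_key, serial, challenge):
    """What a genuine pad computes from its provisioned key and the host's nonce."""
    return hmac.new(device_key, serial.encode() + challenge, hashlib.sha256).digest()

def host_verify(serial, challenge, response, enrolled=ENROLLED_PADS):
    """Host-side check: an unknown serial or a wrong keyed response flags the lane."""
    key = enrolled.get(serial)
    if key is None:
        return "reject: serial not enrolled"
    expected = pad_response(key, serial, challenge)
    if not hmac.compare_digest(expected, response):
        return "reject: bad response, possible swapped or tampered pad"
    return "ok"

def simulate_swap():
    """A look-alike pad carries the label 'PP-1002' but not its key: it passes
    the serial inventory and fails authentication."""
    lookalike_key = bytes.fromhex("ff" * 16)      # constructed, not enrolled
    observed_serials = ["PP-1001", "PP-1002"]       # labels read off the floor
    missing, unexpected = inventory_check(ENROLLED_PADS, observed_serials)
    challenge = secrets.token_bytes(16)             # fresh nonce per session
    genuine = host_verify("PP-1001", challenge,
                          pad_response(ENROLLED_PADS["PP-1001"], "PP-1001", challenge))
    swapped = host_verify("PP-1002", challenge,
                          pad_response(lookalike_key, "PP-1002", challenge))
    unknown = host_verify("PP-9999", challenge, b"\x00" * 32)
    return {"inventory": (missing, unexpected), "genuine": genuine,
            "swapped": swapped, "unknown": unknown}

if __name__ == "__main__":
    for name, result in simulate_swap().items():
        print(name, result)
```

The inventory result is empty on both sides because the look-alike device reproduces the label, which is why the serial check alone cannot catch a well-made swap; only the keyed response distinguishes the two.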
Another proposal is EMV, an algorithm created by EuroPay, MasterCard and Visa that is embedded on a chip within a credit card and designed to combat face-to-face fraud. But, again, this would not work with stand-alone systems. In a talk at CanSecWest in March 2011, researchers Andrea Barisani and Daniele Bianco, both of Inversepath, and Adam Laurie and Zac Franken, both of Aperture Labs, found specific ways to circumvent the real-world POS security touted by EMV. In a subsequent presentation, they showed how EMV is also an ineffective defense online against what’s called Card Not Present (CNP) fraud.
The US has yet to adopt EMV, and with the launch of NFC-based Google Wallet and similar initiatives expected from other financial services companies, it seems likely that NFC may soon replace both magnetic stripe and EMV credit cards worldwide.
In the meantime, however, we’re still left struggling against very low level skimming attacks on our magnetic cards.