In early May, the Michaels art supply chain reported that 90 PIN pads within some of its 995 stores nationwide had been compromised, with victims reporting fraudulent withdrawals of up to $500 made from ATMs on the West Coast against their credit and debit card accounts. While 90 units represents less than 1 percent of the total, Michaels took the extraordinary precaution of removing the approximately 7,200 comparable PIN pads from all its US stores. The company was also monitoring its Canadian stores. There are considerable costs involved.
PIN pads allow consumers the convenience of using their credit or debit cards at the cash register. The consumer swipes his or her card and then enters a PIN. The skimmers units capture both the magnetic card data as well as the keystrokes on the PIN pad. The compromised skimmers are designed to look exactly like the original, and in some cases may in fact be modified original units.
Last summer, the Payment Card Industry (PCI) Security Standards Council issued guidance around skimming attacks such as this. Recommendations from the council included writing down the serial numbers of the PIN pads in the store, then periodically checking to make sure those devices remain in the store. Since this doesn’t rule out tampering with the devices in situ, the council further recommends physically inspecting each PIN pad for signs of physical compromise.
This does this bode well for proponents of EMV, otherwise known as Chip and Pin in the UK. With Chip and PIN, the consumer has an RFID-enabled card that they insert into the terminal then type in their PIN; if the card matches the PIN, the transaction is allowed. Chip and PIN stops face-to-face fraud, where someone clones or skims card data and burns that onto another card. It does nothing for fraud over the phone or Internet, however, and researchers at the University of Cambridge have found various ways to compromise–and therefore skim the data from—the physical Chip and PIN terminals. So Chip and PIN seems to have the same problem.
Some newer POS systems in the US have built-in authentication systems designed to protect merchants against the addition of fraudulent PIN pads. This, of course, requires the merchant to purchase a new terminal, and often upgrade or replace their current POS software as well. Some mid-sized businesses might see the benefits and go ahead. Small businesses may not be able to absorb the costs. And, large businesses may chose to roll out such systems over a period of fiscal quarters or years.
Banks have dealt with skimming at ATMs by replacing their old units with new anti-skimming ATMs, perhaps forcing the skimmers into the retail space. Perhaps PCI should require now retail businesses to upgrade to newer and better technology (And while they are upgrading, make sure the new terminals include NFC payments as well). Otherwise, we’ll continue to see large-scale attacks at national chains like Michaels for the foreseeable future.