
Skimming PIN Pads: Should PCI Standards Push Upgrades to Newer Technology?

In early May, the Michaels art supply chain reported that 90 PIN pads within some of its 995 stores nationwide had been compromised, with victims reporting fraudulent withdrawals of up to $500 made from ATMs on the West Coast against their credit and debit card accounts. While 90 units represents less than 1 percent of the total, Michaels took the extraordinary precaution of removing the approximately 7,200 comparable PIN pads from all its US stores. The company was also monitoring its Canadian stores. There are considerable costs involved.


PIN pads allow consumers the convenience of using their credit or debit cards at the cash register. The consumer swipes his or her card and then enters a PIN. The skimmer units capture both the magnetic card data and the keystrokes on the PIN pad. The compromised skimmers are designed to look exactly like the original, and in some cases may in fact be modified original units.

Last summer, the Payment Card Industry (PCI) Security Standards Council issued guidance around skimming attacks such as this. Recommendations from the council included writing down the serial numbers of the PIN pads in the store, then periodically checking to make sure those devices remain in the store. Since this doesn’t rule out tampering with the devices in situ, the council further recommends physically inspecting each PIN pad for signs of physical compromise.
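As an added example (not code from the article or from the PCI council), here is how a store could turn that guidance into a routine check: a recorded inventory of PIN pad serials and lanes is reconciled against a periodic floor walk, and the age of each device's last physical inspection is tracked because a serial check alone cannot catch a unit tampered with in place. Device serials, lanes and dates are constructed sample values.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class PinPad:
    serial: str            # serial recorded when the device was deployed
    lane: str              # register lane where it was installed
    last_inspected: date   # last documented physical tamper inspection

# Constructed baseline: what the store recorded at deployment (sample values).
BASELINE = [
    PinPad("SN-0001", "lane-1", date(2011, 4, 1)),
    PinPad("SN-0002", "lane-2", date(2011, 4, 1)),
    PinPad("SN-0003", "lane-3", date(2011, 5, 10)),
]
# Constructed floor check: the serial read off each lane's device today.
OBSERVED = {"lane-1": "SN-0001", "lane-2": "SN-9999", "lane-3": "SN-0003"}
AUDIT_DATE = date(2011, 5, 15)

def reconcile(baseline, observed, today, max_age_days=30):
    """Return findings as (severity, lane, detail) tuples.

    A lane showing a serial other than the recorded one is the look-alike
    swap the article describes, so it is 'critical'; a recorded device with
    nothing at its lane is 'missing'; a device not physically inspected in
    max_age_days is 'overdue', since a serial check alone cannot detect
    tampering of a unit that stayed in place.
    """
    findings = []
    recorded_lanes = {p.lane for p in baseline}
    for pad in baseline:
        seen = observed.get(pad.lane)
        if seen is None:
            findings.append(("missing", pad.lane, f"{pad.serial} not present"))
        elif seen != pad.serial:
            findings.append(("critical", pad.lane,
                             f"expected {pad.serial}, found {seen}"))
        if (today - pad.last_inspected).days > max_age_days:
            findings.append(("overdue", pad.lane,
                             f"{pad.serial} last inspected {pad.last_inspected}"))
    for lane, serial in observed.items():
        if lane not in recorded_lanes:   # device on a lane never recorded
            findings.append(("critical", lane, f"unrecorded device {serial}"))
    return findings

def run_check():
    """Run the reconciliation over the constructed sample data."""
    return reconcile(BASELINE, OBSERVED, AUDIT_DATE)
```

Any 'critical' finding is the case to escalate first; 'overdue' entries are the reminder that the serial list only proves a device is present, not that it is untouched.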

This does not bode well for proponents of EMV, otherwise known as Chip and PIN in the UK. With Chip and PIN, the consumer has an RFID-enabled card that they insert into the terminal and then type in their PIN; if the card matches the PIN, the transaction is allowed. Chip and PIN stops face-to-face fraud, where someone clones or skims card data and burns it onto another card. It does nothing for fraud over the phone or Internet, however, and researchers at the University of Cambridge have found various ways to compromise (and therefore skim data from) the physical Chip and PIN terminals. So Chip and PIN seems to have the same problem.

Some newer POS systems in the US have built-in authentication systems designed to protect merchants against the addition of fraudulent PIN pads. This, of course, requires the merchant to purchase a new terminal, and often to upgrade or replace their current POS software as well. Some mid-sized businesses might see the benefits and go ahead. Small businesses may not be able to absorb the costs. And large businesses may choose to roll out such systems over a period of fiscal quarters or years.

Banks have dealt with skimming at ATMs by replacing their old units with new anti-skimming ATMs, perhaps forcing the skimmers into the retail space. Perhaps PCI should now require retail businesses to upgrade to newer and better technology (and while they are upgrading, make sure the new terminals include NFC payments as well). Otherwise, we'll continue to see large-scale attacks at national chains like Michaels for the foreseeable future.
