The Hancock Fabrics data breach continues to raise new questions about the security of point of sale (POS) devices at retail stores.
In March, the national fabric store chain publicly confirmed the breach it suffered last summer, sending an open letter to its customers, revealing: "PIN pad units at a limited number of Hancock Fabrics stores were stolen and replaced with visually identical, but fraudulent, PIN pad units. This may have allowed criminals to capture -- or 'skim' -- payment card data during transactions."
Hancock didn't reveal the locations or number of stores where PIN pads were compromised, nor the number of customers whose card data was taken, but at least 140 reports from customers in California, Wisconsin and Missouri show how widely the fraud spread.
The lesson here: it is relatively easy for fraudsters to tamper with or even swap out POS PIN entry devices (PEDs), and these incidents are likely to increase, putting retailers, consumers and banking institutions at risk of card fraud.
"These incidents are part of an ongoing trend where criminals are targeting non-PCI and PED-compliant point of sale terminals with devices installed to capture cardholder data," says Mike Urban, Sr. Director of Fraud Solutions at FICO.
Typically, this crime begins when criminals target a single store, or -- as in the case of Hancock Fabrics -- multiple stores in various locations.
Urban describes how a gang of these criminals will go into a store. "They will feign illness to draw people away from a point of sale terminal in order to make the switch. It is a brazen act - almost to the point of opening the cash register - to swap out a POS terminal during business hours. In these cases, the criminals work together to create a cover of the terminal swapping activity."
While some would think that a store clerk or other employees wouldn't be duped so easily, PCI expert Dr. Anton Chuvakin notes that it isn't a huge social engineering feat to do a swap. "It's fairly easy in many cases," he says. "They'll come in, distract personnel and replace the equipment."
An even more likely scenario, he says, is that the criminals replace the pad when no one is around. "How many times have you gone into a retail store later in the evening and no one was at the checkout area?" he asks.
An unsettling trend in this type of crime is that some criminals have resorted to colluding with employees, or even to threats of violence, to get the PEDs replaced, says PCI and security expert Branden Williams, Director of the Security Consulting Practice at RSA, the security division of EMC.
While the swapping of POS devices is easy to do, it is not as scalable as remote hacking. "A small amount of research can yield a short term gain by capturing a few cards, or even long term gains if the merchant is not uniquely keying each device," Williams says.
The types of devices being targeted for this are the older PIN pads, which are very simple devices. "They're much like a peripheral (mouse, keyboard, etc.) and this is the same effect as inserting a PS/2 or USB keystroke logger," says David Shackleford, a security expert at Sword & Shield, a computer and network security firm in Atlanta, GA. Shackleford says he would not be surprised to see more of these incidents "at merchants with weak physical security and store policies that were still using older technology."
Once the device has been swapped, the amount of data to be stolen is related to the amount of time the compromised terminal is in place at the retail location. "It also depends on the number of cards that transact during that time. It can run into thousands of cards," says FICO's Urban.
In most of the POS terminal compromises Urban says he has seen in the U.S., the data is stored on the rogue terminal until the terminal is swapped back out. "But there is a trend where card compromising devices will broadcast data via Bluetooth or other wireless protocols," he says.
In the case of Hancock Fabrics, the type of pad used wasn't clear. "It's likely that the pads included a swipe reader and numeric keys, which means they could capture full track data and PINs," says Shackleford. "The false pads would have a fair amount of physical storage, and could likely hold a good number of debit and credit card numbers," he says.
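Williams's point about keying each device uniquely and Urban's account of a rogue unit sitting in a lane until it is collected suggest a check a merchant can run from its own records rather than waiting for cardholder complaints. The following is an added example, not code from the article or from any of the vendors quoted: it reconciles the PED serial number and the device-identifying portion of the DUKPT key serial number reported with each transaction against a deployment inventory. The inventory, the transaction records, the lane names and the identifier formats are all constructed for the illustration and are not any vendor's real format.

```python
"""Flag PIN pads whose reported identity does not match the store's deployment
inventory. Added example with constructed data; serial and KSN formats are
assumptions, not any vendor's real format."""

# Constructed inventory: lane -> (PED serial number recorded at deployment,
# device-identifying prefix of the DUKPT key serial number, i.e. the KSN with
# the per-transaction counter bits masked off).
INVENTORY = {
    "store-0142/lane-1": ("PED-A10022", "FFFF9876543210E0"),
    "store-0142/lane-2": ("PED-A10023", "FFFF9876543210E1"),
    "store-0142/lane-3": ("PED-A10024", "FFFF9876543210E2"),
    "store-0142/lane-4": ("PED-A10025", "FFFF9876543210E3"),
}

# Constructed transaction records as a POS or host log might carry them:
# (timestamp, lane, serial the device reported, KSN prefix of the key that
# encrypted the PIN block).
TRANSACTIONS = [
    ("2010-06-01T09:12:04", "store-0142/lane-1", "PED-A10022", "FFFF9876543210E0"),
    ("2010-06-01T09:15:51", "store-0142/lane-2", "PED-A10023", "FFFF9876543210E1"),
    ("2010-06-01T19:40:12", "store-0142/lane-2", "PED-A10023", "FFFF9876543210E1"),
    # lane-3 now reports a serial and key the store never deployed: a swapped unit
    ("2010-06-02T08:03:30", "store-0142/lane-3", "PED-B77001", "FFFF1122334455E9"),
    ("2010-06-02T08:09:44", "store-0142/lane-3", "PED-B77001", "FFFF1122334455E9"),
    # lane-1 keeps its serial but its key identity changed: replaced internals
    # inside the original enclosure, or a cloned serial label
    ("2010-06-02T10:21:07", "store-0142/lane-1", "PED-A10022", "FFFF0000000000A1"),
]


def reconcile(inventory, transactions):
    """Return alerts as (first_seen, lane, reason, serial, ksn_prefix) tuples.

    reason is one of:
      unknown-lane     transactions from a lane that is not in the inventory
      serial-mismatch  the device reported a serial other than the deployed one
      key-mismatch     right serial, but PIN blocks are under a different key
      silent-device    an inventoried lane produced no transactions at all
    Mismatch alerts are ordered by the time the bad identity first appeared;
    silent-device alerts follow them with first_seen set to None.
    """
    first_seen = {}
    for ts, lane, serial, ksn in transactions:
        first_seen.setdefault((lane, serial, ksn), ts)

    alerts = []
    for (lane, serial, ksn), ts in sorted(first_seen.items(), key=lambda kv: kv[1]):
        expected = inventory.get(lane)
        if expected is None:
            alerts.append((ts, lane, "unknown-lane", serial, ksn))
        elif serial != expected[0]:
            alerts.append((ts, lane, "serial-mismatch", serial, ksn))
        elif ksn != expected[1]:
            alerts.append((ts, lane, "key-mismatch", serial, ksn))

    active = {lane for _, lane, _, _ in transactions}
    for lane in sorted(set(inventory) - active):
        serial, ksn = inventory[lane]
        alerts.append((None, lane, "silent-device", serial, ksn))
    return alerts


if __name__ == "__main__":
    for alert in reconcile(INVENTORY, TRANSACTIONS):
        print(alert)
```

A silent lane is weaker evidence than a mismatch (the lane may simply be closed), but it is worth listing because a unit that stores data for later pickup may be installed on a lane that is rarely staffed. The check also depends on the rogue unit reporting honestly; a carefully built clone could echo the original serial, so periodic physical inspection of seals and serial labels against the same inventory remains the backstop.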
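What "full track data" means in practice, as an added example that is not from the article or from any of the experts quoted: the parser below takes ISO/IEC 7813 Track 1 and Track 2 strings, validates the PAN with the Luhn check, decodes the service code, and shows the PAN as it would have to be masked for any merchant-side logging. The sample strings are constructed around the well-known 4111... test PAN and a made-up cardholder name. Note that the PIN is not on the stripe at all; a fraudulent pad captures it from its own keypad, which is what makes the pairing of track data and PIN so damaging for debit cards.

```python
import re

# ISO/IEC 7813 layouts (added example; sample data constructed).
# Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
# Track 2: ;<PAN>=<YYMM><service code><discretionary>?
# An optional LRC character may follow the '?' end sentinel.
TRACK1 = re.compile(
    r"^%B(?P<pan>\d{1,19})\^(?P<name>[^^?]{2,26})\^(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?.?$"
)
TRACK2 = re.compile(r"^;(?P<pan>\d{1,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?.?$")

# Common ISO 7813 service code meanings (first and third digits).
SVC_FIRST = {"1": "international interchange", "2": "international, IC (chip) present",
             "5": "national interchange", "6": "national, IC (chip) present",
             "7": "private", "9": "test"}
SVC_THIRD = {"0": "no restrictions, PIN required", "1": "no restrictions",
             "2": "goods and services only", "3": "ATM only, PIN required",
             "4": "cash only", "5": "goods and services only, PIN required",
             "6": "no restrictions, PIN if PED present",
             "7": "goods and services only, PIN if PED present"}


def luhn_ok(pan):
    """Luhn check digit test; a quick filter for garbage reads."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        n = int(ch)
        if i % 2 == 1:
            n = n * 2 - 9 if n > 4 else n * 2
        total += n
    return total % 10 == 0


def mask_pan(pan):
    """First six and last four digits only, the most a merchant may keep in logs."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def parse_track(raw):
    """Parse one track string into its fields; raises ValueError on anything else."""
    m = TRACK1.match(raw)
    if m:
        fields, track = m.groupdict(), 1
    else:
        m = TRACK2.match(raw)
        if not m:
            raise ValueError("not Track 1 or Track 2 data")
        fields, track = m.groupdict(), 2
        fields["name"] = None  # Track 2 carries no cardholder name
    svc = fields["svc"]
    return {
        "track": track,
        "pan": fields["pan"],
        "masked_pan": mask_pan(fields["pan"]),
        "luhn_ok": luhn_ok(fields["pan"]),
        "name": fields["name"],
        "expiry": fields["exp"],          # YYMM
        "service_code": svc,
        "interchange": SVC_FIRST.get(svc[0], "unknown"),
        "restrictions": SVC_THIRD.get(svc[2], "unknown"),
        "discretionary": fields["disc"],  # issuer data such as the PVKI/PVV and CVV
    }


# Constructed samples: the 4111... test PAN, a made-up name, expiry 2025-12,
# service code 101 (international interchange, no restrictions).
SAMPLE_TRACK1 = "%B4111111111111111^DOE/JANE^25121010000000000000?"
SAMPLE_TRACK2 = ";4111111111111111=25121010000000000000?"

if __name__ == "__main__":
    for raw in (SAMPLE_TRACK1, SAMPLE_TRACK2):
        print(parse_track(raw))
```

The discretionary field is where issuers place the values a counterfeit needs to pass the issuer's checks (PVV for PIN verification, the magnetic-stripe CVV), so a captured track plus a keypad-logged PIN is everything needed to clone a debit card for ATM withdrawal.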