3 Tips to Foil POS Attacks

Michaels Stores Are Fraudsters' Latest Targets
3 Tips to Foil POS Attacks
A select group of Chicago residents reported thefts from their bank accounts after debit cards were allegedly copied during recent transactions at area Michaels craft stores.

The U.S. Secret Service is now investigating the fraud incidents, which are likely linked to POS device tampering. Police in Bloomingdale, Ill., and two other Chicago suburbs, Vernon Hills and Naperville, also are investigating reports.

Michaels Stores Inc. was contacted about the breaches on May 2, according to a news release posted on its corporate site. The company is now working with authorities, but says the fraud may be related to PIN pad tampering in its Chicago-area stores.

Card details may have been skimmed as far back as December 2010, but fraudulent ATM withdrawals, typically for $500 each originating from California and Nevada, are just starting to hit.

News of the Michaels breach comes on the heels of a similar scam in Canada, which Waterloo police quickly foiled, after an observant customer reported seeing two men handling a checkout counter's card reader. On April 19, the customer of the unnamed retail location contacted Waterloo, Canada, police. The two men now face charges of theft, mischief, attempting to defraud the public, possession of instruments used to forge credit cards, and conspiracy to commit fraud. [See POS Skimming Scam Stopped.]

Despite Canada's migration away from the magnetic stripe on payment cards and toward the Europay, Mastercard, Visa chip and PIN standard, the so-called PIN pad "swap" scheme is still effective. "[Fraudsters] get around EMV by disabling the part of the POS device that reads the chip," says Jerry Silva, a financial-security consultant. "So, then the customer is forced to swipe the mag stripe to make the transaction."

After the customer swipes the card, the clerk realizes the reader is inoperable. But by then, it's too late; the card details have been captured.

Although swap attacks are relatively rare, Silva says, they are effective. The same method of attack was used a year ago against Hancock Fabrics, which led to card fraud that affected more than 140 Hancock customers in three states.

Easy Targets

It's no coincidence that Michaels and Hancock Fabrics are both linked to POS crimes.

Brian Riley, senior research director of bank cards at TowerGroup, says smaller craft stores like Michaels and Hancock are easy targets for POS-swap fraud.

"Big box retailers, food chains and other high-velocity transaction points are less likely to experience compromises at POS devices, because of the heavy traffic and usual level of security surveillance," Riley says. "Lower-volume locations, ranging from craft stores to one-person retail operations, are particularly sensitive to this type of fraud, because device swapping can occur without observation."

Typically, these crimes begin when criminals target a single store, or -- as in the case of Michaels and Hancock -- multiple stores in various locations.

Often, gangs of fraudsters will work together to distract employees away from the POS terminal, so that the swap can be made. Other times, the criminals simply replace the pad when staff leaves the terminals unattended. Occasionally, criminals even resort to collusion with employees, or even use threats of violence to get the devices replaced.

PIN entry device security requirements set by the Payment Card Industry Security Standards Council require PIN pads to include technology that makes tampering evident. But fraudsters get around that by completely swapping out the devices. So merchants have to be more vigilant.

"Merchants play an essential role in the global effort to curtail fraud," Riley says. "They also carry significant liability when breaches occur."

3 Tips

Riley points to three essentials that financial institutions should communicate to retailers regarding POS security:
  1. Be PCI Compliant - Retailers must ensure compliance with PCI standards for PIN entry devices. Compliance mandates that PIN pads be tamper-resistant, tamper-proof and tamper-evident.
  2. Hire Cautiously - Not only must merchants know their customers, but they also must know their employees better. During the hiring process, they must incorporate strategies that include background checks that might help eliminate candidates who could be in collusion with fraudsters.
  3. Assess the Risks - Retail chains are easy targets. "Multilocation operations may be at risk," Riley says. If one retail location is hit with a POS swap attack, take a risk assessment of all other locations in the chain. Consider hiring a third-party organization to perform the security review. You might unveil a pattern in which employees are routinely leaving POS devices unattended and open to theft or tampering.

Riley is quick to note that the Michaels breach highlights a much different fraud problem than the fraud exemplified recently by the large-scale data thefts announced by Epsilon and Sony. "In the instance of Michaels, the attacked data was in use and in motion, rather than reposing in a static file," he says, something relatively easy to avoid if merchants are paying attention to what's happening in their stores.


About the Author

Tracy Kitten

Tracy Kitten

Director of Global Events Content and Executive Editor, BankInfoSecurity & CUInfoSecurity

A veteran journalist with more than 20 years' experience, Kitten has covered the financial sector for the last 13 years. Before joining Information Security Media Group in 2010, where she now serves as director of global events content and executive editor of BankInfoSecurity and CUInfoSecurity, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.




Around the Network