Low-Tech Scheme Targets Small MerchantsBlocking Satellite Transactions Foils Card Fraud Detection
Many merchant network breaches involve fraudsters intercepting unencrypted transactions as they're transmitted from the point of sale. But last month, fraudsters targeted a handful of small retailers in Kansas City, Mo., with a low-tech scheme designed to block transactions.
See Also: IoT is Happening Now: Are You Prepared?
Local merchants notified authorities that the satellite dishes they use to transmit payment card transactions, including authorizations, had been covered with aluminum foil to block transmission of credit card transaction data via satellite to card issuers, helping to pave the way for fraud.
The Kansas City Police Department explained in an alert how the scheme worked. Retailers routinely use the satellite dishes to send transactions to the card brands and payments processors, which helps detect fraud. When the dishes were covered, however, transmissions were blocked, allowing fraudsters to run countless transactions with credit card numbers that were counterfeit or stolen.
Over the course of a weekend, about four small businesses were compromised. In one case, fraudsters used the method to spend $1,665 on cigarettes with a fraudulent card number, police say. Police have now warned neighboring businesses to check their satellite dishes for tampering and to immediately notify authorities if they notice anything suspicious.
Security experts say merchant acquirers should be warning their retailers about this trend and taking steps to pick up on merchant transactions that appear to have gone dark for extended periods of time.
Foiling the Scam
Although this type of scam is rare, retailers should take some precautionary steps, Pascual says.
"Be wary of any customer using multiple cards to purchase large amounts of items that are easily fenced, such as liquor or cigarettes," he says. "With the merchant's terminal offline, a criminal can take advantage of any unexpired credit or debit card without worrying as to whether or not it was reported stolen or if it has an available balance. Small merchants should be very aware of this type of crime, if they weren't already."
Pascual also points out that other systems, such as those used for lottery sales, could go offline if they share the same satellite connection as those used to transmit data to the card networks and issuers, or if the criminals foil every satellite dish they find on the roof.
John Buzzard, who oversees FICO's Card Alert Service, says the risks posed by satellite transmission tampering are substantial because the payments presented to the merchant during the time of the attack cannot be properly authorized in real time.
"The risk is at the merchant level," Buzzard says. "The foil takes the payment authorization system offline and forces it into stand-in [without online authorization] mode that holds the authorizations until the system comes back online. You could literally take a closed payment card [such as a credit or debit card] into the store at that point and purchase $1,000 worth of cigarettes and the authorization would most likely appear to the merchant to go through."
Card issuing and acquiring banking institutions must be careful about the kind of advice they offer to merchants about how to thwart this kind of fraud, Pascual notes.
"It is certainly in the interest of merchant acquirers to educate their [retail] clients about these types of crimes, along with the red flags that they should be aware of," he says. "My concern there would be around liability. As an acquirer, I would be cautious about recommending that merchants regularly climb on roofs to check their satellite dishes."
But acquirers could be more proactive in identifying merchants that have been targeted by a satellite-foiling attack, Pascual adds. "They could be on the lookout for stores that went dark for an extended period of time, and, subsequently, contact those stores to confirm that the lull in activity is legitimate and not a product of a disabled satellite dish," he says.