A small point-of-sale attack in Kentucky points to a larger fraud trend impacting banking institutions and their customers.
"Micro attacks" is the term Gartner analyst Avivah Litan uses to describe this new scheme characterized by localized fraud incidents that are relatively small in nature, eluding detection and giving the fraudsters more time to drain accounts.
In the latest example of a micro attack, a Winchester, Ky.-based Mexican restaurant has been named as the source of a POS attack that has affected scores of credit and debit accounts and more than a dozen local banking institutions. Unauthorized charges against these accounts have been reported from as far away as Singapore.
Other institutions in different locations report similar stories: small attacks that affect a handful of card-issuing institutions, which often fail to have fraud-detection systems sophisticated enough to connect the dots to a single point of compromise.
"More and more banks are telling me they're seeing online account takeover decline and card fraud increase," says Litan, discussing the micro attack trend. "And most of the increases in card fraud they're seeing are linked to POS attacks, because the systems are so easy to break."
In Kentucky, the micro attack began to unfold in June, when fraudsters remotely breached the POS system of locally owned Puerta Grande, stealing magnetic stripe data to make counterfeit payment cards.
Soon after the breach, according to a local news report, banking institutions in the area began reporting separate incidents of card fraud, and authorities followed the trail back to Puerta Grande.
So far, the number of impacted cardholders remains small. But for a community the size of Winchester, population 18,000, fraud incidents linked to the breach are relatively high. Local authorities estimate between 50 and 100 accounts have been exposed, and Litan says one institution lost $30,000 to the scheme, a big hit for a small community bank.
Since mid-July, the affected banks have reported unauthorized purchases stemming from Singapore, Australia, the Dominican Republic and Brazil. All of the fraudulent transactions are now suspected of occurring in June and early July.
The Winchester Police Department, which could not be reached for comment, is reportedly still working to identify how the restaurant's POS system was breached. The Secret Service also is assisting with the investigation.
Since being notified of the breach, Puerta Grande has installed new POS equipment.
Small Businesses: Easy Targets
Litan says micro attacks, such as the one linked to Puerta Grande, are usually waged against a certain type of POS device or system model, which hackers hit through remote-access portals. It's been easy, Litan says, because many businesses - especially restaurants - fail to change the default passwords installed by the original equipment manufacturer, and so fraudsters find no resistance.
From what Litan has learned, that's exactly what happened in Winchester.
"No one yet knows how it happened and where it happened, but it appears that someone got into the store's system remotely and siphoned off the cards' magnetic-stripe data so that the criminals could make counterfeit cloned cards," Litan says.
Puerta Grande, which Litan says processes transactions through Heartland Payment Systems, has since upgraded its systems and is now using Heartland's E3 end-to-end encryption technology. The E3 POS system includes layers of Advanced Encryption Standard, better known as AES, security for software and hardware.
"This restaurant in Kentucky wanted help, and Heartland came in with a good solution to encrypt the transactions," Litan says.
But the greater challenge is how to help these businesses before micro attacks occur.
"These small businesses don't understand the security, and they don't want to worry about security," Litan says. "But they all need to get up-to-date, and they really have to rely on their vendors and processors for a lot of that."
How to Fight Back
Litan says customer education makes a difference when it comes to preventing and detecting micro attacks, but awareness can only go so far.
"I think trying to get the customer more engaged makes a difference, but institutions really should do more with mobile alerts," she says.
By using a mobile device's geo-location, for instance, institutions can correlate card transactions with an accountholder's mobile location. "If the transaction and the mobile device are really far apart, then send an alert," Litan says. "That's a great way to get the customer involved and take advantage of mobile interactions."
But the No. 1 step all institutions need to take is to invest in upgraded fraud-detection systems. "They need systems that catch the transactions first," Litan says.
Taken individually, these micro attacks may seem relatively insignificant. But add them up, and it's a different story, Litan says. "It's these small, localized incidents that are giving mega-banks and card issuers major headaches."