4 Ways to Fight Card Fraud

Secret Service: Payments Schemes, Card Fraud Need Attention
4 Ways to Fight Card Fraud

Erik Rasmussen of the U.S. Secret Service says attacks on payments systems have exploded in the past two years. But banking institutions and merchants continually fail to address the greatest security gap - the point of sale. As a special agent within the Cyber Intelligence Section of the Secret Service's Criminal Investigative Division, Rasmussen has investigated card fraud since 2004.

See Also: Digital Evolution and Fraud Evolution: How to Keep Up with the Changing Times

Card skimming is a problem, but it's not the only one, he says. Currently, most card fraud incidents stem from point-of-sale hacks, not skimming, says Rasmussen, who co-hosted The Faces of Fraud: An Inside Look at the Fraudsters and Their Schemes with BankInfoSecurity at RSA Conference 2012, held in San Francisco Feb. 27-March 2. "The No.1 way criminals are getting in is through remote access to the backhouse server," Rasmussen said.

POS hacks include the type that impacted customers of Michaels and Save Mart in 2011, as well as numerous self-service gasoline pump merchants since 2010.

The ubiquity of the Windows operating system is, in part, to blame. "And the number of points in the transaction chain also open cards to risk," he said. "Hackers have gotten around encryption, in some cases."

But hackers also have learned how to exploit vulnerabilities posed by a commonly used OS. Malware is the attacker; Windows is the target.

"POS systems need remote access for systems repair," Rasmussen said. "But if you're a retailer that is using all the defaults, for passwords, as an example, you can see how easy it is to compromise."

Malware is installed through a backend attack or a malicious link clicked and opened by an employee with administrative privileges. From there, fraudsters have three options: Establish an auto-export functionality through an FTP server embedded in the malware; e-mail data out via e-mail accounts embedded in the malware; or transfer data on a USB drive, if an insider is involved.

Nearly half of the card breaches investigated by the Secret Service involve malware, and the retail, food and beverage, and hospitality sectors are the most vulnerable. "Once the hackers get into the system, it's all become too easy for them."

Pointing to the $20 million card breach that recently hit 100 Subway locations and exposed 100,000 cardholders, Rasmussen described how easy it was for four Romanians to tap Subway's network and exploit the system for more than a year before striking. "They got in through a remote desktop, and they used keystroke logging to collect the card details."

Card issuers, acquirers, merchants, consumers and card brands were affected. More collaboration and information sharing among the payments parties would have helped.

"For Subway, beyond the humiliation of being hacked, they also got dinged for not complying with PCI [the Payment Card Industry Data Security Standard]," Rasmussen said. "Payments systems attacks are not going away; in fact, we expect them to grow, as more payments options, through PayPal and Google, for instance, hit the market."

The best way to mitigate risks: increase information-sharing and collaboration with law enforcement.

Tips for Banking Institutions

Rasmussen says financial institutions should focus on risk mitigation across numerous channels, including credit and debit.

For what should institutions be on the lookout?

  • Insider Threats. Have employees knowingly exposed or stolen cardholder or account information, or are employees vulnerable to socially engineered schemes, such as phishing?
  • Systems Vulnerabilities. Can your system be remotely accessed? If so, by whom, and have default passwords and logins been updated and regularly changed?

What can institutions and merchants do to mitigate risk?

  • Involve Law Enforcement. Investigators can install sniffers to monitor incoming and outgoing traffic, as well as images, to identify malware and the destinations to which stolen data is sent.
  • Outsource Forensics. Merchants should hire third-party forensics firms to evaluate their networks and systems, and then provide information to the Secret Service when breaches are discovered.
  • Stay Current. Regular risk assessments are the best ways to stay abreast of emerging fraud schemes.
  • Improve Education. Employees and customers need to know what the latest threats are and how to mitigate the risks those threats pose.

Additional Summit Insight:
Hear from more industry influencers, earn CPE credits, and network with leaders of technology at our global events. Learn more at our Fraud & Breach Prevention Events site.


About the Author

Tracy Kitten

Tracy Kitten

Former Director of Global Events Content and Executive Editor, BankInfoSecurity & CUInfoSecurity

Kitten was director of global events content and an executive editor at ISMG. A veteran journalist with more than 20 years of experience, she covered the financial sector for over 10 years. Before joining Information Security Media Group in 2010, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.