Data at Risk
Once the device has been swapped, the amount of data to be stolen is related to the amount of time the compromised terminal is in place at the retail location. It also depends on the number of cards that transact during that time. It can run into thousands of cards.
In most of the POS terminal compromises Urban says he has seen in the U.S. that the data is stored on the POS terminal until the terminal is swapped back out. But there is a trend where card compromising devices will broadcast data via Bluetooth or other wireless protocols.
The Hancock Fabrics data breach continues to raise new questions about the security of point of sale (POS) devices at retail stores.
In March, the national fabric store chain publicly confirmed the breach it suffered last summer, sending an open letter to its customers, revealing: "PIN pad units at a limited number of Hancock Fabrics stores were stolen and replaced with visually identical, but fraudulent, PIN pad units. This may have allowed criminals to capture - or "skim" -- payment card data during transactions."
Hancock didn't reveal the locations or number of stores where point of sale scanners were compromised -- nor the number of customers who had their card data taken -- but at least 140 reports from customers in California, Wisconsin and Missouri show the pervasive nature of the fraud.
The lesson here: It is relatively easy for fraudsters to tamper with or even swap out POS PIN Entry Device (PED) pads, and these types of incidents are likely to increase, putting retailers, consumers and banking institutions at risk of future card-related fraud.
According to Bank Info Security, It is conceivable that the data captured can be Track 2 data plus the user's PIN, "which means the criminal may be able to manufacture fake debit cards," says Chuvakin. This data with full access to bank account withdrawal up to a daily limit of $500 could inflict real damage to individual victims - with banking institutions then footing the bill to replace cards and/or monitor accounts.
Prevention and Education
The Hancock Fabrics breach points to several steps that retailers can take to prevent this kind of crime from happening to them:
Ensure PCI Compliance -- Making sure all POS terminals are PCI compliant, using Derived Unique Key Per Transaction (DUKPT). Securely install terminals with unique hardware as a deterrent, and visibly inspect them along with the registers every day.
Educate Employees -- Security awareness training for all store employees would be a great start. Newer pin pads that have more built-in security measures like device tamper resistance can help, but it's important to keep spare PIN pads locked away, and employees should periodically check them while at work to make sure the device ID still matches.
Auditing the PEDs -- on a regular basis, recording them and cross checking the serial numbers. Chuvakin, who recommends retailers follow PED Security Guidelines and review the condition and placement of internal CCTV systems to cover all till areas.
Watch Your Staff -- The PCI Security Council's PIN Transaction working group also recommends performing background checks on employees, as well as keeping a complete record of any work done on the POS pads by service providers. If a service engineer arrives at the store unannounced to do work on the PEDs, the working group recommends that before any work is performed that their identity be confirmed by contacting the service company.