Cloned credit or debit card information is hot property on the dark web. Here’s how to protect your customers.
High transaction volumes, unattended ATMs, terminals handled by a steady stream of customers, situations where a card is handed over to staff: these are the conditions that point of sale (POS) cyber criminals love. They are also the everyday conditions of alcohol service, whether that’s over the bar, in the bar itself, or in an attached restaurant or bistro.
Australians make close to 27 million retail purchases a day using credit or debit cards at in-store terminals, the Reserve Bank of Australia reports. Although card cloning is less prevalent in Australia than overseas, it increased by 13% between 2016 and 2017, according to Fraud and Cybercrime Squad Commander Detective Acting Superintendent Matt Craft.
In June 2017 Craft headed an investigation into a spate of unauthorised automated teller machine (ATM) withdrawals using ‘cloned’ credit and debit cards, made with data stolen from the magnetic strip together with the personal identification number (PIN): classic skimming.
Skimming works by either stealing data directly from a customer’s card or from the payment infrastructure at a merchant location. Techniques range from devices attached to or hidden inside terminals, including pinhole cameras or keypad tone recorders, to tampering with terminal connections, to handheld skimmers used by corrupt staff members who on-sell the data they collect.
Crime in plain sight
Closed circuit television footage has captured a criminal slipping an overlay skimmer onto a POS terminal in a supermarket, right under the cashier’s nose. The skimmer looks exactly like the original device and nobody notices a thing. Some skimmers are placed inside the terminal, making them completely invisible.
And if you think that Europay, MasterCard and Visa (EMV) chip terminals, as opposed to the older models that read the card’s magnetic strip, put you out of reach, think again. Devices that read EMV chips can be tampered with too. There’s even a website called emvskimmer.com selling – you guessed it – EMV skimmers. The latest trend in card data theft is called ‘shimming’: a wafer-thin shim is inserted into the POS terminal to capture EMV chip data, electronic payment processor goEmerchant explains.
The use of ‘tap and go’ EMV chip cards in Australia has grown in tandem with an upsurge in ‘card not present’ fraud, which relies on customer information obtained by infiltrating POS software.
The inside job
Many POS systems are vulnerable to hacking through the business’s existing infrastructure: via the corporate network, by exploiting a vulnerability in an internet-facing system, or by duping an insider into providing access, Australian law firm Colin Biggers Paisley warns. Third-party service providers with remote access to the business’s network are another potential point of entry.
The hacker’s target is the POS system’s random access memory (RAM), where card data is held unencrypted when it is first read from the card. ‘Memory scraper’ malware searches RAM for that data and harvests it.
Figures collated by the Australian Payments Network show that in 2016 the national cost of counterfeit card/skimming fraud was $59.2 million, almost a 10% increase on the year before. The Payment Card Industry Security Standards Council warns that EFTPOS terminals in taxis, restaurants and small businesses, and skimming devices placed on ATMs, are the most common sites of card skimming.
Skimming targets include:
- unattended or unmanned (self-serve) terminals
- terminals with high volume use
- merchants with periods of high volume sales
- merchants with high transaction volumes.
How can businesses protect themselves from skimming?
Working with the Australian Crime Commission and the police, the Australian Payments Network has developed an education program for businesses on how to detect and prevent card skimming, highlighting what to look for and which security measures to take.
Practical steps include:
- closely monitoring payment equipment for signs of tampering, such as broken seals or missing screws and decals, and checking network ports
- recording the serial and model numbers of your devices
- checking that your POS devices are approved by the Payment Card Industry Security Standards Council (PCI SSC) by visiting the PCI SSC website
- mounting terminals securely and using cables or locking stands to secure the equipment
- installing protection software on your POS terminals
- considering security cameras
- screening new hires by conducting background checks.
How can businesses protect themselves from hacking?
Businesses should never rely on shared systems, default settings or static passwords. Vigilance and staying on top of updates to apps, passwords and security software are all part of the mix for securing customers’ financial information.
Practical steps include:
- running your POS system on a separate network
- not naming networks in a way that identifies your business
- using strong passwords or, better yet, passphrases
- not reusing the same password across multiple accounts
- considering a password manager
- regularly updating apps to take advantage of improved security features
- installing antivirus software and keeping it updated.
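Putting the POS system on a separate network only helps if that separation is enforced and checked. The following is an added example, not code from this article or from Gallagher, of a small audit that a business or its IT provider could run over connection records exported from the firewall: it assumes a dedicated POS subnet (192.168.50.0/24 here) whose terminals should talk only to the payment processor over TLS and to the segment’s own DNS resolver, and flags any POS host reaching anywhere else. The subnet, the processor address (203.0.113.10) and the flow records are all constructed placeholders, not real addresses.

```python
import ipaddress
from collections import defaultdict

# Constructed policy for the POS segment (placeholder addresses, not real endpoints).
POS_SEGMENT = ipaddress.ip_network("192.168.50.0/24")
ALLOWED_EGRESS = {
    ("203.0.113.10", 443),   # placeholder payment processor gateway, TLS only
    ("192.168.50.1", 53),    # the segment's own DNS resolver
}


def parse_flow(line: str) -> dict:
    """Parse one constructed flow record: 'ts src_ip src_port dst_ip dst_port proto bytes'."""
    ts, src, sport, dst, dport, proto, nbytes = line.split()
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport),
            "proto": proto, "bytes": int(nbytes)}


def audit_pos_egress(log_text: str) -> list:
    """Return flows from POS hosts that leave the segment for a destination not on the allow-list."""
    violations = []
    for line in log_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        f = parse_flow(line)
        src = ipaddress.ip_address(f["src"])
        dst = ipaddress.ip_address(f["dst"])
        if src not in POS_SEGMENT:
            continue            # not a POS host: outside this policy's scope
        if dst in POS_SEGMENT:
            continue            # traffic inside the segment is covered by a separate policy
        if (f["dst"], f["dport"]) in ALLOWED_EGRESS:
            continue
        violations.append(f)
    return violations


def summarise(violations: list) -> dict:
    """Total the bytes per (src, dst, port) so large, exfiltration-sized flows stand out."""
    totals = defaultdict(int)
    for f in violations:
        totals[(f["src"], f["dst"], f["dport"])] += f["bytes"]
    return dict(totals)


# Constructed flow export: two normal processor calls, a DNS lookup, one POS host sending
# 1.5 MB to an unknown address, one POS host reaching the office file server, and one
# office host (not POS) calling the processor.
SAMPLE_FLOWS = """\
# ts src_ip src_port dst_ip dst_port proto bytes   (constructed)
2017-06-12T09:30:15 192.168.50.21 51022 203.0.113.10 443 tcp 4210
2017-06-12T09:30:16 192.168.50.21 51023 192.168.50.1 53 udp 96
2017-06-12T09:31:02 192.168.50.22 51100 203.0.113.10 443 tcp 3980
2017-06-12T09:40:00 192.168.50.22 51210 198.51.100.77 443 tcp 1048576
2017-06-12T09:41:10 192.168.50.22 51211 198.51.100.77 443 tcp 524288
2017-06-12T09:45:00 192.168.50.21 51300 192.168.10.5 445 tcp 1200
2017-06-12T09:46:00 192.168.10.8 40000 203.0.113.10 443 tcp 500
"""

if __name__ == "__main__":
    for (src, dst, port), total in summarise(audit_pos_egress(SAMPLE_FLOWS)).items():
        print(f"POS host {src} -> {dst}:{port}  {total} bytes outside policy")
```

The allow-list should be enforced on the firewall as a default-deny rule for the POS subnet; this audit is the check that the rule is actually in place and has not been loosened. Two kinds of result matter: a POS host talking to an unknown internet address (the pattern card data theft from POS memory ultimately depends on), and a POS host reaching the office network, which means the segments are not really separate.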
Data loss liability
“If you have systems that hold and store credit card data, that is an exposure for a business,” says insurance broker Gallagher’s David Lane, regional development manager in Western Australia.
Having insurance cover is one protection, but part of any risk management plan should be a strong, robust data security program, Faber advises. Particularly “if you are a business that is heavily dependent on a mature, web-based profile and you are heavily dependent on electronic point of sale and an integrated computer system. Because if you take away either of those things it could get very costly. For the couple of grand it might cost to cover the insurance, you get paid back in truckloads if you do have to claim”.
Gallagher’s cyber insurance specialists can help liquor service businesses identify their operational exposures, advise on formulating a risk management plan and structure insurance cover to protect themselves against the fall-out from a customer data breach.