POS Skimming Scam Stopped
Canadian Police Crack Down on PIN Pad Swaps
The scheme involves swapping legitimate PIN pads or card readers at merchant locations with bogus readers that have been manipulated to collect card numbers. When debit or credit cards are inserted or swiped, their card numbers are collected and stored on the reader. In some cases, numbers are actually transmitted wirelessly to criminals who are waiting nearby.
The scheme is effective at compromising magnetic-stripe and EMV-compliant chip cards, says Jerry Silva, a financial-security consultant. "They get around EMV by disabling the part of the POS device that reads the chip," Silva says. "So, then the customer is forced to swipe the mag-stripe to make the transaction."
It's not until after the customer swipes the card that the clerk realizes the reader is inoperable. By then, however, it's too late; the fraudsters have the card details.
In this case, Waterloo Regional Police stopped the attack before many cards were compromised. On April 19, a customer at an unnamed retail location contacted police, after seeing two men in the store handling the checkout counter's card reader. The two men now face charges of theft, mischief, attempting to defraud the public, possession of instruments used to forge credit cards, and conspiracy to commit fraud.
PIN Pad Swaps: Rare But Effective
The so-called "swap" attack is rare, Silva says, because it's risky for the criminal. "They have to walk in and manually swap out the device," he says. "This is something that a lower-level criminal would perpetrate. Big, organized crime groups are behind the social-engineering hacks that attack systems, place skimming devices on ATMs. This type of card skimming perpetrated by the card-reader swap is much more opportunistic."
But card-reader or PIN-pad swap fraud is effective. The same method of attack was used over a year ago against Hancock Fabrics, which led to card fraud that affected more than 140 Hancock customers in three states. In March 2010, Hancock confirmed that its POS PIN pad units had been compromised. In a statement issued after the attack, Hancock said: "PIN pad units at a limited number of Hancock Fabrics stores were stolen and replaced with visually identical, but fraudulent PIN pad units. This may have allowed criminals to capture - or skim - payment card data during transactions."
Brian Riley, a card-fraud analyst at TowerGroup, says PIN entry device security requirements set by the Payment Card Industry Security Standards Council require PIN pads to include technology that makes tampering evident. "But even that would not help under this current scheme," Riley says. "This amplifies the importance of behavioral controls, like neural networks, that react to uncharacteristic transaction activity, and, by far, offer a stronger shield against risk than EMV."
Riley says enhanced payment cards, which rely on emerging technology such as dynamic authentication, "provide a far better line of defense" than EMV.
But Silva says a little vigilance on the part of the merchant could curb swap attacks. "Put a pink dot on the device someplace or something that makes the device recognizable, and then merchants would know if the device has been swapped," Silva says. "Of course, unless you make this characteristic obvious enough, it becomes a challenge for the employees to know what to see and recognize."