Global Banking & Finance Review®

    Original content: Global Banking and Finance Review - https://www.globalbankingandfinance.com

    Security Should Be Physical as Well as Virtual for Card Payment Machines

    Published by Gbaf News

    Posted on March 27, 2014


    Last updated: January 22, 2026


    Tailwind Solutions explores why ensuring card readers are physically secure at Point of Sale will be a priority for retailers in 2014.

    The scandal at Target and Neiman Marcus stores over the 2013 Christmas period, in which up to 110,000,000 customers had personal and financial data stolen in Point of Sale skimming scams, has had long-ranging consequences for the US card payment industry. EMV (Chip & PIN) adoption is now being accelerated, and card issuers are changing the rules on how responsible a store is for data theft. From October 2015, instead of card issuers covering two thirds of any card-related fraud, merchants will be liable for the full amount where an EMV-compliant card has been used in a payment terminal which is not EMV-compliant. However, card issuers will cover all fraud that results from the use of any card in any EMV-compliant terminal. But will EMV be a catch-all solution for Point of Sale card payment fraud? And would EMV have prevented the Black Friday skimming at Target?

    Malware known as ‘Kaptoxa’, part of the BlackPOS malware family, is the culprit in the Target data theft. It scrapes data from the Windows-based payment system after the data has been decrypted to be checked in a process called ‘transaction verification’. BlackPOS malware first appeared in early 2013, but the most successful new variations appeared in November 2013. These were designed to hide their network traffic within the business day and to intercept credit card information, once it has been decrypted, by ‘scraping’ it from process memory. Both the Cyrillic character set and the signature ‘Kaptoxa’ suggest a Russian origin for the malware[i].

    According to McAfee, the malware must be deployed onto a system which carries out external payment verification. So although it is still not clear how the malware made it onto the EPOS systems of major retailers, it is likely to have been through phishing or hacking rather than via the POS terminals or card reading machines. Because the data was stolen from the payment system, EMV would not have prevented the fraud; only better IT security, preventing the original malware infection, could have achieved this.

    It’s therefore easy to conclude that if retailers plug the holes in their IT security, criminals will no longer be able to access customer card data and the problem will be solved. However, it is more likely that as IT security becomes tighter, criminals will turn their attention to the card payment machine itself, where there are multiple opportunities for data theft and where ‘real world’ security is often much more lax than in the cybersphere.

    The card reader itself is a hot target for criminals, who have a host of ways to steal customer data. These range from simply looking over the shoulder to see another shopper’s PIN (shoulder surfing), through adding a chip to the card machine or installing malware onto the payment machine, to stealing and substituting the card reader itself.

    At Black Hat 2012 two researchers, in a talk called PinPadPwn[ii], demonstrated how a malicious smart (Chip & PIN) card can be used to place malware onto a POS payment device and display fake messages to the retailer. The researchers also highlighted that hardware manipulation, where a chip is physically added to the terminal or where a payment machine is stolen and replaced with a machine which has been adapted by criminals, is a live issue for retailers around the world.

    So while IT network security is very important, protecting the hardware by ensuring no one can gain access to the back of the card payment machine or steal it should be just as high on a retailer’s priority list.

    Ideally, a card payment machine should be secured in place with a mount which prevents criminals from gaining access to the rear of the machine when in situ and from stealing and replacing the machine. A lockable mounting device, from which the card machine can only be removed with considerable mechanical force, lowers risk. When it is combined with network management tools which allow the devices on the network to be monitored and each machine recognised, the risk of physical interference is minimised as far as possible.

    Determined criminals have been known to try colluding with store staff to get around these types of security measures. Merchants can prevent this by installing lockable bases for the card machines and limiting the number of staff who hold keys. Regular checks can help ensure that the correct number of machines are all present on the network and RFI technology can ensure they are the right machines. A hologrammed security sticker which shows clearly if the seal is intact can be useful to indicate the machine has not been tampered with and is still secure. Spare machines in storage should be securely locked away and accounted for, with care taken to ensure they are not accessible to casual staff or to the general public.
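
The regular check described above (are all the machines present on the network, and are they the right machines) can be sketched as a reconciliation of an approved register against what a monitoring tool reports. This is an added example, not code from the article or from Tailwind Solutions; the `Terminal` fields, the finding names and the sample data are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Terminal:
    serial: str   # manufacturer serial number reported by the device
    mac: str      # network address seen by the monitoring tool
    lane: str     # where the unit is registered / was observed

# Constructed sample data: the approved register and one network scan.
REGISTER = [
    Terminal("SN-1001", "02:00:00:00:00:01", "lane-1"),
    Terminal("SN-1002", "02:00:00:00:00:02", "lane-2"),
    Terminal("SN-1003", "02:00:00:00:00:03", "lane-3"),
    Terminal("SN-1004", "02:00:00:00:00:04", "storeroom"),
]
OBSERVED = [
    Terminal("SN-1001", "02:00:00:00:00:01", "lane-1"),  # as registered
    Terminal("SN-9999", "02:00:00:00:00:02", "lane-2"),  # known MAC, unregistered serial
    Terminal("SN-1004", "02:00:00:00:00:04", "lane-4"),  # spare unit out of storage
    Terminal("SN-7777", "02:00:00:00:00:09", "lane-5"),  # not in the register at all
]  # SN-1003 never answered the scan

def reconcile(register, observed):
    """Return (finding, serial, lane) tuples for every discrepancy."""
    by_serial = {t.serial: t for t in register}
    known_macs = {t.mac.lower() for t in register}
    findings, seen = [], set()
    for dev in observed:
        reg = by_serial.get(dev.serial)
        if reg is None:
            # Unregistered serial: a registered MAC suggests a substituted unit.
            kind = "serial_mismatch" if dev.mac.lower() in known_macs else "unknown_device"
            findings.append((kind, dev.serial, dev.lane))
            continue
        if dev.serial in seen:
            findings.append(("duplicate_serial", dev.serial, dev.lane))
        seen.add(dev.serial)
        if dev.mac.lower() != reg.mac.lower():
            findings.append(("mac_mismatch", dev.serial, dev.lane))
        if dev.lane != reg.lane:
            findings.append(("moved", dev.serial, dev.lane))
    # Registered units that never appeared, including the original of any swap.
    findings += [("missing", t.serial, t.lane) for t in register if t.serial not in seen]
    return findings

if __name__ == "__main__":
    for finding in reconcile(REGISTER, OBSERVED):
        print(*finding)
```

A substituted machine shows up twice in the output: once as the unregistered serial on the known address, and once as the registered unit that is now missing.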

    Fraud protection is not the only benefit of mounting a card payment device. Card machine manufacturers use sensitive security systems which shut the machine down and wipe data if they detect activity that could indicate a ‘tamper’. This is a valuable way to protect customer information from genuine attacks, but a false tamper can be costly to the retailer, as the machine generally needs to be replaced. Mounting the machine reduces handling by customers and checkout staff, and with it the incidence of false tampers. Mounting also reduces the wear and tear on the machine and its cable as it’s passed backwards and forwards to the customer, and so extends the life of the machines.

    So, although criminals will always find new ways to target payments at POS, taking care with the physical security of your card payment technology by mounting your card reader as securely as possible can be just as important to protecting your customers’ payment data as ensuring your IT network is secure. And the peace of mind you gain knowing you’re protecting your customers is just as important as the financial benefits gained from extending the lifespan of your payment technology.

    The writer, Ailsa Bates, is Marketing Director at Tailwind Solutions, which supplies secure and lockable mounting solutions for all kinds of card reader equipment. For more information visit: www.tailwind-solutions.co.uk,

    Follow Tailwind on LinkedIn: http://www.linkedin.com/company/tailwind-solutions-ltd?trk=top_nav_home or

    Follow on Twitter: https://twitter.com/TailwindSolns

    [i] See McAfee’s Threat Advisory for more information: https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/24000/PD24927/en_US/McAfee_Labs_Threat_Advisory_EPOS_Data_Theft.pdf

    [ii] For more information see:

    http://www.securitytube.net/video/8833?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SecurityTube+%28SecurityTube.Net%29
