From The Editor | October 15, 2013

Stifling A Skimming Scam: Four Steps To Success


By Matt Pillar, chief editor

If you’re a criminal going to the trouble of stealing credit card data from retail, you might as well set your sights on cards with high spending limits. That was the intent of a group of fraudsters earlier this month when they invaded a Florida Nordstrom store and attempted a card skimming attack. Last weekend, Nordstrom revealed that it recovered six tiny skimming devices from POS registers at the store. Fortunately, proactive review of video surveillance footage helped the store and its local Aventura Police Department piece the case together in short order.

It was a simple scheme. Three men entered the store. Two of them distracted associates while the third conducted some covert reconnaissance, removing the back panel of a register and snapping a few photos. A few hours later, the fraudsters’ tech team moved in. Three different men entered the store. Two pulled the distraction routine while the third removed the back panels of six POS registers and installed devices that look like these, pictures courtesy of www.krebsonsecurity.com:

[Image: skimming devices from POS registers]

Given the opportunity, the would-be data thieves planned to return to the store at a later date to collect the devices and the data they stored, with the intention to either sell cardholder data or create fraudulent credit cards themselves.

In his blog post on the story, noted security analyst Brian Krebs says these cheap, low-tech devices can be configured with wireless transmitters that make it even easier for criminals to gather stolen card data without having to return to the store.

In either case, this isn’t your father’s invasive, mag-stripe card skimming device. A color-matched PS/2 connector looks like any other piece of network infrastructure connected to the POS. It looks like it belongs. But, while the size and physical attributes of these skimming devices make it hard to recognize them as out-of-place to the naked or untrained eye, there are steps retailers can take to detect them.

  • Physical POS Assessments. A POS associate is unlikely to notice a color-matched PS/2 connector sticking out of the back of a POS terminal. If it’s plugged in behind a panel, as was the case at Nordstrom, there’s no way the skimming device would be apparent to a daily user. But if you’re proactive about IT maintenance—if you’re really paying attention to your hardware investment through routine physical assessment at the device level by a qualified technician—tampering should be fairly obvious. We tend to take the POS terminal for granted. Like a pack mule, it works day-in and day-out with a little care and feeding. We don’t tend to pull panels and inspect ports until something breaks. Proactive, routine (weekly, monthly) inspection of every device not only mitigates the downtime associated with some of those breaks—it uncovers parasitic, brand-crippling devices like these.
  • Wireless Network Monitoring. While the perps in the recent Nordstrom case would have had to return to the store to collect their pirated treasure, Krebs says he found examples of similar devices that feature built-in wireless support. With the aid of a local wireless network, fraudsters can simply have their booty e-mailed to them on demand. That’s why it’s imperative that retailers monitor their networks using intrusion detection systems, which collect and analyze information about network activity. In theory, the unauthorized wireless transmission of a large volume of credit card data should reveal itself as an anomaly, and it’s large volumes that most of these criminals are after. It takes a lot of patience and luck for data thieves to compile a valuable volume of credit card data on trickle feed.
  • Video Surveillance. Nordstrom caught the illicit behavior on camera. There are a host of shrink prevention and operational benefits associated with training cameras on all of your POS terminals. With modern video analytics, it’s not difficult to establish a “red zone” behind the POS terminal. If we can send real-time alerts to store managers when a customer dwells at a high-dollar end cap display, we can certainly alert LP when someone is detected squatting behind a register long enough to remove its back panel, take pictures, or plug in a skimming device. At the very least, video evidence helps catch the bad guys—even if it’s done reactively.
  • Encryption of credit card data. EMV is on its way, and if the skim-stopping success of the technology in other countries is any indication, the chip and PIN card will frustrate fraudsters. In Canada, where EMV is in place, skimming fraud was estimated at $38.5 million last year, down from a pre-EMV figure of $142 million in 2009. But even before EMV is widely adopted here in the U.S., P2PE (point-to-point encryption) of credit card data would render the PS/2 devices used in the Nordstrom attack useless. When card data is encrypted at the point of interaction (swipe or PIN entry), the retailer is no longer storing, transmitting, or receiving via authorization credit card numbers that are of value to criminals.
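
The anomaly described under Wireless Network Monitoring can be checked for directly. The sketch below is an added example, not part of the original article: it scans captured traffic payloads for cleartext Track 2 card data and flags the sending device when it is missing from the store's hardware inventory or sends card numbers in bulk. The MAC addresses, frames, and threshold are constructed assumptions, and the card numbers are published test values; with P2PE in place the same scan has nothing to find.

```python
import re
from collections import Counter

# Track 2 layout: ';' PAN (13-19 digits) '=' YYMM expiry, more digits, '?'
TRACK2 = re.compile(rb";(\d{13,19})=(\d{4})\d*\?")

def luhn_ok(pan: bytes) -> bool:
    """Luhn checksum: filters out digit runs that only look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = ch - 48  # ASCII digit to int
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def count_pans(payload: bytes) -> int:
    """Number of distinct Luhn-valid PANs in Track 2 form inside one payload."""
    return len({m.group(1) for m in TRACK2.finditer(payload) if luhn_ok(m.group(1))})

def flag_sources(frames, inventory, bulk_threshold=3):
    """Return {mac: reason} for every source that sent cleartext card data."""
    per_mac = Counter()
    for mac, payload in frames:
        per_mac[mac] += count_pans(payload)
    alerts = {}
    for mac, n in per_mac.items():
        if n == 0:
            continue
        if mac not in inventory:
            alerts[mac] = f"unknown device sent {n} cleartext PANs"
        elif n >= bulk_threshold:
            alerts[mac] = f"inventoried device sent {n} cleartext PANs in bulk"
    return alerts

# Constructed sample data: published test card numbers, made-up MAC addresses.
INVENTORY = {"00:11:22:33:44:01", "00:11:22:33:44:02"}
FRAMES = [
    ("00:11:22:33:44:01", b"GET /inventory?sku=4111111111111112 HTTP/1.1"),
    ("00:11:22:33:44:02", b"\x17\x03\x03\x00\x20\x9f\x3a\x7c\x01"),  # encrypted
    ("de:ad:be:ef:00:99", b"log\n;4111111111111111=15125010000000000?\n"
                          b";5555555555554444=14075010000000000?\n"),
    ("de:ad:be:ef:00:99", b";378282246310005=1603101000000000?\n"),
]

if __name__ == "__main__":
    for mac, reason in flag_sources(FRAMES, INVENTORY).items():
        print(mac, "->", reason)
```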

Still, regardless of how encrypted and secure your terminals and network infrastructure are, it’s disconcerting to find that your POS devices have been tampered with. The Nordstrom story illustrates that technology helps, but old-fashioned vigilance in the protection of people, infrastructure, and assets is irreplaceable.