Freezing the Puck… Skimmers are Leveling Up
Recently, I had the opportunity to audit a retailer that handles a high daily volume of Point-of-Interaction (POI) transactions using physical PIN pad devices. This client has been the target of consistent attacks because of its volume of business. But what kind of attacks?
If you have been working with these POI devices for any length of time, you will know that they are difficult to break into, and many of them run validated Point-to-Point Encryption (P2PE) solutions that most bad guys wouldn’t bother trying to figure out. However, whether it’s sports or war, every defense has its weakness, and POI devices are no different.
Skimmer History
Plenty has been written over the years about how POI “skimmers” work, and procuring them on the internet is a trivial effort if you know where to look. Even a quick internet search will land you lots of results on stories of how these hit the news. Krebs on Security had a fantastic article about the history of skimmers some years ago that is still relevant today. It’s no wonder, either. All you have to do is attach a skimmer to a payment terminal, route the data to yourself over the internet, Bluetooth, or some other means, and voila, let the credit card data roll in. You can see the appeal for bad guys.
If you are a business, what do you do? The PCI Council mandates, as part of its Data Security Standard (DSS), that all personnel who manage POI devices be trained to detect tampering with those devices (9.5.1.3) and that periodic inspections of devices be performed (9.5.1.2). As employees inspect devices and discover tampering, skimmers are found, and employees become aware of attacks. This hasn’t deterred attackers, not by a long shot. They simply find a more sophisticated way to make skimmers harder to detect.
Proper Defense
Bad actors see how easily a skimmer can be applied and how much volume flows through, and they can’t resist. The retailer I was working with has been very vigilant, and the bad actors have repeatedly failed to gather even small amounts of data. This has only emboldened them, and that brings us to the latest in skimming technology: the “puck” skimmer.
Look familiar? That’s because this is an almost perfect replica of a PIN pad that you can find on many terminals across the nation. Given that installation of this skimmer takes seconds, purchasing and deploying these could give bad actors access to thousands of card numbers in one day. Here’s another view:
It’s all but an exact match and, without proper training, it would be nearly impossible to tell in passing. So, how did my client spot it?
First, smart thinking. Second, faithful application. They also had a little help from a pretty cool 3-D printer. Puck skimmers attach right on top of the keypad and are almost unrecognizable at first glance. But regardless of how advanced card skimmers become, even a puck skimmer has to add a little height when placed on a standard POI device. My client created a 3-D printable widget that measures the gap and tells with certainty whether a puck skimmer has been placed on the POI device (see an example from another large retailer here). With that, it came down to multiple daily checks and faithful application. They have since thwarted multiple attempts to skim cardholder data. In addition, the client placed colored markings on both the PIN pad and the POI device itself so that anything added by a genuine employee could be identified quickly. This way, they could tell almost immediately whether a skimmer had been added.
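One way to turn those gauge readings and marking checks into a reviewable record is sketched below. This is an added example, not the client’s tooling; the gap tolerance, the eight-hour inspection interval, the field names and the sample readings are all assumed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed thresholds: an overlay adds measurable height, so any gauge reading
# more than this above the recorded baseline is treated as possible tampering.
GAP_TOLERANCE_MM = 0.5
# Assumed interval for "multiple daily checks" (PCI DSS 9.5.1.2).
MAX_INTERVAL = timedelta(hours=8)

@dataclass(frozen=True)
class Device:
    serial: str
    location: str
    baseline_gap_mm: float   # gauge reading taken when the device was installed

@dataclass(frozen=True)
class Inspection:
    serial: str
    when: datetime
    gap_mm: float            # reading from the 3-D printed gauge
    marking_intact: bool     # employee colour marking still visible and aligned

def evaluate(devices, inspections, now):
    """Return (serial, finding) pairs that need escalation, sorted by serial."""
    latest = {}
    for insp in inspections:   # keep only the most recent reading per serial
        if insp.serial not in latest or insp.when > latest[insp.serial].when:
            latest[insp.serial] = insp
    known = {d.serial: d for d in devices}
    findings = []
    # A serial in the log that is not in inventory may be a swapped terminal.
    for serial in latest.keys() - known.keys():
        findings.append((serial, "UNKNOWN_DEVICE"))
    for serial, dev in known.items():
        insp = latest.get(serial)
        if insp is None or now - insp.when > MAX_INTERVAL:
            findings.append((serial, "INSPECTION_OVERDUE"))
            continue
        if insp.gap_mm - dev.baseline_gap_mm > GAP_TOLERANCE_MM:
            findings.append((serial, "GAP_EXCEEDS_BASELINE"))
        if not insp.marking_intact:
            findings.append((serial, "MARKING_MISSING"))
    return sorted(findings)

# Constructed sample data: three lanes, one overdue, one carrying an overlay.
DEVICES = [Device("PP-1001", "Lane 1", 1.2), Device("PP-1002", "Lane 2", 1.1),
           Device("PP-1003", "Lane 3", 1.3)]
NOW = datetime(2024, 5, 1, 17, 0)
LOG = [
    Inspection("PP-1001", datetime(2024, 5, 1, 9, 0), 1.2, True),    # clean
    Inspection("PP-1001", datetime(2024, 5, 1, 14, 0), 1.3, True),   # clean, latest
    Inspection("PP-1002", datetime(2024, 5, 1, 15, 0), 2.4, False),  # overlay: gap up, marking hidden
    Inspection("PP-1003", datetime(2024, 4, 30, 17, 0), 1.3, True),  # 24 h old: overdue
    Inspection("PP-9999", datetime(2024, 5, 1, 16, 0), 1.2, True),   # serial not in inventory
]
```

Running `evaluate(DEVICES, LOG, NOW)` on the constructed log reports the overlay on lane 2, the overdue check on lane 3 and the unknown serial, while lane 1's small reading drift stays within tolerance.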
Your Takeaway
Proper defense starts with understanding your assets and risks, and with a deep dive into how you could be a target. Constant vigilance and a commitment to protecting your customer data will be key to responding to emerging threats against the industry. Just don’t be afraid to get a little creative.