
Forget Fancy Hacking, Card-Data Theft Is Now All About PIN Pads

Written by Frank Hayes
November 15th, 2012

A ring of Canadian thieves who were caught with 30,700 stolen payment-card numbers is providing a view inside the process of tampering with PIN pads—and it’s not pretty. On November 9, Toronto police said a five-man gang arrested in September had tens of thousands of stolen card numbers on PCs and USB thumb-drives, along with at least a dozen stolen POS devices.

It’s the PIN pads that are disturbing. They make it clear this gang was regularly swapping compromised PIN pads for the legitimate versions on retailers’ counters. Even more disturbing: It wasn’t the PIN pads that got these thieves caught.

The gang members were arrested after a months-long investigation into a sudden rise in the use of fraudulent payment cards to buy transit passes at Toronto Metro kiosks. Once the spike in fake cards appeared, the transit agency worked with its card processor to match time stamps on fraudulent purchases with surveillance camera images. That made it possible to pick up the five members of the gang, headed by Umasangar Ramasamy, on September 27 after they had just bought 29 more monthly transit passes.

A search of Ramasamy’s condo the next day turned up more than 250 counterfeit debit cards, four computers, credit-card readers and writers, and at least a dozen PIN pads of several different models.

“Most of them have been ripped apart,” Toronto Police Detective Ian Nichol told a press conference a few days later. “They’re essentially used as a parts Christmas tree to build point-of-sale terminals, altered ones that are capable of capturing credit-card data and personal identification numbers.”

In other words, this gang was allegedly modifying several different models of PIN pads, then swapping them for legitimate PIN pads on retailers’ counters. That means they were doing it at multiple retailers, and doing it easily enough that they believed an assembly-line approach made sense.

Based on the volume of card numbers involved, police said they believe the operation wasn’t confined to Toronto. As of last week, the gang’s alleged fraudulent transactions identified so far totaled $350,000.

Police also didn’t identify any of the retailers, so it’s possible that the thieves collected 30,000 card numbers from PIN pads in mom-and-pop stores. Raise your hand if you think that’s likely.

Understand, there’s no reason to believe this gang was operating on the scale of those targeting U.S. chains in recent years—most recently Barnes & Noble, where 63 stores in several states across the country had compromised PIN pads. Or at least there’s no way of knowing right now. A similar group of U.S. thieves actually farmed out the work of getting cash from stolen card numbers to street-gang members. This Canadian gang seems to have done it all themselves.

It seems they didn’t need a sophisticated organization or highly sophisticated tools or skills. The retailers made it easy for them. The thieves just had to know how to tamper with a PIN pad and then deftly swap it in on the counter.

That wouldn’t have been possible if the merchants (or their processors) checked electronic serial numbers on the PIN pads with each transaction, or closely monitored network logs to make sure the connection to the PIN pad was never broken.

But never mind the complicated security techniques: It wouldn’t have been possible if the merchants hadn’t used free-standing PIN pads that anyone walking in off the street could disconnect and replace in seconds.

A few years ago, thieves like uber-hacker Alberto Gonzalez had to know how to tap a wireless connection, break into a network, plant a virus or hack into a database. Now, it’s typical for thieves not to bother with the network or the database at all. They just skim cards using compromised POS devices swapped in for PIN pads that the merchant didn’t bother to screw down.

That type of crime doesn’t take a lot of technical brilliance. But neither does defending against it. And all the expensive—and very useful—network encryption and database security that chains implement to satisfy PCI requirements doesn’t do much good when crooks can grab card numbers before they ever get that far.

Welcome to the state of the art in breaches: Five guys with quick fingers and a soldering iron.



5 Comments

  1. Walt Conway Says:

    Frank,

    Thanks for the very interesting column and for raising a very important question about payment card skimming: Does PCI DSS care about skimming at the POS? This is a topic we both think is pretty important (see here: http://storefrontbacktalk.com/securityfraud/is-pci-skimping-on-skimming/).

    While PCI DSS itself does not have much to say about skimming at present, that situation may be changing. The PCI Security Standards Council has an information supplement for retailers in its documents library (https://www.pcisecuritystandards.org/security_standards/documents.php). As your story points out, I wish more retailers would read it.

    Another hopeful piece of evidence is the extensive merchant requirements — including checking the POS devices, maintaining an inventory, etc — in the P2PE Program Guide (http://storefrontbacktalk.com/securityfraud/p2pe-no-cakewalk-for-merchants-but-there-may-be-no-alternative-for-reducing-scope/).

    I’m hoping that with PCI DSS v3 coming in 2013, we’ll see changes to the standard and the SAQs to have retailers inspect their POS devices regularly just like they conduct regular vulnerability scans now.

  2. ed Says:

    Thanks to outsourcing, most of the latest model card processing and PIN pad devices are sold white label through sites like Alibaba and can be bought in markets around Guangzhou, China. It is my understanding that in Europe, they had organized crime rings operating this same card theft using white label POS devices for years. Obviously, there needs to be a way to detect a counterfeit card processing machine and I don’t know if that conversation has happened yet.

  3. John Pruban Says:

    Thieves today are getting more brazen in their tactics. Because of this, it’s important that retailers remain vigilant in their efforts to keep their PIN pads secure. PIN pads should be locked down at all times. (Amazingly enough, there are still some retailers that choose not to spend the extra money on locking stands, but it’s really a small price to pay for peace of mind, in my opinion.) Make sure you know exactly who will be servicing the devices, if necessary. Did the field technician properly identify himself/herself? Did he/she have an appointment? Did he/she sign in or check in with the proper person? Online monitoring is another valuable tool for round-the-clock network security. Not only can retailers be alerted if a device comes off the network, but they can take immediate action to prevent the crime from progressing.

  4. ed Says:

    One way to avoid POS tampering is to use inventory barcode or security RFID stickers on the POS devices and scan them at a regular interval. If they are using the security RFID sticker, then the security gate should sound an alarm.

  5. Mark A Says:

    Not sure how other retailers do it, but we (Debenhams) have a whitelisting app that knows what PEDs are in any given store and only allows those PEDs to be attached to tills in that store, so stores can’t move them between stores and no PED that hasn’t been previously authorised would work.
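The two checks the column says would have caught the swap (matching each transaction to a known PIN-pad serial number, and watching the network log for a PIN pad that goes quiet) together with the per-store whitelist Mark A describes, as an added Python example that is not from the article or from any retailer's system. The log format, store, lane and serial values are constructed; the 10-minute heartbeat gap is an assumed threshold.

```python
import re
from collections import namedtuple
from datetime import datetime, timedelta

# Constructed inventory: the PEDs (PIN pads) authorised for each store, by electronic serial number.
AUTHORISED_PEDS = {"store-0042": {"ESN-A1B2C3", "ESN-D4E5F6"}}

# Constructed log lines in a hypothetical gateway format:
# <ISO timestamp> <store> <lane> <serial> <HEARTBEAT|TXN> [details]
# Lane 1 goes silent for 25 minutes, then reappears with a serial that is not in the inventory.
SAMPLE_LOG = """\
2012-11-09T09:00:00 store-0042 lane-1 ESN-A1B2C3 HEARTBEAT
2012-11-09T09:05:00 store-0042 lane-1 ESN-A1B2C3 TXN amount=24.99
2012-11-09T09:06:00 store-0042 lane-1 ESN-A1B2C3 HEARTBEAT
2012-11-09T09:31:00 store-0042 lane-1 ESN-ZZZ999 HEARTBEAT
2012-11-09T09:32:00 store-0042 lane-1 ESN-ZZZ999 TXN amount=9.50
2012-11-09T09:33:00 store-0042 lane-2 ESN-D4E5F6 HEARTBEAT
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (HEARTBEAT|TXN)(?: (.*))?$")
Alert = namedtuple("Alert", "kind store lane serial when detail")

def parse_log(log):
    """Yield (timestamp, store, lane, serial, event) for each well-formed line; skip the rest."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield (datetime.fromisoformat(m.group(1)),) + m.group(2, 3, 4, 5)

def audit_peds(log, authorised, max_gap=timedelta(minutes=10)):
    """Flag events from serials not in the store's inventory, lanes whose PED was
    silent longer than max_gap (a possible unplug/swap window), and lanes whose
    serial changed between consecutive events."""
    alerts, last_seen = [], {}          # last_seen: (store, lane) -> (timestamp, serial)
    for when, store, lane, serial, event in parse_log(log):
        if serial not in authorised.get(store, set()):
            alerts.append(Alert("UNKNOWN_SERIAL", store, lane, serial, when, event))
        prev = last_seen.get((store, lane))
        if prev is not None:
            prev_when, prev_serial = prev
            if when - prev_when > max_gap:
                alerts.append(Alert("CONNECTION_GAP", store, lane, serial, when, str(when - prev_when)))
            if serial != prev_serial:
                alerts.append(Alert("SERIAL_CHANGED", store, lane, serial, when, f"was {prev_serial}"))
        last_seen[(store, lane)] = (when, serial)
    return alerts

if __name__ == "__main__":
    for alert in audit_peds(SAMPLE_LOG, AUTHORISED_PEDS):
        print(alert)
```

In a real deployment the heartbeat and transaction records would come from the processor or POS gateway, and the inventory from the device register the PCI P2PE merchant requirements already ask retailers to keep.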
