Are Physical Attacks On POS PIN Pads On The Rise? Using Distance As A Defense

Written by Evan Schuman
April 21st, 2010

One of the oldest tenets in security is that professional thieves will always attack the perceived weak point of security. A burglar will hit the back door until it’s reinforced with multiple deadbolts and then he’ll turn to the window. If that’s replaced with bullet-proof glass with bars in front, he’ll ring the doorbell. If every door and window is perfectly protected, he’ll sledgehammer through the wall.

This reality is why we’re seeing a sharp increase in reported thefts of PIN pad units. Substantial efforts in recent years to protect the data within a split second of a card being swiped have done little beyond making PIN pads the victim of physical attacks. Units are replaced either with a skimmer attached or by a clone of the full device.

The attacks require more courage and brawn than a typical cyberthief displays. (Although with cyberthief extraordinaire Albert Gonzalez’s claims that he regularly performed 5,000 sit-ups per session, maybe he’d have been an exception.)

As BankInfoSecurity reported on Monday (April 19), an attack on Hancock Fabrics is an ideal example of this PIN pad trend. The chain confirmed that, last summer, “PIN pad units at a limited number of Hancock Fabrics stores were stolen and replaced with visually identical, but fraudulent, PIN pad units.”

The problem with Hancock’s statement is the four steps CEO Jane Aggers said the chain is taking to correct the issue. First, “upgrading the PIN pad units at the point of sale in all of our stores with new PIN pad units that were designed to meet the toughest security requirements.” Second, “working with forensic investigators to analyze the extent of any unauthorized access to customer information and to identify and address any issues that have been identified.” Third, “installing automated systems to monitor each of the PIN pad units daily to look for suspicious activity.” And fourth, “implementing new store-wide policies with respect to daily inspection of the PIN pad units.”

Upgrading the PIN pad units is a fine way to go. But anything short of soldering them to the wall and encasing the units with bullet-proof glass won’t address physical attacks. Although working with forensic investigators is a great thing, it won’t prevent similar attacks from happening again.

The “automated systems” that will “look for suspicious activity” sound an awful lot like video cameras, which are fine but also easily disabled. “Daily inspection” points sound like a good idea, but it’s something that will likely be relaxed within two weeks of being launched.

How about automating some of these tasks?

Or what about discreetly placing RFID tags in multiple locations around the POS area. They would constantly ping each other and loudly alert the store whenever the distance between any two tagged devices changes. The new lookalike devices would be easily detected, unless the thieves are able to remove the RFID tag and place it in the same place on the new unit.

That’s very difficult to do in a quick swap. Also, that tag can be affixed in such a way as to break the main device if it’s forcibly removed. If the units are working properly, a change in location would be detected the instant any tampering begins.

As for a skimmer being attached, perhaps a very sensitive weight verification mechanism could flag any devices that seem to gain a little mass overnight. (Good idea for PIN pads. Bad idea for columnists.)


Comments are closed.


StorefrontBacktalk delivers the latest retail technology news & analysis. Join more than 60,000 retail IT leaders who subscribe to our free weekly email. Sign up today!

Most Recent Comments

Why Did Gonzales Hackers Like European Cards So Much Better?

I am still unclear about the core point here-- why higher value of European cards. Supply and demand, yes, makes sense. But the fact that the cards were chip and pin (EMV) should make them less valuable because that demonstrably reduces the ability to use them fraudulently. Did the author mean that the chip and pin cards could be used in a country where EMV is not implemented--the US--and this mis-match make it easier to us them since the issuing banks may not have as robust anti-fraud controls as non-EMV banks because they assumed EMV would do the fraud prevention for them Read more...
Two possible reasons that I can think of and have seen in the past - 1) Cards issued by European banks when used online cross border don't usually support AVS checks. So, when a European card is used with a billing address that's in the US, an ecom merchant wouldn't necessarily know that the shipping zip code doesn't match the billing code. 2) Also, in offline chip countries the card determines whether or not a transaction is approved, not the issuer. In my experience, European issuers haven't developed the same checks on authorization requests as US issuers. So, these cards might be more valuable because they are more likely to get approved. Read more...
A smart card slot in terminals doesn't mean there is a reader or that the reader is activated. Then, activated reader or not, the U.S. processors don't have apps certified or ready to load into those terminals to accept and process smart card transactions just yet. Don't get your card(t) before the terminal (horse). Read more...
The marketplace does speak. More fraud capacity translates to higher value for the stolen data. Because nearly 100% of all US transactions are authorized online in real time, we have less fraud regardless of whether the card is Magstripe only or chip and PIn. Hence, $10 prices for US cards vs $25 for the European counterparts. Read more...
@David True. The European cards have both an EMV chip AND a mag stripe. Europeans may generally use the chip for their transactions, but the insecure stripe remains vulnerable to skimming, whether it be from a false front on an ATM or a dishonest waiter with a handheld skimmer. If their stripe is skimmed, the track data can still be cloned and used fraudulently in the United States. If European banks only detect fraud from 9-5 GMT, that might explain why American criminals prefer them over American bank issued cards, who have fraud detection in place 24x7. Read more...

Our apologies. Due to legal and security copyright issues, we can't facilitate the printing of Premium Content. If you absolutely need a hard copy, please contact customer service.