Forget Fancy Hacking, Card-Data Theft Is Now All About PIN Pads
Written by Frank Hayes

A ring of Canadian thieves who were caught with 30,700 stolen payment-card numbers is providing a view inside the process of tampering with PIN pads—and it’s not pretty. On November 9, Toronto police said a five-man gang arrested in September had tens of thousands of stolen card numbers on PCs and USB thumb-drives, along with at least a dozen stolen POS devices.
It’s the PIN pads that are disturbing. They make it clear this gang was regularly swapping compromised PIN pads for the legitimate versions on retailers’ counters. Even more disturbing: It wasn’t the PIN pads that got these thieves caught.
The gang members were arrested after a months-long investigation into a sudden rise in the use of fraudulent payment cards to buy transit passes at Toronto Metro kiosks. Once the spike in fake cards appeared, the transit agency worked with its card processor to match time stamps on fraudulent purchases with surveillance camera images. That made it possible to pick up the five members of the gang, headed by Umasangar Ramasamy, on September 27 after they had just bought 29 more monthly transit passes.
A search of Ramasamy’s condo the next day turned up more than 250 counterfeit debit cards, four computers, credit-card readers and writers, and at least a dozen PIN pads of several different models.
“Most of them have been ripped apart,” Toronto Police Detective Ian Nichol told a press conference a few days later. “They’re essentially used as a parts Christmas tree to build point-of-sale terminals, altered ones that are capable of capturing credit-card data and personal identification numbers.”
In other words, this gang was allegedly modifying several different models of PIN pads, then swapping them for legitimate PIN pads on retailers’ counters. That means they were doing it at multiple retailers, and doing it easily enough that they believed an assembly-line approach made sense.
Based on the volume of card numbers involved, police said they believe the operation wasn’t confined to Toronto. As of last week, the gang’s alleged fraudulent transactions identified so far totaled $350,000.
Police also didn’t identify any of the retailers, so it’s possible that the thieves collected 30,000 card numbers from PIN pads in mom-and-pop stores. Raise your hand if you think that’s likely.
Understand, there’s no reason to believe this gang was operating on the scale of those targeting U.S. chains in recent years—most recently Barnes & Noble, where 63 stores in several states across the country had compromised PIN pads. Or at least there’s no way of knowing right now. A similar group of U.S. thieves actually farmed out the work of getting cash from stolen card numbers to street-gang members. This Canadian gang seems to have done it all themselves.
It seems they didn’t need a sophisticated organization or highly sophisticated tools or skills. The retailers made it easy for them. The thieves just had to know how to tamper with a PIN pad and then deftly swap it in on the counter.
That wouldn’t have been possible if the merchants (or their processors) checked electronic serial numbers on the PIN pads with each transaction, or closely monitored network logs to make sure the connection to the PIN pad was never broken.
But never mind the complicated security techniques: It wouldn’t have been possible if the merchants hadn’t used free-standing PIN pads that anyone walking in off the street could disconnect and replace in seconds.
A few years ago, thieves like uber-hacker Albert Gonzalez had to know how to tap a wireless connection, break into a network, plant a virus or hack into a database. Now, it’s typical for thieves not to bother with the network or the database at all. They just skim cards using compromised POS devices swapped in for PIN pads that the merchant didn’t bother to screw down.
That type of crime doesn’t take a lot of technical brilliance. But neither does defending against it. And all the expensive—and very useful—network encryption and database security that chains implement to satisfy PCI requirements doesn’t do much good when crooks can grab card numbers before they ever get that far.
Welcome to the state of the art in breaches: Five guys with quick fingers and a soldering iron.
November 15th, 2012 at 9:53 am
Frank,
Thanks for the very interesting column and for raising a very important question about payment card skimming: Does PCI DSS care about skimming at the POS? This is a topic we both think is pretty important (see here: http://storefrontbacktalk.com/securityfraud/is-pci-skimping-on-skimming/).
While PCI DSS itself does not have much to say about skimming at present, that situation may be changing. The PCI Security Standards Council has an information supplement for retailers in its documents library (https://www.pcisecuritystandards.org/security_standards/documents.php). As your story points out, I wish more retailers would read it.
Another hopeful piece of evidence is the extensive merchant requirements — including checking the POS devices, maintaining an inventory, etc — in the P2PE Program Guide (http://storefrontbacktalk.com/securityfraud/p2pe-no-cakewalk-for-merchants-but-there-may-be-no-alternative-for-reducing-scope/).
I’m hoping that with PCI DSS v3 coming in 2013, we’ll see changes to the standard and the SAQs to have retailers inspect their POS devices regularly just like they conduct regular vulnerability scans now.
November 16th, 2012 at 10:25 am
Thanks to outsourcing, most of the latest model card processing and PIN pad devices are sold white label through sites like Alibaba and can be bought in markets around Guangzhou, China. It is my understanding that in Europe, they had organized crime rings operating this same card theft using white label POS devices for years. Obviously, there needs to be a way to detect a counterfeit card processing machine and I don’t know if that conversation has happened yet.
November 19th, 2012 at 1:06 pm
Thieves today are getting more brazen in their tactics. Because of this, it’s important that retailers remain vigilant in their efforts to keep their PIN pads secure. PIN pads should be locked down at all times. (Amazingly enough, there are still some retailers that choose not to spend the extra money on locking stands, but it’s really a small price to pay for peace of mind, in my opinion.) Make sure you know exactly who will be servicing the devices, if necessary. Did the field technician properly identify himself/herself? Did he/she have an appointment? Did he/she sign in or check in with the proper person? Online monitoring is another valuable tool for round-the-clock network security. Not only can retailers be alerted if a device comes off the network, but they can also take immediate action to prevent the crime from progressing.
November 19th, 2012 at 4:36 pm
One way to avoid POS tampering is to use inventory barcode or security RFID stickers on the POS devices and scan them at a regular interval. If they are using the security RFID sticker, then the security gate should sound an alarm.
December 11th, 2012 at 7:23 am
Not sure how other retailers do it but we (Debenhams) have a whitelisting app that knows what PEDs are in any given store and only allows those PEDs to be attached to tills in that store, so stores can’t move them between stores and no PED that hadn’t been previously authorised would work.
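As an added illustration of the two checks the column names (verifying each PIN pad’s serial number per transaction and watching for the device dropping off the network) and of the per-store whitelist the Debenhams comment describes, here is a small Python audit written for this page; it is not code from the column, the commenters or any vendor, and the inventory, serial numbers and log lines are constructed placeholders.

```python
import re
from datetime import datetime

# Constructed per-store whitelist: store -> lane -> the one serial authorised for that lane.
INVENTORY = {
    "0412": {"1": "PED-A1B2C3", "2": "PED-D4E5F6"},
}

# Constructed processor/network log: "<ISO time> <event> store=<id> lane=<n> serial=<sn>".
# Lane 1 goes silent for 12 minutes, then comes back reporting a serial nobody authorised.
SAMPLE_LOG = """\
2012-11-09T09:00:00 heartbeat store=0412 lane=1 serial=PED-A1B2C3
2012-11-09T09:00:00 heartbeat store=0412 lane=2 serial=PED-D4E5F6
2012-11-09T09:05:00 heartbeat store=0412 lane=1 serial=PED-A1B2C3
2012-11-09T09:05:00 heartbeat store=0412 lane=2 serial=PED-D4E5F6
2012-11-09T09:10:00 heartbeat store=0412 lane=2 serial=PED-D4E5F6
2012-11-09T09:15:00 heartbeat store=0412 lane=2 serial=PED-D4E5F6
2012-11-09T09:17:00 txn store=0412 lane=1 serial=PED-ZZZ999
2012-11-09T09:20:00 heartbeat store=0412 lane=1 serial=PED-ZZZ999
"""

LINE_RE = re.compile(r"^(\S+) (\w+) store=(\w+) lane=(\w+) serial=(\S+)$")


def audit(log_text, inventory, max_silence_seconds=600):
    """Return a list of ((store, lane), reason) alerts.

    Flags every message (transaction or heartbeat) whose serial is not the one the
    whitelist assigns to that store/lane, and every lane that stayed silent longer
    than max_silence_seconds, which is what a swap-on-the-counter looks like on the wire.
    """
    alerts = []
    last_seen = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that are not device events
        ts, event, store, lane, serial = m.groups()
        t = datetime.fromisoformat(ts)
        key = (store, lane)
        expected = inventory.get(store, {}).get(lane)  # None for unknown store/lane
        if serial != expected:
            alerts.append((key, f"{event}: serial {serial} not authorised for this lane (expected {expected})"))
        prev = last_seen.get(key)
        if prev is not None and (t - prev).total_seconds() > max_silence_seconds:
            alerts.append((key, f"lane silent for {int((t - prev).total_seconds())}s before {ts}"))
        last_seen[key] = t
    return alerts


if __name__ == "__main__":
    for key, reason in audit(SAMPLE_LOG, INVENTORY):
        print(key, reason)
```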