Visa’s PIN-Entry Bulletin Asks For Bluetooth Signal/Pairing Scans
Written by Evan SchumanWhen Visa issued new security guidelines this month to deal with compromised PIN-entry devices, it asked that retailers “periodically scan for any unidentified Bluetooth signals and pairings at store locations,” a move that goes beyond current PCI requirements. Hints of a possible PCI 2.1 rule?
The September 1 Visa Bulletin was primarily to tell merchants that five VeriFone units (Everest Plus units P003-400-01, P003-400-02, P003-400-03, P003-400-12 and P003-400-013) have been ruled “susceptible to compromise” and were indeed “used in tampering and skimming attacks” in the U.S. The list had already included other VeriFone units plus one from Ingenico (the eN-Crypt 2400, also known as the C2000 Protégé) and two from Hypercom (S7S and S8).
“Visa has also received new reports regarding POS PED thefts from merchant locations. This type of fraud typically occurs in merchant locations operating after hours with minimal customer traffic or employee supervision over cash registers; however, any store may be affected by this scheme,” the bulletin said. “Recent evidence indicates that these devices were physically removed during business hours and replaced with modified devices designed to skim account and PIN data, which was then transmitted wirelessly to the fraudsters via Bluetooth. In most cases, surveillance footage showed that the suspects were able to remove and install a modified POS PED in seconds.”
Walter Conway, StorefrontBacktalk‘s PCI columnist and a QSA for 403Labs, said the Visa Bulletin is a good one, but he thought it was interesting because of what it did not say. “The bulletin points out what the merchant learned from the video. What they don’t say is how long it took someone to watch/monitor the video and find out what happened.”
Conway added that the Bluetooth scanning suggestion was wise. “I liked the part about scanning for rogue Bluetooth networks. PCI already requires similar scanning (Req 11) for Wi-Fi,” he said. “How long does it take a manager to walk around their POS looking for Bluetooth networks you don’t expect? How about using your smartphone? It’s not required by PCI, but who said PCI was your entire security policy?”
Mostly, though, the bulletin stated obvious security methods. And yet, the measures—which included weighing the equipment, checking for missing screws, altered seals or extraneous wiring, in addition to verifying the identities of any repair technicians—are worth a reminder or two.
“The onus remains on the merchant to be vigilant. You can’t outsource security in your store any more than you can outsource it at home. It’s part of your job,” Conway said. “POS staff—assuming they are not part of the bad guys’ plan—should be trained to observe and report when the POS looks ‘different.’ Automated systems should detect immediately when a device is removed or an unapproved one attached. It would be good if the system generated an alert, cut off the device and maybe even had somebody respond to/acknowledge the alert.”
-Marc
September 8th, 2011 at 2:10 pm
One simple, inexpensive method to prevent such theft by replacement is to secure the terminal or PED to the counter with a lock down device requiring a manager with a key to unlock the device for service or swap out. We recommend securing BOTH terminal and PED because customers have had terminal stolen resulting in the thieves loading prepaid cards by running credits through the stolen terminal deducting the monies from the merchant’s checking account.
September 8th, 2011 at 6:00 pm
A simple bolt and two nuts tightened against each other, requiring a minute under the counter with a pair of wrenches to release, is also a cheap and effective deterrent.
But this scenario continues to highlight why any card technology that requires trusting the merchant terminals is inherently flawed. Sealed, bank-issued personal payment devices in a credit card form factor with an on-board authentication device and an air-gapped authorization method are the only way this arms race will end well. Everything else, including chip and pin, is just kicking the can down the street until the next flawed “great idea” is hacked.
September 13th, 2011 at 8:48 am
I believe the main points are being missed here. If I’m capable of replacing your PEDs, most likely I’m the manager or in charge of security in your store or affiliated with them.
It does not take 2 seconds to swipe out a PED, these people, especially with the Aldi situation had plenty of time and access to accomplish their feat. So the physical solution is not going to work.
In addition, just as well as fake handbags can be cloned, it is really easy to clone PED device with PVC machines over in Asia that look exactly like the PED and can still be intercepted before the machine can encrypt the card number at the magnetic swipe.
The only real solution is a multi-factor that allows real-time access to transcations to compare against real-time sales in store to verification.