Hancock Breach Reveals New TrendFraudsters Swapping Out POS Devices, Stealing Card Data
In March, the national fabric store chain publicly confirmed the breach it suffered last summer, sending an open letter to its customers, revealing: "PIN pad units at a limited number of Hancock Fabrics stores were stolen and replaced with visually identical, but fraudulent, PIN pad units. This may have allowed criminals to capture - or "skim" -- payment card data during transactions."
Hancock didn't reveal the locations or number of stores where point of sale scanners were compromised -- nor the number of customers who had their card data taken -- but at least 140 reports from customers in California, Wisconsin and Missouri show the pervasive nature of the fraud.
The lesson here: It is relatively easy for fraudsters to tamper with or even swap out POS PIN Entry Device (PED) pads, and these types of incidents are likely to increase, putting retailers, consumers and banking institutions at risk of future card-related fraud.
"These incidents are part of an ongoing trend where criminals are targeting non-PCI and PED-compliant point of sale terminals with devices installed to capture cardholder data," says Mike Urban, Sr. Director of Fraud Solutions at FICO.
How it Happens
Typically, this crime begins when criminals target a single store, or -- as in the case of Hancock Fabrics -- multiple stores in various locations.
Urban describes how a gang of these criminals will go into a store. "They will feign illness to draw people away from a point of sale terminal in order to make the switch. It is a brazen act - almost to the point of opening the cash register - to swap out a POS terminal during business hours. In these cases, the criminals work together to create a cover of the terminal swapping activity."
While some would think that a store clerk or other employees wouldn't be duped so easily, PCI expert Dr. Anton Chuvakin notes that it isn't a huge social engineering feat to do a swap. "It's fairly easy in many cases," he says. "They'll come in, distract personnel and replace the equipment."
Even a more likely scenario would be that the criminals replace the pad when people just aren't around. "How many times have you gone into a retail store later in the evening and no one was at the checkout area?" he asks.
An unsettling trend in this type of crime is that some criminals have resorted to collusion with employees, or even used threats of violence to get the PEDs replaced, says PCI and security expert Branden Williams, Director of the Security Consulting Practice at RSA, the security division of EMC.
While the swapping of POS devices is easy to do, it is not as scalable as remote hacking. "A small amount of research can yield a short term gain by capturing a few cards, or even long term gains if the merchant is not uniquely keying each device," Williams says.
The types of devices being targeted for this are the older PIN pads, which are very simple devices. "They're much like a peripheral (mouse, keyboard, etc.) and this is the same effect as inserting a PS/2 or USB keystroke logger," says David Shackleford, a security expert at Sword & Shield, a computer and network security firm in Atlanta, GA. Shackleford says he would not be surprised to see more of these incidents "at merchants with weak physical security and store policies that were still using older technology."
Data at Risk
Once the device has been swapped, the amount of data to be stolen is related to the amount of time the compromised terminal is in place at the retail location. "It also depends on the number of cards that transact during that time. It can run into thousands of cards," says FICO's Urban.
In most of the POS terminal compromises Urban says he has seen in the U.S. that the data is stored on the POS terminal until the terminal is swapped back out. "But there is a trend where card compromising devices will broadcast data via Bluetooth or other wireless protocols," he says.
In the case of Hancock Fabrics, the type of pad used wasn't clear. "It's likely that the pads included a swipe reader and numeric keys, which means they could capture full track data and PINs, says Shackleford. "The false pads would have a fair amount of physical storage, and could likely hold a good number of debit and credit card numbers," he says.
It is conceivable that the data captured can be Track 2 data plus the user's PIN, "which means the criminal may be able to manufacture fake debit cards," says Chuvakin. This data with full access to bank account withdrawal up to a daily limit of $500 could inflict real damage to individual victims - with banking institutions then footing the bill to replace cards and/or monitor accounts.
The Hancock Fabrics breach points to several steps that retailers can take to prevent this kind of crime from happening to them:
- Ensure PCI Compliance -- Making sure all POS terminals are PCI compliant, using Derived Unique Key Per Transaction (DUKPT). "Securely install terminals with unique hardware as a deterrent, and visibly inspect them along with the registers every day," recommends Urban.
- Educate Employees -- Security awareness training for all store employees would be a great start, says Shackleford. "Newer pin pads that have more built-in security measures like device tamper resistance can help, but it's important to keep spare PIN pads locked away, and employees should periodically check them while at work to make sure the device ID still matches."
- Auditing the PEDs -- on a regular basis, recording them and cross checking the serial numbers. Chuvakin, who recommends retailers follow PED Security Guidelines and review the condition and placement of internal CCTV systems to cover all till areas.
- Watch Your Staff -- The PCI Security Council's PIN Transaction working group also recommends performing background checks on employees, as well as keeping a complete record of any work done on the POS pads by service providers. If a service engineer arrives at the store unannounced to do work on the PEDs, the working group recommends that before any work is performed that their identity be confirmed by contacting the service company.