Three POS Skimmers

Posted on March 31, 2014
eric.milic@kubera.cc

 

What is a skimmer?

A Skimmer is a small electronic device used to steal credit or debit card information in a legitimate transaction.

You may have heard about card skimming in restaurants. Typically a victim’s card is taken out sight where it is scanned by a skimmer. Call centres and gas stations are also other areas where skimming could happen easily.

In this blog article we will be going over a few skimming scenarios that have been highlighted by Krebs on Security recently. Krebs has an amazing blog series on many common skimmers that is worth a read.

Our goal here is to educate our merchants and their customers on common skimming tactics so that credit card fraud can be detected and avoided.

Would you have spotted the fraud?

Krebs highlights this skimmer from 2009 that was attached to the front of a Citibank ATM in California and asks if we would be able to see the device.

Via Krebs on Security

Most people probably would have never noticed this skimmer. We are constantly on the go and wouldn’t even notice or think about looking at the device that is taking their credit card information. This is why it is our responsibility as merchants to routinely monitor devices as much as we possibly can.

via Krebs on Security

This device is quite sophisticated, it snaps on top of the ATM’s card reader and looks like part of the actual ATM. It even has a pinhole camera that is designed to capture the card victim’s PIN number as they enter it.

Skimmers like these can be homemade or bought online from criminal forums. Some are so sophisticated that they can send the victim’s card data by SMS message to a thief’s mobile number.

Simple But Effective Point-of-Sale Skimmer

This skimmer is very sophisticated and is for Verifone POS. It’s an easily installed overlay that is highly unnoticeable. Recently some fraudsters installed this system at a Nordstrom department store while the employee who operates the register was distracted. Nordstrom later discovered the skimming device on their POS.

As a merchant or a customer, would you have spotted that one?

Fake ATMs

Krebs’ blog has identified many interesting skimmers. This one however is probably the most interesting of them all. Credit & Debit card thieves went through the trouble of creating a completely fake ATM that stacks right on top of a legitimate ATM. IT was discovered in November 2013, when a customer at the Bank of Brazil tried using his ATM but was denied. The customer called the cops with suspicion and the police removed the skimmer from the machine. See what it looks like below:

via Krebs on Security

The skimmer was made from a disassembled laptop and skimmer pieces.

via Krebs on Security

Something that gives away these skimmers are spelling mistakes similar to the ones you would see in a phishing email or fraudulent popup window from a website.

Customers: Remember to take notice to the machine you are using every time you use a credit or debit card, especially when traveling.

Merchants: Pay attention to your hardware, regulate it for fraudulent technology and make your greatest effort to abide by PCI compliance standards. This will save you tons of money and can prevent you from loss of reputation.

Choosing A Secure Password

FacebookPasswordHacker2

As we continue to use technology we require more and more passwords to access things. You might already know these basic tips:

  1. Never reuse your old passwords. “One bad apple ruins the bunch”
  2. Don’t change your password unless you think it’s compromised.
  3. Consider two-factor authentication.

Although you might have a handle on the basics, below are a few password tricks you might not be familiar with, starting with a scenario for hacking a password.

Scenario for breaking a password:

Offline password-guessing attack

Attacker obtains a file of encrypted passwords like the LinkedIn breach in 2009. The attacker(s) would then unencrypt these passwords to authenticate themselves into the compromised accounts where more information can be stolen.

The attacker would do this by running a commercial program or hacker tool on their computer to guess as many passwords as possible. If correct (which often happens) then they would have access to your accounts.

With this method of guessing passwords, two factors are at play: efficiency and power.

Efficiency is how easily the program can guess a password. Some programs are so incredibly effective that they are able to guess common passwords first. They have special dictionaries that combine different words to guess common passwords. Common passwords typically have both a root and an appendage and do not have to be in any particular order. Example “passwords1234” or “p4s5w0rd12”

Modern password cracking programs will run common roots and appendages until they find a match. This is why using individual words and characters is no longer great for making passwords.

Password crackers will also feed in any information that may be related to the person’s compromised account. This includes names, addresses, postal codes, meaningful dates and any other meaningful information.  Some programs can even scan a target hard drive for clues and spend time scanning it for this information.

Obviously all of this work requires a good amount of processing capacity. Well, what helps password-cracking programs be so efficient? The processing power available to run these programs. As computers have developed over time and processing power has increased, these programs are able to process more and more passwords per second. In fact one program advertises eight million per second!

So what are some best practices for choosing a password?

Schneier scheme

Take a sentence and turn it into a password. Example: “Holy smokes! Would you look at that.” or hs!…wyl@t

Having a memorable sentence really makes it easy to create a password that is long and easy to remember. These are atypical, generally harder to crack but still not completely “fool proof” as software and hackers continue to get better with time.

Use a password managing service

Some password managers will generate new passwords for every app you use with a random password generation tool. This way your passwords are always different and always random.

While these tips might be useful, there’s certainly a positive correlation between Internet security and attacker sophistication.  If you aren’t able to go with a password manager, you’re always better off using two-factor authentication and using a randomly generated password.

 

Types of POS Malware part 2

Posted on February 25, 2014
eric.milic@kubera.cc

The aftermath of the Target breach has raised concern and hopefully greater awareness to the benefits of PCI Compliance.

To help increase awareness on POS Malware we’ve covered a few in our previous post, and will continue to cover more in today’s post. First up, Dexter:

Dexter

Dexter is another Windows-based POS Malware that has several active variants. Like BlackPOS, “”parses memory dumps of specific POS software related processes looking for Track 1 and Track 2 data” Track 1 data is cardholder name and account numbers and Track 2 is the credit card number and expiration date.

One of its variants, Stardust also extracts internal network traffic information from the company under attack. It’s possible that some of Dexter’s variants are delivered to POS systems via phishing emails or other malicious actors that can access systems remotely. Learn more about Dexter here. 

 

VSkimmer

http://blogs.mcafee.com/mcafee-labs/vskimmer-botnet-targets-credit-card-payment-terminals

A supposed successor to Dexter, VSkimmer also targets Windows-based systems. VSkimmer has nearly all the same functionality as Dexter however it is unique in that if the Internet is not available, it does not need to use the Internet to transfer data. In the case with no Internet, it collects all the data and waits for a USB device with a specific name to be connected to the infected machine. Once connected, it then transfers all the information to that USB. Want to learn exactly how it works? Check out McAfee’s blog on the Malware here.

We strongly recommend that businesses running POS systems should follow best security practices and maintain PCI Compliance. Please use strong passwords, multi-step authentication, update your applications when available and disallow remote access unless necessary.

Want more tips on how to beef up your payments security? Give us a call.

 

 

What Are Point of Sale Malware That Can Steal Credit Card Data?

Posted on February 12, 2014
eric.milic@kubera.cc

Malware

Malicious software also known as malware is software that steal sensitive information, interrupt computer operations and/or breach private computer systems. Malware can be any type malicious software – even the recent Flappy Bird fake android app. The majority of active malware however are generally worms or trojans instead of computer viruses or spyware.

The malware used in the recent breaches including Target breach are known as point of sale (POS) malware. These types of Malicious software specifically target point of sales systems are often used to steal credit and debit card data. Here are a few of the most common names of POS malware:

 

BlackPOS

Specifically designed to bypass firewall software and record all data from credit and debit cards when swiped at an infected POS device. BlackPOS affects Windows based POS and breaches information between the card reader and the POS device. At this point, “track data” or data that can replicate a physical card is obtained by the malware and uploaded to a remote server using an FTP. More here.

 

Trojan.POSRAM

This Trojan tool was used to compromise Target and other companies in a well-orchestrated operation now named Kaptoxa. The malware is a new variant of BlackPOS that was extremely customized to prevent detection from antivirus software. Trojan.POSRAM also identifies unencrypted track data when credit cards are processed at a POS terminal and extracts it.

The data is then stored on the point of sale system and then sends it over to an internal host in the compromised network where the cyber attackers can take the data using an FTP. More here.

As both these types of malware are not technically sophisticated it really supports the fact that retailers in Canada and the United States need to be extremely conscientious in protecting their credit card and networking ecosystem. Adhering to PCI-DSS prevents these disasters from happening.

Want PCI-DSS advice? Our experts can help you – contact us here.

 

Could Tokenization Have Prevented Recent Data Breaches?

Posted on January 29, 2014
eric.milic@kubera.cc

tokenization

Much controversy has been centered on the major data breaches at Target, Neiman Marcus and potentially Michaels, and affected millions of credit and debit cardholders.  Of this controversy and discussion lays the question – could tokenization have mitigated these attacks?

The data breaches had a very high level of sophistication and portray how vulnerable businesses can be to cardholder data theft. It truly is an eye opener to the importance of protecting cardholder data by maintaining and complying with Payment Card Industry Data Security Standards (PCI-DSS)

Regardless of the level of sophistication, EMV would not have prevented theft as the malware used in the Target breach was able to take customer data beyond the point of sale system.

In the case of this particular malware, encryption would have proven to be useless as well, depending on the location of the actual execution of encryption. If encryption occurs on the point-of-sale system, then this piece of malware would have been able to extract the track data prior to it being passed through the encryption method.”

Target’s best opportunity to have prevented the breach was if Target had tokenization and took action to adhere to PCI Data Security Standards through additional implementation of security controls.

Have a question on the breach or PCI Compliance? Contact an expert today.

Michaels reports a possible credit card data breach

Posted on January 27, 2014
eric.milic@kubera.cc

MICHAELS - Model of the Michaels stores
A third major retailer has reported another credit card data breach.

As of last Friday, the arts and craft giant has confirmed that it is working with Federal law enforcement and private security analysts to investigate a potential credit card data breach.

This breach could affect Canadians and Americans alike should there be an actual breach as the retailer has over 1,000 stores across North America.

At this point it is unknown whether the breach was from weak online security or old technology. Either way it’s likely that the company had not paid close attention to PCI Data Security Standards.

Although Michaels has not confirmed an actual breach yet, security expert Brian Krebs believes that Michaels should be concerned as “four different financial institutions traced hundreds of fraudulent purchases back to cards that had been used at Michaels”.

Michaels CEO, Chuck Rubin also wrote: “While we have not confirmed a compromise to our systems, we believe it is in the best interest of our customers to alert them to this potential issue so they can take steps to protect themselves, for example, by reviewing their payment card account statements for unauthorized charges.”

With good intentions, they are taking the next step by investigating whether or not a breach before finding out a few months down the road and letting their customers know well after they have been affected.

This wont stop the lawsuits from coming however. On January 27th, an Illinois customer sued the company for breaching their promise to protect customer data. In addition, both Target and Neiman Marcus have been sued by customers since their recent data security disclosures and it’s likely the lawsuits will continue.

If you have shopped at Michaels in-store or online, please check your credit card or debit card account statements fro suspicious activity.

If you are a business concerned about your security, consider contacting Kubera for guidance on credit card data security.

How is the U.S. behind the rest of the world in credit card security?

Posted on January 16, 2014
eric.milic@kubera.cc

emv-smart-card

Apart from the United Sates, “swiping and signing” when making a credit or debit card is no longer used. Canada, along with nearly every other developed company uses EMV Chip & PIN technology for both credit and debit card transactions.  In fact it’s ironic that the United States hasn’t adopted this technology, considering “the credit card is an American invention”.

 

What exactly is EMV Chip & PIN?

EMV Chip & PIN is a globally accepted answer to prevent credit and debit card fraud.

 

So, how does EMV Chip & PIN work?

EMV cards generate a unique code each time they are used. This code is sent to the processing host for verification.  When the host processor decodes the encrypted code and verifies the card, the cardholder must enter their PIN or personal identification number to verify the transaction. This is a form of 2-factor authentication, which makes it difficult to steal cardholder data and create counterfeit cards.

 

Here are four great reasons to use EMV at your business:

  • Visa announced it’s intent to begin EMV adoption in the US for POS terminals with a deadline of October 2015. After this date, liability for fraudulent charges on non-EMV POS terminals will be on the Merchant’s acquirer.
  • Improved security
  • More easily serve international clients who are used to using CHIP & PIN (Great for tourism focused business).
  • Prepare your business for the future.

 

Canada is also adopting NFC/Contactless or “tap and go” technology for faster and safe transactions. Want to learn more about NFC? Click here.

 

Want to upgrade to EMV or increase your customer satisfaction with faster payment options?

Contact us today by clicking here.

The 2013 Target Breach/Heist

Posted on December 22, 2013
eric.milic@kubera.cc

2013, Black Friday – The second-largest credit card data breach in the history of the United Sates resulted the compromise of over 40 million customer’s credit card information.  Any customers who made purchases by swiping a debit or credit card at Target between Nov. 27 to Dec. 28in the United States could have their card data stolen.

This included customer names, credit/debit card numbers, expiration dates and CVV codes. The stolen data is everything needed to make online payments.

“Annual losses from global credit and debit card fraud are on the rise. Last year, it reached $11.27 billion, up 11.4% from the previous year, according to The Nilson Report, which tracks global payments.” – USA Today

How did this happen?

KBW analyst Sanjay Sakhrani stated that the breach had nothing to do with their acquiring/processing partners. It’s likely that this was because of weak credit/debit card security – the use of magnetic strip swipe payments.

The magnetic strip uses the same technology as cassette tapes, making it very vulnerable to data theft.

Had Target used EMV Compliant Chip & PIN it’s likely that their customers could have been safer from credit card fraud. These digital chips generate a unique code every time they are used which makes it difficult for criminals to steal your information.

Additionally, Target may have been storing credit card data in a non-compliant format with the Payment Card Industry Data Security Standard (PCI-DSS).

Target is now facing a class action lawsuit, unhappy customers (who potentially will never shop at target again), a drop stock-prices and lower store traffic.

Is weak security worth the risk?

We don’t believe it is. Companies should work had to avoid breaches at all costs, maintain updated PCI Compliance standards.

Kubera has a team of security experts on hand to help your business avoid fraud stories like these. Contact us for more.

Canada ranks in the top 3 in cashless payment societies

Posted on December 18, 2013
eric.milic@kubera.cc

As the trend towards a cashless society continues, Canadians are among those leading the trend.

MasterCard recently released a report named “Cashless Journey” that ranked Canada as the third most cashless country in the world, with Belgium ranking first and France second.

“The increased adoption of electronic payments has propelled Canada to leapfrog other countries and secure a top spot as nearly cashless.  In other words, Canadian’s are comfortable with and prefer using other forms of payment and have been at it for years!” – said Betty K. DeVita, President, MasterCard Canada.

According to the report, Canadian non-cash payments make up a total of 90% of all consumer payments. In addition to cash only accounting for 10% of all payments, it also only accounts for about 40% of the number of transactions in Canada.

Much of this success can be attributed to our early adoption of EMV Chip & PIN, Contactless Payments like PayPass Tap & Go™ and Visa Paywave, our modern payments infrastructure including electronic funds transfer and NFC.

While canadians continue to adopt cashless forms of payments, many payments providers are currently testing new mobile payments solutions that are likely to be available in 2014. We think Canadians will be ready to adopt this technology, as smartphone usage increases in Canada.

 

 

We would be proud to earn your business

Contact Us