Are point-of-service attacks occurring more frequently? It would seem that way, given the continued media reports of ATM skimming and point-of-sale electronic device swap within the U.S. this year. Bankinfosecurity.com has been tracking this phenomenon and has pointed to more than 40 incidents this year alone.

In an article from Bankinfosecurity.com, it’s speculated that one of the reasons this type of attack has gained popularity, at least in the US, is because the use of standard magnetic strip technology is still the norm, whereas other countries have transitioned to newer technologies such as chip and PIN. This could in fact be a significant factor, as identity thieves tend to look for the weakest link, and exploit it to the best of their ability.

One type of attack that has been in the news due to recent data breaches is the point-of-service device swap. In this scheme, the card swipe machine is actually removed and replaced with a new device that collects data from the card as well as the PIN number entered by the customer. While it may seem strange to consider such a crime happening in a busy retail establishment, the POS device swap is actually easier to pull off than you might think: thieves utilize the tried and true practice of “social engineering,” to gain access to the equipment. This could take the form of distracting employees or posing as technicians to convince employees they are there to perform maintenance. Additionally, an employee could be involved in the scam, or the actual perpetrator. If all else fails, the thieves could simply wait until no one is watching the register.

So, what is the answer? Will new technology solve the problem? While retail businesses can’t feasibly stop accepting magnetic stripe cards as a form of payment anytime soon, there are some steps that can be taken to prevent this type of scam or, at the very least, catch it just a little earlier. Card swipes and PIN entry devices should be frequently checked for tampering and audits performed on a weekly or even a daily basis, to ensure serial numbers match what’s recorded. Perform background checks on employees as a preventative measure. Perhaps most importantly, train employees to have a basic understanding of POS attacks and to recognize the social engineering component of this scam.

by Charlotte Rose
CIPP 
Senior Investigator, Kroll Fraud Solutions

Tags: ATM skimming, attacks, point of service attacks, point-of-sales electronic device security, POS, scard swipe schemes

Categories: Consumer ID Security, Data Security Issues.