The European ATM Security Team (E.A.S.T.) recently published its second European Fraud Update of 2014, covering ATM and other terminal fraud trends. EAST is a regional industry organization whose members are committed to sharing information about ATM attacks.
Members reported ATM card skimming attacks in 18 European countries...
Chip and Skim
While we tend to focus on physical attacks that capture cardholder data, there are other attacks on card transactions where physical access and tampering are essential. Some very interesting research was presented at the recent IEEE Symposium on Security and Privacy to reinforce this point...
Those Who Do Not Learn From the Past...
"Those who do not learn from the past are doomed to repeat it" or variations thereof is a profound and frequently cited quote. It's commonly attributed to Winston Churchill, but most authoritative sources attribute it originally to George Santayana in his work "Life of Reason, Reason in Common Sense."
Regardless of who the original author is, one of the reasons that it's so frequently cited is its applicability to so many situations. Even point of sale skimming, it turns out...
News - Distribution
This week we’re back in Las Vegas attending Transact 14 powered by ETA. We’re exhibiting with our good friends from Sysnet Global Solutions, with whom we just announced a worldwide distribution partnership for SpotSkim. We know it’s important to get our product in the hands of as many merchants as we can, and this announcement means that many of them can now get SpotSkim through one of their trusted partners for compliance solutions. If you’re attending, please come by and see us in booth #1006...
Taking Stock
It seems somewhat unnecessary right now to reinforce the fact that cardholder data compromises continue to harm businesses that accept payment cards. You can just open your favorite newspaper or news website.
This week, Verizon released their 2014 PCI Compliance Report. A companion piece to their essential Data Breach Investigations Report (DBIR), this report provides insight drawn from all of the PCI DSS assessments that they completed over the past year...
Know Your Enemy
At many tourist sites, you will often see warnings to protect your valuables against pickpockets. Criminals know that visitors’ attention will be focused on the attraction they came to see and they will be less aware of their surroundings and their personal belongings. This makes them easier targets. Another common tactic used by street criminals is to intentionally distract a potential victim. The victim is “turned” by a loud noise, a spilled drink, or similar distraction, and they momentarily lose awareness of their personal belongings, making them an easier mark...
In The News
We've been happily attracting some coverage in the media over the past several weeks.
We received a nice mention in Retail Reseller News. We were also covered in a recent issue of the Nilson Report, the leading publication covering payment systems worldwide.
I Hate To Say I Told You So...
An Unwelcome Trend
Analyst firm Gartner Group is out with their “Top 10 Strategic Technology Trends for 2014.” One of these is 3D printing, and this is bad news for merchants who need to protect against skimming attacks at the Point of Sale.
If you are not familiar with 3D printing, it is the process of creating a 3D copy of an object from a model. The model can be created using a CAD program or generated from a 3D scan of the object to be reproduced. Gartner expects worldwide shipments of 3D printers to grow 75 percent in 2014 followed by a near doubling of unit shipments in 2015.
So what does this have to do with skimming? 3D printers can make it easier for criminals to create high quality replacement parts to hide skimming devices installed on a point of sale. They can match colors and shapes of the case or housing of a POS device with a great deal of precision. They can create new parts that look like they are part of the factory design.
Community and the sharing of models on sites like MakerBot Thingiverse is a big part of the 3D printing revolution. Unfortunately, criminals are very good at sharing what works in their own underground communities, and will also be able to share models of parts that they have used successfully.
Bad actors almost always find uses for revolutionary new technologies. Thinking about how to mitigate new risks that result is essential. It’s going to be more important than ever to know what your POS looks like in a “known good” state. Fortunately, there’s a solution for that.
Inspiration
The team is back hard at work after the PCI SSC North American Community Meeting. At the meeting, there was plenty of discussion about new requirement 9.9 in PCI DSS 3.0 that requires point of sale devices to be inspected periodically for tampering. While this is a new requirement in DSS, there have been similar requirements in the P2PE Solution Requirements since their release last year.
But our main takeaway was inspiration...