Pin Pad Theft Securing Your Pin Pad. Protect your customers. Protect your reputation.

Upload: abigail-blossom

Post on 15-Dec-2015

Pin Pad Theft

Securing Your Pin Pad. Protect your customers. Protect your reputation.

Pin Pad Theft

• Overview:
  – Situational analysis
    • Who, what, where, how, why
  – Depth of problem
    • Organized Crime – details on the how
    • Consequences
      – Implications, Property loss, consumer confidence, media coverage
      – POS company reaction
    • Will new technology help? Chip/Pin
  – Solutions
    • Best practices
    • Security product solutions
  – Conclusion
    • Pin Pad Theft Prevention Kit

Halo Metrics Inc.

• Loss prevention solution provider for over 20 years

• Solutions include everything from security mirrors and counterfeit detectors to security peg hooks and display alarms

Halo Metrics Inc.

• Over the last 3 years there has been a significant increase in PIN Pad thefts

• Our customers have asked us for a better and stronger security solution to prevent these attacks

• We have developed the most extensive range of PIN Pad security solutions available in Canada

What is the issue?

Pin Pad terminals are being stolen, tampered with, and reinstalled for the purpose of stealing consumer banking information.

This is commonly referred to as a “skimming attack” and leads to identity theft fraud.

Is it a real problem?

• At Halo Metrics we have seen a significant increase in requests for PIN Pad security solutions over the last 3 years

• Industry sources state that in the last year there has been a 300% increase in arrests related to PIN Pad theft

Who is involved?

• Skimming is a lucrative criminal activity that is challenging to detect and prevent.

• As a result it appeals to both ends of the criminal spectrum (organized crime & less sophisticated criminal elements)

• Theft of PIN Pads is usually an organized effort. This could include professional organized crime teams.

• A typical theft attempt can involve more than one person

For example:

• A two-person team enters a store
• One partner looks out while the other starts the theft of the PIN Pad. Note the time: 19:52:02
• Partner proceeds to distract customer. Note the time: 19:52:09
• Theft is complete. Note the time: 19:53:00

How does it happen?

• In this incident the thief was able to remove the PIN Pad from a light gauge metal display holder in under 60 seconds
  – A heavy gauge metal locking security bracket could have deterred this theft

• PIN Pads that are simply sitting on a counter can be removed in less than 3 seconds

How are PIN Pads tampered with?

• Once PIN Pad terminals have been taken the criminals will tamper with the equipment and install a card reader

• The tampered PIN Pad is either reinstalled in the original store location or another store with the same model PIN Pad

Examples of PIN Pad Attacks (images)

How is the data captured?

• The card reader captures banking information
• This information can either be downloaded wirelessly or manually via a data cable
• In the case of a manual download the thieves will come back for the PIN Pad

Consequences

• For the consumer
  – Banking information compromised
    • Vulnerable to Identity Theft crimes
    • Monetary loss
  – Hassle and frustration of having to change personal documents, banking cards, etc.
  – Note: Banks will freeze debit cards used at a store with a tampered PIN Pad for up to 2 months
    • This includes all bank cards a consumer owns, not just the cards that have been compromised

• For the owner / operator
  – Loss of asset (PIN Pad) $300 - $500
  – Potential cost of forensics and system analysis
  – Potential lawsuits
  – Employee terminations

• Shopping behaviour can be severely affected by being a victim of a skimming attack. This can include:
  – Change in buying patterns
  – Change in shopping locations
  – Move to alternative payment methods
  – Less use of debit cards

• Media Coverage
  – The media has been advising the general public to shop at retail businesses that have taken measures to protect PIN Pad equipment

Will Technology Help?

• PIN Pad terminals are advancing
  – I.e. no touch pay terminals & Chip and PIN technology
• Technology advances help in the short term
  – All retailers will have to move to the new chip & pin system within 5 years
  – It's harder to make counterfeit copies of chip & pin cards

• UK has adopted chip and pin technology for several years now

• In May of 2006 Shell suspended the use of chip and PIN payments at 600 UK petrol stations

• There was a £1m chip and PIN fraud at a Shell petrol station

• Story URL: http://www.silicon.com/research/specialreports/idmanagement/0,3800011361,39158743,00.htm

• “But a spokeswoman from Apacs told silicon.com criminals must have had easy access to PIN pads in order to modify them to enable the theft of PIN numbers and the copying of magnetic strip information - a task which will have taken time.”

• As with any advancements criminals tend to catch up and the process becomes an ongoing cycle

Best Practices

• Technologies will evolve but so will the criminals

• The following recommendations will help you create processes and awareness that will deter such crimes

Risk Analysis

• A risk analysis process for skimming attacks and the POS should at minimum include the following:
  – Identification of assets
  – Identification of threats
  – Review of probability of threats taking place

Identification of Assets

Threat & Probability

• Skimming attacks happen on a frequent basis
  – It is one of three common threats the payment industry deals with
  – Factors that contribute to probability of an attack include:
• High transaction volume
  – Criminals want to get as much account and PIN data as possible in the shortest amount of time
  – Merchants that have significant number of payments for smaller dollar amounts (Gas Stations are an example of this) are at higher risk for a skimming attack
• Terminals with heavy use
  – A single payment terminal used for a large number of transactions may attract skimming attacks
  – An example of this is an in store ATM
• High Volume Sales Period
  – Merchants that experience predictable increases in sales activity can be targeted for skimming attacks
  – Examples are holidays, special events, promotions etc

Best Practices

• Focus on three major areas
  – Physical security of store
  – PIN Pad terminal security
  – Staff and service access to PIN Pad terminals

Physical security of store

• Terminal Infrastructure
  – Wiring and communication lines
  – Limit exposed cable
  – Make it difficult to access terminal wiring and cabling
  – Protect telephone rooms, panels, routers etc.
• Cameras and placement
  – Make sure ATMs and cashier tills are well lit
  – Locate cameras so that the area around the payment device is recorded without capturing people entering their PIN information
  – Immediately examine terminals if a camera has been moved, damaged, or an image has been blocked

PIN Pad terminal security

• Start with an inventory of all PIN Pad models that your store uses

• Note all connections to the terminal

• Create a daily process to check all pin pad equipment for tampering

• Secure your PIN Pad equipment
  – Electronic Alarm
  – Heavy Duty Security Bracket
  – Tamper proof label
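
The inventory, connection and daily check steps above can be run as a comparison against a recorded baseline. This is an added example, not part of the original presentation; the field names, the recording of serial and label numbers, and the sample data are assumptions made for illustration. It checks serial numbers as well as models because a tampered unit reinstalled in a store "with the same model PIN Pad" would pass a model-only check.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Terminal:
    location: str           # where the PIN Pad sits, e.g. "till-1"
    model: str
    serial: str             # assumption: serial recorded alongside the model
    connections: frozenset  # every cable noted as attached to the terminal
    label_id: str           # number printed on the tamper proof label

def daily_check(inventory, observed):
    """Compare today's inspection with the inventory.

    Returns a list of (location, issue, detail) findings; empty means no change.
    """
    findings = []
    seen = {t.location: t for t in observed}
    for base in inventory:
        now = seen.pop(base.location, None)
        if now is None:
            findings.append((base.location, "missing", base.serial))
            continue
        if now.model != base.model:
            findings.append((base.location, "model_changed", now.model))
        if now.serial != base.serial:
            # A reinstalled same-model unit is only caught here.
            findings.append((base.location, "serial_changed", now.serial))
        for cable in sorted(now.connections - base.connections):
            findings.append((base.location, "extra_connection", cable))
        for cable in sorted(base.connections - now.connections):
            findings.append((base.location, "connection_removed", cable))
        if now.label_id != base.label_id:
            findings.append((base.location, "label_changed", now.label_id))
    for loc, t in sorted(seen.items()):
        findings.append((loc, "not_in_inventory", t.serial))
    return findings

# Constructed sample data: till-2 has been swapped for a same-model unit.
INVENTORY = [
    Terminal("till-1", "Model-A", "SN-0001", frozenset({"power", "ethernet"}), "LBL-1001"),
    Terminal("till-2", "Model-A", "SN-0002", frozenset({"power", "ethernet"}), "LBL-1002"),
]
TODAY = [
    INVENTORY[0],
    Terminal("till-2", "Model-A", "SN-9999", frozenset({"power", "ethernet", "usb"}), ""),
]

if __name__ == "__main__":
    for finding in daily_check(INVENTORY, TODAY):
        print(*finding)
```

Any finding is a reason to take the terminal out of use and escalate before further transactions are processed on it.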

PIN Pad terminal security

• Terminal upgrades
  – Purchase terminals from an authorized distributor
  – Make sure that the terminal meets all security evaluative criteria set out by industry
    • Refer to www.pcisecuritystandards.org/pin for PCI approved terminals

• Terminal Disposal
  – Return old terminals to authorized dealers via secure shipping or direct pick up when new terminals are installed
  – Clear all data
  – Remove all business identifiers
  – Do not throw out into publicly accessible trash containers

• Check for covert cameras
  – False ceilings above PIN Pads
  – Boxes used to hold leaflets
  – Charity boxes next to PIN Pads

Staff and service access to PIN Pad terminals

• Staff as targets
  – Have a policy in place that covers issues of coercion or bribery
  – Create a method for staff to communicate to senior management anonymously
  – Train staff regarding the types of fraud and terminal attacks, debit equipment, and what to do when tampered equipment is found

• Hiring & Staff Awareness
  – Background checks (criminal, financial, education etc)
  – If it is not possible to get background checks:
    • Full name / address / home phone number
    • Date of birth
    • Photo
    • Previous work history
    • SIN etc.

• Train staff regarding notification and escalation process to report skimming attack incidents
  – Procedure for escalating concerns about a terminal
  – Who to contact about these concerns
  – How to contact Sr. Management regarding a compromise
  – How management or staff contact the police

• Service access
  – Agree to a specific time, date, and confirm name of service engineer
  – Unannounced visits by someone claiming to be a service engineer must be denied access to terminals until credentials can be verified
  – All work performed by an engineer must be written down in a report and kept on file for six months
