The latest method of getting card information is a more sophisticated version of an older scheme. It’s a new attack targeting debit cards at ATMs. That doesn’t make a big bang for merchants, because the bad guys go for cash, but you can bet it’s going to hurt a lot of banks. Because the attacks are targeting debit cards with PINs, cardholders will be feeling the pain as well.
Earlier ATM skimming techniques involved installing a device over the legitimate card reader and also placing a camera near the reader to visually record the PIN as it was entered.
An article on ATM shimming in Network World makes it clear that this attack is not trivial, but it is almost undetectable. A 0.1 mm shim is inserted inside the existing card reader. According to the article, these devices are already being mass produced in Europe.
Once again, we’ve moved one step forward to the bad guys’ two.


US merchants, are you ready for an increase in fraud? It will happen after October when Chip and PIN becomes mandatory in Canada.
Here are some facts.
According to Visa Canada, APACS reported a 35% reduction in fraud losses to UK merchants. If these things are as secure as the Association’s hype wants us to believe, why is there only a 35% improvement?
There’s more. Notice that the report says losses at UK retailers are down by 35% since 2005. They are talking about Card Present (CP) merchants. At the same time, there was a 43% increase in Card Not Present (CNP) transactions. And they are talking about UK merchants. Overseas CNP fraud on UK cards skyrocketed. “Overseas” from the UK perspective translates to a lot of US merchant victims.
Another section of the referenced website claims that “fraud related to lost and stolen payment cards has decreased by more than half since the adoption of Chip & PIN in 2004.” I think that’s significant because lost or stolen cards more frequently result in CP transactions. CNP fraud normally results from data hacks, so the on-line merchant sees no added benefit from the lost or stolen card protection.
I haven’t seen any recent articles in reference to the magnetic stripe, but according to a 2008 article in SecureIDNews, the stripe technology will be accepted until 2015. And the Visa Canada website does tell us that the readers will read both technologies.
Chip and PIN’s effect on the on-line fraud world.
In fairness to the Chip and PIN technology, it’s reasonably successful at doing what it was supposed to do: reduce CP fraud.
Unfortunately, it has pushed fraud to the CNP realm. In October, Canada goes totally Chip and PIN. A lot of their fraud will go to just about the only place it can: the US.
Stand by, US merchants. There’s more coming!
Debit card issuers are projecting a $5 billion loss in revenue with the new laws expected to pass this week. Do you wonder who will make up those losses? Nobody seems to be saying, but you can bet they’ll find a way, and we shouldn’t be surprised if it isn’t the cardholder. That leaves the merchant holding the (money) bag again.
Never forget that the merchant is the path of least resistance because of the contractual relationship with the Association. Recent laws have made it tougher for the banks to stab us in the back but they still hold the knife.
A good analysis of what’s going on can be found here.
If you have a POS terminal with a PIN pad, there’s another PCI standard that will affect you. It’s called PCI PTS – PCI PIN Transaction Security. It’s aimed at PIN pad devices, but brick and mortar merchants need to know about it.
If you’re planning on buying a new PIN pad device between now and May of 2011, choose wisely. It may not be compliant when the new standards come into play.
For some details on this new problem, there’s a good article over at Evan Schuman’s Storefront Backtalk. It has some good references including where to find a list of approved devices.
Go on over and give it a read!


Think PCI compliance isn’t important? The Dave & Buster’s restaurant chain got 20 years of ‘probation’ for being a non-compliant victim.
Dave & Buster’s is one of a long list of merchants that was hacked by Albert Gonzalez. Gonzalez is currently spending 20 years in Federal prison for his part in a string of data breaches that resulted in the compromise of over 170 million credit and debit cards. Dave & Buster’s only had 130,000 card numbers stolen.
An article in Evan Schuman’s Storefront Backtalk reported this morning that, as a result of that breach, Dave & Buster’s must submit to no less than 20 years of scrutiny by the Federal Trade Commission.
You read that right. The FTC has ruled that the restaurant chain “engaged in a number of practices that, taken together, failed to provide reasonable and appropriate security for personal information on its computer networks.” In other words, they were not PCI compliant. As a result, Dave & Buster’s will spend the next 20 years reporting their compliance standards to the FTC.
The price of being a victim of a crime.