Tuesday, December 18, 2012

Skimming Cards at the POS

When I am named emperor of PCI, I will require every card merchant (including on every campus) to physically inspect each POS device regularly for evidence of tampering.  The PCI Council provides guidance and examples in its Skimming Prevention: Best Practices for Merchants information supplement (in the Information Supplements section).  Personally, I think it is possible that such physical inspections could be included in the revisions to PCI 3.0 and the SAQs in 2013.

In the meantime, there is no need to wait until it is required.  You can start doing it now.

I am reminded of this whole topic by a post in Brian Krebs' blog describing fake or compromised POS devices used by criminals to steal card data.  At least one criminal is selling compromised POS devices -- including top-of-the-line cellular-based wireless devices -- that capture the mag stripe and print a receipt but never actually complete the transaction.

This scam is not new.  I remember stories during my time at Visa about merchants who "sold" goods for the sole purpose of collecting payment card data.  Customers were surprised they never saw the charge for the t-shirt or other tchotchke on their account statements.  The reason was that the "merchant" never had any intention of charging their card -- they were just skimming the stripe.  Giving away the merchandise was a minor cost of doing business.

The difference today is that the scam is getting more sophisticated.

So some advice for everyone is:

  • Check your own POS devices for evidence of tampering regularly (monthly?  weekly?).  What is a good practice today may be required by PCI tomorrow.
  • Contact your issuer if you buy merchandise and no charge appears on your statement (no, you didn't get a special deal...you possibly were scammed).  And if you used a debit card (eek!), get very, very worried.
  • Never, NEVER get POS devices from anybody but your acquirer.
Oh, and I almost forgot.
  • Continue to monitor security websites and other sources of information (like the list of blogs on the right) to stay current.
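One way to make those regular inspections stick is to keep a written baseline of every terminal your acquirer delivered (serial number, location, tamper-seal id) and reconcile each inspection round against it.  The script below is an added example, not from the original post or from the PCI Council's supplement; the serial numbers, seal ids, locations and dates in it are constructed, and the 30-day inspection interval is an assumed policy, not a PCI requirement.

```python
"""Reconcile a POS terminal inventory against physical inspection records.

Added example (not from the original post). All device data below is
constructed; the 30-day inspection interval is an assumed local policy.
"""
from datetime import date

# Constructed baseline: what the acquirer delivered, and where it should be.
BASELINE = {
    "SN-1001": {"location": "Bookstore reg 1", "seal": "SEAL-A1"},
    "SN-1002": {"location": "Bookstore reg 2", "seal": "SEAL-A2"},
    "SN-1003": {"location": "Dining hall", "seal": "SEAL-A3"},
}

# Constructed inspection log: (serial, location seen, seal seen, date seen).
INSPECTIONS = [
    ("SN-1001", "Bookstore reg 1", "SEAL-A1", date(2012, 12, 17)),
    ("SN-1002", "Bookstore reg 2", "SEAL-B9", date(2012, 12, 17)),  # seal differs
    ("SN-9999", "Bookstore reg 3", "SEAL-C7", date(2012, 12, 17)),  # not in baseline
    ("SN-1003", "Dining hall", "SEAL-A3", date(2012, 11, 1)),       # last look is old
]


def reconcile(baseline, inspections, today, max_age_days=30):
    """Return sorted (finding, serial) pairs that need follow-up with the acquirer."""
    findings = []
    latest = {}  # serial -> most recent (location, seal, date) observed
    for serial, loc, seal, seen in inspections:
        if serial not in latest or seen > latest[serial][2]:
            latest[serial] = (loc, seal, seen)
    for serial, (loc, seal, seen) in latest.items():
        if serial not in baseline:
            # A terminal nobody issued: exactly the "never get POS devices
            # from anybody but your acquirer" case.
            findings.append(("unknown_device", serial))
            continue
        if seal != baseline[serial]["seal"]:
            findings.append(("seal_mismatch", serial))  # opened or swapped?
        if loc != baseline[serial]["location"]:
            findings.append(("moved", serial))
        if (today - seen).days > max_age_days:
            findings.append(("inspection_overdue", serial))
    for serial in baseline:
        if serial not in latest:
            findings.append(("never_inspected", serial))
    return sorted(findings)


if __name__ == "__main__":
    for finding, serial in reconcile(BASELINE, INSPECTIONS, date(2012, 12, 18)):
        print(f"{finding:20s} {serial}")
```

Anything flagged is a reason to call the acquirer before the terminal takes another card, not a reason to open the device yourself.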

Before You Leave for the Holidays...

There is an excellent post at the SANS Internet Storm Center on what IT departments and users (!) should do to remain secure over the upcoming holiday break.  That advice is reproduced in its entirety below:

With the holidays coming up, you might think it's time to stop thinking about security, malware and generally anything to do with work.  Unfortunately, in the area of security, the holidays are not the time to let your guard down.  It's always fun to see the up-tick in malware over significant holidays, because the malware authors plan for the time windows when their targets (that's you and yours) and the AV vendors are at reduced staff levels.

So, what should Corporate IT folks be thinking about?

Before your users go home for the holidays, ensure that everyone has their Antivirus set up to auto-update over the web.  In some corporate setups, AV clients update from a corporate server.  If your user community is all offsite over the holidays, they won't get their updates when they need them the most.  Which means that some of your users will come back in January infected, and (likely) with their AV turned off by the malware they've picked up.

Similarly on the OS side - if your users are using WSUS or some other central update service, you likely want them to either update over the internet, or force them to VPN in to get updates.  There's nothing like a zero day loose on your corporate network to make for an exciting January!

If you are on the security team, keep track of your system logs.  In particular, keep track of backup logs and IPS logs.  Even little stuff missed over the holidays does nothing but get worse over the two weeks we have off!

Think about spam.  We're all expecting a flood of e-cards in our mailboxes from friends, family, customers, vendors, and other people we do business with.  Mixed in with these expect to find some malware, and maybe even some new, ingenious malware.  It's a good idea to send a note to your users to let them know to look out for spam that might get past the filters.  Remind them that if a website or an email attachment tells them that "they might be infected", they should close that window or maybe even instruct them to reboot to kill it (you'd be surprised how many folks will press "OK" to close a window).

Think about new devices.  Off-brand picture frames have come with malware in the past, but you could just as easily see malware on cameras or those keychain picture frames.  Really, anything with a USB port that might be infected, even stuff you might not think about like USB powered remote control helicopters and cars - - yes, some of your users will plug these into their corporate laptops to charge, even if there's a charger in the box.

Your users will absolutely come back to work with new tablets, mp3 players and phones - all of which "must" have a network connection.  If you don't already have a plan (and a written policy) for dealing with these, you may have an uphill battle ahead of you (or maybe it's a battle you might have already lost).

Whatever it is, if you're in IT, expect an evil present or two from your users in January.

What should you be thinking about if you're at home, and you're NOT in IT?

Well, all the same stuff.  Be sure that all the computers at your house are updated, and have up-to-date AV protection.  Think about e-cards and other holiday spam and malware when you open mail.  Think about USB and network attached devices after it gets unwrapped and everyone wants to start plugging cables in.

And think about your extended family who might be calling you after "everything got really slow on our computer after Christmas, right after we uploaded our pictures to that new picture frame".

Because we all know that even if we're not in the IT department at work, we're certainly an "IT department of one" after we get home!

Have a good, safe holiday everyone!