Pin Pad Theft Securing Your Pin Pad. Protect your customers. Protect your reputation.
Pin Pad Theft • Overview: • Situational analysis • Who, what, where, how, why • Depth of problem • Organized Crime – details on the how • Consequences • Implications, Property loss, consumer confidence, media coverage • POS company reaction • Will new technology help? Chip/Pin • Solutions • Best practices • Security product solutions • Conclusion • Pin Pad Theft Prevention Kit
Halo Metrics Inc. • Loss prevention solution provider for over 20 years • Solutions include everything from security mirrors and counterfeit detectors to security peg hooks and display alarms
Halo Metrics Inc. • Over the last 3 years there has been a significant increase in PIN Pad thefts • Our customers have asked us for a better and stronger security solution to prevent these attacks • We have developed the most extensive range of PIN Pad security solutions available in Canada
What is the issue? Pin Pad terminals are being stolen, tampered with, and reinstalled for the purpose of stealing consumer banking information. This is commonly referred to as a “skimming attack” and leads to identity theft fraud.
Is it a real problem? • At Halo Metrics we have seen a significant increase in requests for PIN Pad security solutions over the last 3 years • Industry sources state that in the last year there has been a 300% increase in arrests related to PIN Pad theft
Who is involved? • Skimming is a lucrative criminal activity that is challenging to detect and prevent. • As a result it appeals to both ends of the criminal spectrum (organized crime & less sophisticated criminal elements)
Who is involved? • Theft of PIN Pads is usually an organized effort. This could include professional organized crime teams. • A typical theft attempt can involve more than one person
For example: A two-person team enters a store
For example: One partner looks out while the other starts the theft of the PIN Pad. Note the time: 19:52:02
For example: Partner proceeds to distract customer. Note the time: 19:52:09
For example: Note the time: 19:53:00
For example: Theft is complete. Note the time: 19:53:00
How does it happen? • In this incident the thief was able to remove the PIN Pad from a light gauge metal display holder in under 60 seconds • A heavy gauge metal locking security bracket could have deterred this theft • PIN Pads that are simply sitting on a counter can be removed in less than 3 seconds
How are PIN Pads tampered with? • Once PIN Pad terminals have been taken the criminals will tamper with the equipment and install a card reader • The tampered PIN Pad is either reinstalled in the original store location or another store with the same model PIN Pad
Examples of PIN Pad Attacks Information provided by:
How is the data captured? • The card reader captures banking information • This information can either be downloaded wirelessly or manually via a data cable • In the case of a manual download the thieves will come back for the PIN Pad
Consequences • For the consumer • Banking information compromised • Vulnerable to Identity Theft crimes • Monetary loss • Hassle and frustration of having to change personal documents, banking cards, etc. • Note: Banks will freeze debit cards used at a store with a tampered PIN Pad for up to 2 months • This includes all bank cards a consumer owns, not just the cards that have been compromised
Consequences • For the owner / operator • Loss of asset (PIN Pad) $300 - $500 • Potential cost of forensics and system analysis • Potential lawsuits • Employee terminations
Consequences • Shopping behaviour can be severely affected by being a victim of a skimming attack. This can include: • Change in buying patterns • Change in shopping locations • Move to alternative payment methods • Less use of debit cards
Consequences • Media Coverage • The media has been advising the general public to shop at retail businesses that have taken measures to protect PIN Pad equipment
Will Technology Help? • PIN Pad terminals are advancing • i.e. no-touch pay terminals & Chip and PIN technology • Technology advances help in the short term • All retailers will have to move to the new chip & PIN system within 5 years • It's harder to make counterfeit copies of chip & PIN cards
Will Technology Help? • The UK has used chip and PIN technology for several years now • In May of 2006 Shell suspended the use of chip and PIN payments at 600 UK petrol stations • There was a £1m chip and PIN fraud at a Shell petrol station • Story URL: http://www.silicon.com/research/specialreports/idmanagement/0,3800011361,39158743,00.htm
Will Technology Help? • “But a spokeswoman from Apacs told silicon.com criminals must have had easy access to PIN pads in order to modify them to enable the theft of PIN numbers and the copying of magnetic strip information - a task which will have taken time.” • As with any advancements criminals tend to catch up and the process becomes an ongoing cycle
Best Practices • Technologies will evolve but so will the criminals • The following recommendations will help you create processes and awareness that will deter such crimes
Risk Analysis • A risk analysis process for skimming attacks and the POS should at minimum include the following: • Identification of assets • Identification of threats • Review of probability of threats taking place
Threat & Probability • Skimming attacks happen on a frequent basis • It is one of three common threats the payment industry deals with • Factors that contribute to probability of an attack include:
Threat & Probability • High transaction volume • Criminals want to get as much account and PIN data as possible in the shortest amount of time • Merchants that have a significant number of payments for smaller dollar amounts (gas stations are an example of this) are at higher risk of a skimming attack
Threat & Probability • Terminals with heavy use • A single payment terminal used for a large number of transactions may attract skimming attacks • An example of this is an in store ATM
Threat & Probability • High Volume Sales Period • Merchants that experience predictable increases in sales activity can be targeted for skimming attacks • Examples are holidays, special events, promotions etc
Best Practices • Focus on three major areas • Physical security of store • PIN Pad terminal security • Staff and service access to PIN Pad terminals
Physical security of store • Terminal Infrastructure • Wiring and communication lines • Limit exposed cable • Make it difficult to access terminal wiring and cabling • Protect telephone rooms, panels, routers etc.
Physical security of store • Cameras and placement • Make sure ATMs and cashier tills are well lit • Locate cameras so that the area around the payment device is recorded without capturing people entering their PIN information • Immediately examine terminals if a camera has been moved, damaged, or an image has been blocked
PIN Pad terminal security • Start with an inventory of all PIN Pad models that your store uses Courtesy:
PIN Pad terminal security • Note all connections to the terminal Courtesy:
PIN Pad terminal security • Create a daily process to check all pin pad equipment for tampering Courtesy:
PIN Pad terminal security • Secure your PIN Pad equipment • Heavy Duty Security Bracket • Tamper proof label • Electronic Alarm
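One way to run the inventory, connection record, and daily tamper check described above is as a comparison against a recorded baseline. This is an added example, not part of the original presentation; the record fields, till names, model names, serial numbers and label numbers are all constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Record:
    model: str
    serial: str
    label_id: str               # number printed on the tamper-evident label
    connections: frozenset      # cables attached to the terminal
    label_intact: bool = True   # only meaningful on a daily observation

# Constructed sample data: locations, models, serials and label numbers are made up.
BASELINE = {
    "till-1": Record("ModelA", "SN1001", "LBL-0001", frozenset({"power", "ethernet"})),
    "till-2": Record("ModelA", "SN1002", "LBL-0002", frozenset({"power", "ethernet"})),
    "till-3": Record("ModelB", "SN2001", "LBL-0003", frozenset({"power", "serial"})),
}
TODAY = {
    "till-1": Record("ModelA", "SN1001", "LBL-0001", frozenset({"power", "ethernet"})),
    # Same model, different serial and label: a unit swapped for a look-alike.
    "till-2": Record("ModelA", "SN9999", "LBL-0777", frozenset({"power", "ethernet"})),
    # Right unit, but an unrecorded cable and a damaged label.
    "till-3": Record("ModelB", "SN2001", "LBL-0003",
                     frozenset({"power", "serial", "usb"}), label_intact=False),
}

def daily_check(baseline, observed):
    """Compare today's inspection with the inventory; return {location: [findings]}."""
    report = {}
    for loc, base in baseline.items():
        obs = observed.get(loc)
        if obs is None:
            report[loc] = ["terminal missing or not inspected"]
            continue
        findings = []
        for field in ("model", "serial", "label_id"):
            if getattr(obs, field) != getattr(base, field):
                findings.append(f"{field} changed: {getattr(base, field)} -> {getattr(obs, field)}")
        if not obs.label_intact:
            findings.append("tamper label broken or damaged")
        for cable in sorted(obs.connections - base.connections):
            findings.append(f"unrecorded connection: {cable}")
        for cable in sorted(base.connections - obs.connections):
            findings.append(f"recorded connection absent: {cable}")
        if findings:
            report[loc] = findings
    for loc in sorted(set(observed) - set(baseline)):
        report[loc] = ["terminal not in inventory"]
    return report

if __name__ == "__main__":
    for loc, findings in daily_check(BASELINE, TODAY).items():
        print(loc, "->", "; ".join(findings))
```

Checking the serial and label number, not just the model, matters because a tampered unit may be reinstalled in a store that uses the same model.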
PIN Pad terminal security • Terminal upgrades • Purchase terminals from an authorized distributor • Make sure that the terminal meets all security evaluative criteria set out by industry • Refer to www.pcisecuritystandards.org/pin for PCI approved terminals
PIN Pad terminal security • Terminal Disposal • Return old terminals to authorized dealers via secure shipping or direct pick up when new terminals are installed • Clear all data • Remove all business identifiers • Do not throw out into publicly accessible trash containers
PIN Pad terminal security • Check for covert cameras • False ceilings above PIN Pads • Boxes used to hold leaflets • Charity boxes next to PIN Pads
Staff and service access to PIN Pad terminals • Staff as targets • Have a policy in place that covers issues of coercion or bribery • Create a method for staff to communicate to senior management anonymously • Train staff regarding the types of fraud and terminal attacks, debit equipment, and what to do when tampered equipment is found