Pin Pad Theft: Securing Your Pin Pad
Protect your customers. Protect your reputation.

Overview
– Situational analysis
  • Who, what, where, how, why
  • Depth of the problem
  • Organized crime: details on the how
– Consequences
  • Implications, property loss, consumer confidence, media coverage
  • POS company reaction
– Will new technology help? Chip and PIN
– Solutions
  • Best practices
  • Security product solutions
– Conclusion
  • PIN Pad Theft Prevention Kit

Halo Metrics Inc.
• Loss prevention solution provider for over 20 years
• Solutions include everything from security mirrors and counterfeit detectors to security peg hooks and display alarms
• Over the last 3 years there has been a significant increase in PIN Pad thefts
• Our customers have asked us for a better and stronger security solution to prevent these attacks
• We have developed the most extensive range of PIN Pad security solutions available in Canada

What is the issue?
PIN Pad terminals are being stolen, tampered with, and reinstalled for the purpose of stealing consumer banking information. This is commonly referred to as a "skimming attack" and leads to identity theft and fraud.

Is it a real problem?
• At Halo Metrics we have seen a significant increase in requests for PIN Pad security solutions over the last 3 years
• Industry sources state that in the last year there has been a 300% increase in arrests related to PIN Pad theft

Who is involved?
• Skimming is a lucrative criminal activity that is challenging to detect and prevent
• As a result it appeals to both ends of the criminal spectrum (organized crime and less sophisticated criminal elements)
• Theft of PIN Pads is usually an organized effort. This could include professional organized crime teams.
• A typical theft attempt can involve more than one person

For example (store camera stills; images not reproduced here):
• A two-person team enters the store
• One partner looks out while the other starts the theft of the PIN Pad (time: 19:52:02)
• The partner proceeds to distract a customer (time: 19:52:09)
• Still at 19:53:00
• Theft is complete (time: 19:53:00)

How does it happen?
• In this incident the thief was able to remove the PIN Pad from a light-gauge metal display holder in under 60 seconds
  – A heavy-gauge metal locking security bracket could have deterred this theft
• PIN Pads that are simply sitting on a counter can be removed in less than 3 seconds

How are PIN Pads tampered with?
• Once PIN Pad terminals have been taken, the criminals tamper with the equipment and install a card reader
• The tampered PIN Pad is either reinstalled in the original store location or in another store that uses the same model of PIN Pad

Examples of PIN Pad Attacks
(Photo slides; images not reproduced here.)

How is the data captured?
• The card reader captures banking information
• This information can be downloaded either wirelessly or manually via a data cable
• In the case of a manual download the thieves will come back for the PIN Pad
Consequences
• For the consumer
  – Banking information compromised
    • Vulnerable to identity theft crimes
    • Monetary loss
  – Hassle and frustration of having to change personal documents, banking cards, etc.
  – Note: banks will freeze debit cards used at a store with a tampered PIN Pad for up to 2 months
    • This includes all bank cards a consumer owns, not just the cards that have been compromised
• For the owner / operator
  – Loss of asset (PIN Pad): $300 - $500
  – Potential cost of forensics and system analysis
  – Potential lawsuits
  – Employee terminations
• Shopping behaviour can be severely affected by being a victim of a skimming attack. This can include:
  – Change in buying patterns
  – Change in shopping locations
  – Move to alternative payment methods
  – Less use of debit cards
• Media coverage
  – The media has been advising the general public to shop at retail businesses that have taken measures to protect PIN Pad equipment

Will Technology Help?
• PIN Pad terminals are advancing, e.g. no-touch (contactless) payment terminals and chip and PIN technology
• Technology advances help in the short term
  – All retailers will have to move to the new chip and PIN system within 5 years
  – It is harder to make counterfeit copies of chip and PIN cards
• The UK has used chip and PIN technology for several years now
• In May 2006 Shell suspended the use of chip and PIN payments at 600 UK petrol stations
• There was a £1m chip and PIN fraud at a Shell petrol station; the attack relied on physically tampered PIN pads, not on defeating the chip itself
• Story URL: http://www.silicon.com/research/specialreports/idmanagement/0,3800011361,39158743,00.htm
• "But a spokeswoman from Apacs told silicon.com criminals must have had easy access to PIN pads in order to modify them to enable the theft of PIN numbers and the copying of magnetic strip information - a task which will have taken time."
• As with any advancement, criminals tend to catch up and the process becomes an ongoing cycle

Best Practices
• Technologies will evolve, but so will the criminals
• The following recommendations will help you create processes and awareness that will deter such crimes

Risk Analysis
• A risk analysis process for skimming attacks and the POS should at minimum include the following:
  – Identification of assets
  – Identification of threats
  – Review of the probability of threats taking place

Identification of Assets
(Diagram slide; not reproduced here.)

Threat & Probability
• Skimming attacks happen on a frequent basis
  – It is one of three common threats the payment industry deals with
  – Factors that contribute to the probability of an attack include:
• High transaction volume
  – Criminals want to get as much account and PIN data as possible in the shortest amount of time
  – Merchants that have a significant number of payments for smaller dollar amounts (gas stations are an example) are at higher risk of a skimming attack
• Terminals with heavy use
  – A single payment terminal used for a large number of transactions may attract skimming attacks
  – An example of this is an in-store ATM
• High volume sales periods
  – Merchants that experience predictable increases in sales activity can be targeted for skimming attacks
  – Examples are holidays, special events, promotions, etc.

Best Practices
• Focus on three major areas
  – Physical security of the store
  – PIN Pad terminal security
  – Staff and service access to PIN Pad terminals

Physical security of store
• Terminal infrastructure
  – Wiring and communication lines
  – Limit exposed cable
  – Make it difficult to access terminal wiring and cabling
  – Protect telephone rooms, panels, routers, etc.
• Cameras and placement
  – Make sure ATMs and cashier tills are well lit
  – Locate cameras so that the area around the payment device is recorded without capturing people entering their PIN
  – Immediately examine terminals if a camera has been moved, damaged, or an image has been blocked

PIN Pad terminal security
• Start with an inventory of all PIN Pad models that your store uses
• Note all connections to the terminal
• Create a daily process to check all PIN Pad equipment for tampering
• Secure your PIN Pad equipment
  – Heavy-duty security bracket
  – Tamper-evident label (reveals that a unit has been opened or swapped; it does not prevent it)
  – Electronic alarm
• Terminal upgrades
  – Purchase terminals from an authorized distributor
  – Make sure that the terminal meets all security evaluation criteria set out by the industry
  – Refer to www.pcisecuritystandards.org/pin for PCI-approved terminals
• Terminal disposal
  – Return old terminals to authorized dealers via secure shipping or direct pick-up when new terminals are installed
  – Clear all data
  – Remove all business identifiers
  – Do not throw terminals into publicly accessible trash containers
• Check for covert cameras
  – False ceilings above PIN Pads
  – Boxes used to hold leaflets
  – Charity boxes next to PIN Pads

Staff and service access to PIN Pad terminals
• Staff as targets
  – Have a policy in place that covers issues of coercion or bribery
  – Create a method for staff to communicate with senior management anonymously
  – Train staff regarding the types of fraud and terminal attacks, debit equipment, and what to do when tampered equipment is found
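The PIN Pad terminal security slides above call for a baseline inventory, a record of every connection, and a daily tamper check. The following is an added example for this deck, not Halo Metrics' material, of how to turn those three steps into one repeatable reconciliation: each day's inspection record is compared against the signed-off baseline, and any substituted unit, changed seal, extra cable, missing pad or unissued pad is flagged for escalation. The device models, serials, seal numbers and the day's inspection data are constructed; the Terminal record layout and the finding messages are this example's own.

```python
"""Daily PIN Pad tamper check: reconcile today's inspection against a baseline.

Added example for this deck, not Halo Metrics' code. All terminal data below is
constructed; the record layout and finding messages are this example's own.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Terminal:
    location: str            # till / lane the pad is mounted at
    model: str               # as printed on the device label
    serial: str              # device serial: the identity of the physical unit
    seal_id: str             # number on the tamper-evident label across the seam
    connections: frozenset   # cables plugged in; anything beyond this is suspect


# Constructed baseline, recorded at install time when the serial and seal were
# checked against the delivery paperwork (assumed practice). Keep it somewhere
# till staff cannot edit it, e.g. a signed-off sheet held by management.
BASELINE = (
    Terminal("till-1", "PP-100", "SN-0001", "SEAL-A1", frozenset({"power", "serial"})),
    Terminal("till-2", "PP-100", "SN-0002", "SEAL-A2", frozenset({"power", "serial"})),
    Terminal("till-3", "PP-100", "SN-0003", "SEAL-A3", frozenset({"power", "serial"})),
)

# Constructed inspection record for one day. Against the baseline it shows every
# failure mode the deck describes: a pad swapped for a tampered unit of the same
# model (till-1), an extra data cable (till-2), a pad taken (till-3) and a pad
# that was never issued to this store (till-4).
OBSERVED_TODAY = (
    Terminal("till-1", "PP-100", "SN-0010", "SEAL-Q9", frozenset({"power", "serial"})),
    Terminal("till-2", "PP-100", "SN-0002", "SEAL-A2", frozenset({"power", "serial", "usb"})),
    Terminal("till-4", "PP-100", "SN-0044", "SEAL-B7", frozenset({"power"})),
)


def reconcile(baseline, observed):
    """Return sorted (location, finding) pairs; an empty list means every pad is
    the same physical unit, in place, sealed and cabled exactly as recorded."""
    expected = {t.location: t for t in baseline}
    seen = {t.location: t for t in observed}
    findings = []
    for loc, want in expected.items():
        got = seen.get(loc)
        if got is None:
            findings.append((loc, "missing: no PIN Pad found (possible theft)"))
            continue
        # Same model but a different serial is exactly the reinstall attack:
        # the thief's tampered unit looks identical to staff at a glance.
        if got.serial != want.serial:
            findings.append((loc, f"substituted: serial {got.serial} != {want.serial}"))
        if got.model != want.model:
            findings.append((loc, f"model mismatch: {got.model} != {want.model}"))
        if got.seal_id != want.seal_id:
            findings.append((loc, f"seal changed: {got.seal_id} != {want.seal_id}"))
        extra = got.connections - want.connections
        if extra:
            findings.append((loc, f"unexpected connection(s): {sorted(extra)}"))
        gone = want.connections - got.connections
        if gone:
            findings.append((loc, f"disconnected: {sorted(gone)}"))
    for loc in seen.keys() - expected.keys():
        findings.append((loc, "unknown device: not in baseline inventory"))
    return sorted(findings)


def daily_check():
    """Run today's reconciliation; any finding means take that pad out of use
    and escalate per the store's notification procedure."""
    return reconcile(BASELINE, OBSERVED_TODAY)


if __name__ == "__main__":
    for location, finding in daily_check():
        print(f"{location}: {finding}")
```

The check is only as good as the baseline: record serial and seal numbers from the device itself at install, not from the box, and have a second person confirm them. A pad that passes every field above can still be tampered internally, so the daily check complements, rather than replaces, the bracket, label and alarm measures listed on the slides.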
Staff and service access to PIN Pad terminals
• Hiring and staff awareness
  – Background checks (criminal, financial, education, etc.)
  – If it is not possible to get background checks, record at least:
    • Full name / address / home phone number
    • Date of birth
    • Photo
    • Previous work history
    • SIN, etc.
• Train staff regarding the notification and escalation process for reporting skimming attack incidents
  – Procedure for escalating concerns about a terminal
  – Who to contact about these concerns
  – How to contact senior management regarding a compromise
  – How management or staff contact the police
• Service access
  – Agree on a specific time and date, and confirm the name of the service engineer
  – Unannounced visits by someone claiming to be a service engineer must be denied access to terminals until credentials can be verified
  – All work performed by an engineer must be written down in a report and kept on file for six months