With so much attention, rightfully so, paid to bank account takeovers at small businesses, churches, school districts, county and other local government agencies — all courtesy of the Zeus trojan — almost no focus has been given to a new type of flash attack that has hit several banks and payment processors I talked with over the last couple of weeks.
And this attack type is particularly worrisome since:
a) there aren’t any ‘security standards’ like PCI that aim to stop point-of-sale or ATM card reader tampering, and
b) the resulting cash transactions fly under the radar of existing fraud detection systems – they are typically small amounts that don’t raise any alarms.
Here’s how the attack works (we heard something resembling this type of attack in the news regarding the recent hacks into Aldi grocery store point-of-sale systems in multiple states, although details of that hack were lacking):
a) The crooks figure out how to put skimmers in a point-of-sale card reader at a given retailer or store.
b) They put the skimmer in the point-of-sale (POS) device, where it skims the magnetic stripe information on debit cards and records the user PIN.
c) They repeat step b above for all similar POS reader models for a given retailer or group of retailers, across states and geographies.
d) The skimmed data is transmitted to a central drop location that the fraudsters have access to.
e) The fraudsters then take the data and use it to create hundreds or thousands of counterfeit debit cards, and scotch tape the PIN belonging to each card onto the plastic card.
f) They line up their cronies (or mules) to all go to at least a hundred ATM machines at the same time, and use a few of these cards (about five) in each of these machines, which are scattered across a country (e.g. the U.S. or Canada).
g) The mules withdraw small amounts on each card – and within ten minutes, simultaneous withdrawals at all these ATM machines add up to about $100,000 in proceeds.
h) They repeat this exercise a few more times over the course of the month. At the end of the month, the total heist can add up to $500,000.
i) The mules get their fair share and are happy to sign up for the next round.
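The reason this pattern slips past existing fraud systems is that every single withdrawal is small; what stands out is the aggregate across ATMs and cards in a short window. As an added example (not code from the original post, nor from any bank's or processor's fraud system), the Python below buckets ATM withdrawals into ten-minute windows and raises an alert when one window contains far more distinct ATMs and distinct cards than usual even though no individual amount exceeds the "small" ceiling. The thresholds, the ATM and card identifiers, and the withdrawal records are all constructed for this example; a processor would derive the thresholds from its own baseline.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Fixed bucket width: the post describes the proceeds landing "within ten minutes".
WINDOW_MINUTES = 10

# Thresholds are assumptions for this example; a processor would derive them from
# its own baseline of how many ATMs and cards are normally active in ten minutes.
MIN_DISTINCT_ATMS = 50
MIN_DISTINCT_CARDS = 200
MAX_SINGLE_AMOUNT = 300.0  # per-withdrawal amounts that never trip an amount rule


def build_sample():
    """Constructed data: an hour of ordinary traffic (20 ATMs, one withdrawal
    roughly every 90 seconds) followed by a coordinated burst of 100 ATMs with
    five cards each, all inside ten minutes. Records are
    (timestamp, atm_id, card_token, amount_usd)."""
    base = datetime(2010, 6, 1, 12, 0, 0)
    records = []
    for i in range(40):
        records.append((base + timedelta(seconds=90 * i),
                        f"atm-{i % 20:03d}", f"card-normal-{i:04d}", 120.0))
    burst_start = base + timedelta(hours=1)
    n = 0
    for atm in range(100):
        for _ in range(5):
            # 500 withdrawals spread evenly over the ten-minute burst
            records.append((burst_start + timedelta(seconds=(n * 600) // 500),
                            f"atm-{atm:03d}", f"card-skimmed-{n:04d}", 200.0))
            n += 1
    return sorted(records)


def window_start(ts):
    """Floor a timestamp to the start of its ten-minute bucket."""
    return ts.replace(minute=(ts.minute // WINDOW_MINUTES) * WINDOW_MINUTES,
                      second=0, microsecond=0)


def detect_bursts(records):
    """Return one alert per ten-minute window whose distinct-ATM and
    distinct-card counts exceed the thresholds while every withdrawal in the
    window is individually small."""
    buckets = defaultdict(list)
    for ts, atm, card, amount in records:
        buckets[window_start(ts)].append((atm, card, amount))

    alerts = []
    for start in sorted(buckets):
        rows = buckets[start]
        atms = {atm for atm, _, _ in rows}
        cards = {card for _, card, _ in rows}
        all_small = all(amount <= MAX_SINGLE_AMOUNT for _, _, amount in rows)
        if len(atms) >= MIN_DISTINCT_ATMS and len(cards) >= MIN_DISTINCT_CARDS and all_small:
            alerts.append({
                "window_start": start,
                "distinct_atms": len(atms),
                "distinct_cards": len(cards),
                "total_usd": sum(amount for _, _, amount in rows),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_bursts(build_sample()):
        print(f"{alert['window_start']:%H:%M}: {alert['distinct_atms']} ATMs, "
              f"{alert['distinct_cards']} cards, ${alert['total_usd']:,.0f}")
```

Run as-is, the ordinary hour produces no alert, while the burst window reports 100 ATMs, 500 cards and $100,000 in total, the figure the post quotes, even though each withdrawal is only $200. Fixed buckets are used rather than a sliding window so that one burst yields one alert instead of a stream of overlapping ones.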
What Can Be Done?
The only successful fraud mitigation strategy I’ve seen that works in practice today is that once the first round of fraud is discovered, an acquiring processor or a payment network tries to figure out the point of compromise for these cards. If that is determined, then all cards that were used at that point of compromise (i.e. the breached entity's site) are put on a blacklist and are rejected for future use at a point-of-sale or ATM machine. This is obviously a costly measure, since new cards and accounts generally have to be reissued to the customers – plus it can jeopardize customer relationships – but the alternative is far less attractive, i.e. risking having the customer account drained.
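The point-of-compromise search this paragraph describes is usually done as a common-point-of-purchase analysis: take the cards already confirmed as fraudulent, find the merchant that most of them have in common, then pull every card that transacted there for blocking and reissue. As an added example (not code from the post, from Gartner, or from any payment network), the Python below does that over a constructed transaction history; the merchant ids, card tokens, and the choice to rank by share of fraud cards first and the merchant's own fraud rate second are assumptions made for the example.

```python
from collections import defaultdict


def build_history():
    """Constructed transaction history as (card_token, merchant_id) pairs:
    200 ordinary cards seen at three merchants each, plus 12 cards later
    confirmed fraudulent, 11 of which were used at merchant-03 and all of
    which also shopped elsewhere."""
    merchants = [f"merchant-{m:02d}" for m in range(10)]
    history = []
    for c in range(200):
        card = f"card-{c:04d}"
        for j in range(3):
            history.append((card, merchants[(c + j) % 10]))
    fraud_cards = []
    for i in range(12):
        card = f"card-f{i:02d}"
        fraud_cards.append(card)
        if i < 11:
            history.append((card, "merchant-03"))
        history.append((card, merchants[i % 10]))
        history.append((card, merchants[(i + 5) % 10]))
    return history, fraud_cards


def rank_points_of_compromise(history, fraud_cards):
    """For each merchant that saw at least one confirmed-fraud card, report how
    many fraud cards it saw, what share of all fraud cards that is (coverage),
    and what share of the merchant's own cards went bad (fraud rate). The
    common point of purchase is the merchant with the highest coverage."""
    cards_at = defaultdict(set)
    for card, merchant in history:
        cards_at[merchant].add(card)
    fraud = set(fraud_cards)
    results = []
    for merchant, cards in cards_at.items():
        hits = len(cards & fraud)
        if hits == 0:
            continue
        results.append({
            "merchant": merchant,
            "fraud_cards_seen": hits,
            "coverage": hits / len(fraud),
            "fraud_rate": hits / len(cards),
        })
    results.sort(key=lambda r: (r["coverage"], r["fraud_rate"]), reverse=True)
    return results


def cards_to_block(history, merchant):
    """Every card that transacted at the point of compromise: the set the post
    says gets blacklisted and reissued, including cards not yet seen in fraud."""
    return sorted({card for card, m in history if m == merchant})


if __name__ == "__main__":
    history, fraud_cards = build_history()
    ranked = rank_points_of_compromise(history, fraud_cards)
    top = ranked[0]
    print(f"likely point of compromise: {top['merchant']} "
          f"({top['fraud_cards_seen']}/{len(fraud_cards)} fraud cards seen there)")
    print(f"cards to block and reissue: {len(cards_to_block(history, top['merchant']))}")
```

Ranking by coverage alone would be fooled by a merchant every card visits, so the fraud rate is kept as a tie-breaker and as a sanity check: a genuine point of compromise has both a high share of the fraud cards and a fraud rate well above the other merchants. The block list deliberately includes the cards that have not yet been abused, which is what makes the measure costly and effective at the same time.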
And these crooks have a lot of staying power. They keep these numbers and accounts around for years and may use them one or two years after the initial breach (if the cards are still current). One banker just told me that his bank is still seeing fraud on cards allegedly stolen during the Heartland Payment Systems breach.
The long term solution: Stronger cardholder authentication, whether using Chip and PIN, dynamic PINs, mobile geolocation information, or other authentication alternatives.
Of course the long term is now, in this case.