Pin Pad Theft Securing Your Pin Pad. Protect your customers. Protect your reputation


  • date post

    15-Dec-2015

Transcript of Pin Pad Theft Securing Your Pin Pad. Protect your customers. Protect your reputation

Slide 1

Pin Pad Theft: Securing Your Pin Pad. Protect your customers. Protect your reputation.

Slide 2

Pin Pad Theft Overview:
  • Situational analysis
  • Who, what, where, how, why
  • Depth of problem
  • Organized crime: details on the how
  • Consequences
  • Implications: property loss, consumer confidence, media coverage
  • POS company reaction
  • Will new technology help? Chip/PIN
  • Solutions
  • Best practices
  • Security product solutions
  • Conclusion
  • Pin Pad Theft Prevention Kit

Slide 3

Halo Metrics Inc.
  • Loss prevention solution provider for over 20 years
  • Solutions include everything from security mirrors and counterfeit detectors to security peg hooks and display alarms

Slide 4

Halo Metrics Inc.

Slide 5

  • Over the last 3 years there has been a significant increase in PIN Pad thefts
  • Our customers have asked us for a better and stronger security solution to prevent these attacks
  • We have developed the most extensive range of PIN Pad security solutions available in Canada

Slide 6

What is the issue?
PIN Pad terminals are being stolen, tampered with, and reinstalled for the purpose of stealing consumer banking information. This is commonly referred to as a skimming attack and leads to identity theft fraud.

Slide 7

Is it a real problem?
  • At Halo Metrics we have seen a significant increase in requests for PIN Pad security solutions over the last 3 years
  • Industry sources state that in the last year there has been a 300% increase in arrests related to PIN Pad theft

Slide 8

Who is involved?
Skimming is a lucrative criminal activity that is challenging to detect and prevent. As a result it appeals to both ends of the criminal spectrum (organized crime and less sophisticated criminal elements).

Slide 9

Who is involved?
  • Theft of PIN Pads is usually an organized effort. This could include professional organized crime teams.
  • A typical theft attempt can involve more than one person

Slide 10

For example: A two-person team enters a store

Slide 11

For example: One partner looks out while the other starts the theft of the PIN Pad
Note the time: 19:52:02

Slide 12

For example: Partner proceeds to distract customer
Note the time: 19:52:09

Slide 13

For example:
Note the time: 19:53:00

Slide 14

For example: Theft is complete
Note the time: 19:53:00

Slide 15

How does it happen?
  • In this incident the thief was able to remove the PIN Pad from a light gauge metal display holder in under 60 seconds
  • A heavy gauge metal locking security bracket could have deterred this theft
  • PIN Pads that are simply sitting on a counter can be removed in less than 3 seconds

Slide 16

How are PIN Pads tampered with?
  • Once PIN Pad terminals have been taken, the criminals will tamper with the equipment and install a card reader
  • The tampered PIN Pad is either reinstalled in the original store location or in another store with the same model of PIN Pad

Slide 17

Examples of PIN Pad Attacks
Information provided by:

Slide 18

Examples of PIN Pad Attacks
Information provided by:

Slide 19

Examples of PIN Pad Attacks
Information provided by:

Slide 20

Examples of PIN Pad Attacks
Information provided by:

Slide 21

How is the data captured?
  • The card reader captures banking information
  • This information can either be downloaded wirelessly or manually via a data cable
  • In the case of a manual download the thieves will come back for the PIN Pad

Slide 22

Examples of PIN Pad Attacks
Information provided by:

Slide 23

How is the data captured?
Slide 24

Consequences
For the consumer:
  • Banking information compromised
  • Vulnerable to identity theft crimes
  • Monetary loss
  • Hassle and frustration of having to change personal documents, banking cards, etc.
Note: Banks will freeze debit cards used at a store with a tampered PIN Pad for up to 2 months. This includes all bank cards a consumer owns, not just the cards that have been compromised.

Slide 25

Consequences
For the owner / operator:
  • Loss of asset (PIN Pad) $300 - $500
  • Potential cost of forensics and system analysis
  • Potential lawsuits
  • Employee terminations

Slide 26

Consequences
Shopping behaviour can be severely affected by being a victim of a skimming attack. This can include:
  • Change in buying patterns
  • Change in shopping locations
  • Move to alternative payment methods
  • Less use of debit cards

Slide 27

Consequences
Media Coverage
The media has been advising the general public to shop at retail businesses that have taken measures to protect PIN Pad equipment.

Slide 28

Consequences

Slide 29

Will Technology Help?
  • PIN Pad terminals are advancing, i.e. no-touch pay terminals and chip and PIN technology
  • Technology advances help in the short term
  • All retailers will have to move to the new chip and PIN system within 5 years
  • It's harder to make counterfeit copies of chip and PIN cards

Slide 30

Will Technology Help?
  • The UK has used chip and PIN technology for several years now
  • In May of 2006 Shell suspended the use of chip and PIN payments at 600 UK petrol stations
  • There was a 1m chip and PIN fraud at a Shell petrol station
Story URL: http://www.silicon.com/research/specialreports/idmanagement/0,3800011361,39158743,00.htm

Slide 31

Will Technology Help?
  • But a spokeswoman from Apacs told silicon.com criminals must have had easy access to PIN pads in order to modify them to enable the theft of PIN numbers and the copying of magnetic strip information - a task which will have taken time.
  • As with any advancement, criminals tend to catch up and the process becomes an ongoing cycle

Slide 32

Best Practices
  • Technologies will evolve but so will the criminals
  • The following recommendations will help you create processes and awareness that will deter such crimes

Slide 33

Risk Analysis
A risk analysis process for skimming attacks and the POS should at minimum include the following:
  • Identification of assets
  • Identification of threats
  • Review of probability of threats taking place

Slide 34

Identification of Assets

Slide 35

Threat & Probability
  • Skimming attacks happen on a frequent basis
  • It is one of three common threats the payment industry deals with
  • Factors that contribute to the probability of an attack include:

Slide 36

Threat & Probability
High transaction volume
  • Criminals want to get as much account and PIN data as possible in the shortest amount of time
  • Merchants that have a significant number of payments for smaller dollar amounts (gas stations are an example of this) are at higher risk for a skimming attack

Slide 37

Threat & Probability
Terminals with heavy use
  • A single payment terminal used for a large number of transactions may attract skimming attacks
  • An example of this is an in-store ATM

Slide 38

Threat & Probability
High volume sales period
  • Merchants that experience predictable increases in sales activity can be targeted for skimming attacks
  • Examples are holidays, special events, promotions, etc.

Slide 39

Best Practices
Focus on three major areas:
  • Physical security of store
  • PIN Pad terminal security
  • Staff and service access to PIN Pad terminals

Slide 40

Physical security of store
Terminal infrastructure: wiring and communication lines
  • Limit exposed cable
  • Make it difficult to access terminal wiring and cabling
  • Protect telephone rooms, panels, routers, etc.

Slide 42

Physical security of store
Cameras and placement
  • Make sure ATMs and cashier tills are well lit
  • Locate cameras so that the area around the payment device is recorded without capturing people entering their PIN information
  • Immediately examine terminals if a camera has been moved or damaged, or an image has been blocked

Slide 43

PIN Pad terminal security
Start with an inventory of all PIN Pad models that your store uses
Courtesy:

Slide 44

PIN Pad terminal security
Note all connections to the terminal
Courtesy:

Slide 45

PIN Pad terminal security
Create a daily process to check all PIN Pad equipment for tampering
Courtesy:

Slide 46

PIN Pad terminal security
Secure your PIN Pad equipment:
  • Electronic alarm
  • Heavy duty security bracket
  • Tamper proof label

Slide 47

PIN Pad terminal security
Terminal upgrades
  • Purchase terminals from an authorized distributor
  • Make sure that the terminal meets all security evaluative criteria set out by industry
  • Refer to www.pcisecuritystandards.org/pin for PCI approved terminals

Slide 48

PIN Pad terminal security
Terminal disposal
  • Return old terminals to authorized dealers via secure shipping or direct pick up when new terminals are installed
  • Clear all data
  • Remove all business identifiers
  • Do not throw out into publicly accessible trash containers

Slide 49

PIN Pad terminal security
Check for covert cameras:
  • False ceilings above PIN Pads
  • Boxes used to hold leaflets
  • Charity boxes next to PIN Pads

Slide 50

Staff and service access to PIN Pad terminals
Staff as targets
  • Have a policy in place that covers issues of coercion or bribery
  • Create a method for staff to communicate to senior management anonymously
  • Train staff regarding the types of fraud and terminal attacks, debit equipment, and what to do when tampered equipment is found

Slide 51

Staff and service access to PIN Pad terminals
Hiring & staff awareness
  • Background checks (criminal, financial, education, etc.)
  • If it is not possible to get background checks:
  • Full name / address / home phone number
  • Date of birth
  • Photo
  • Previous work history
  • SIN etc.

Slide 52

Staff and service access to PIN Pad terminals
Train staff regarding notification and escalation process to report skimming attack incidents
  • Procedure for escalating concerns about a terminal
  • Who to contact about these concerns
  • How to contact Sr. Management regarding a compromise
  • How management or staff contact the police

Slide 53

Staff and service access to PIN Pad terminals
Service access
  • Agree to a specific time, date, and confirm name
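
The terminal-security steps in slides 43 to 46 (inventory the PIN Pad models, note all connections, check daily for tampering, apply a tamper proof label) can be combined into one daily comparison against a recorded baseline. The following is an added example, not part of the original slides; the record fields (serial number, label number), the terminal names and the sample data are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Terminal:
    location: str           # till or lane where the PIN Pad is mounted
    model: str              # from the store's PIN Pad model inventory
    serial: str             # assumed field: serial number printed on the device
    connections: frozenset  # every cable noted as attached to the terminal
    label_id: str           # assumed field: number on the tamper proof label
    label_intact: bool = True

def check(baseline, observed):
    """Compare today's inspection with the inventory; return (location, finding) pairs."""
    findings = []
    seen = {t.location: t for t in observed}
    for ref in baseline:
        cur = seen.pop(ref.location, None)
        if cur is None:
            findings.append((ref.location, "terminal missing or not inspected"))
            continue
        if (cur.model, cur.serial) != (ref.model, ref.serial):
            findings.append((ref.location, "model/serial differs from inventory"))
        extra = cur.connections - ref.connections
        gone = ref.connections - cur.connections
        if extra:
            findings.append((ref.location, "unrecorded connection: " + ", ".join(sorted(extra))))
        if gone:
            findings.append((ref.location, "recorded connection absent: " + ", ".join(sorted(gone))))
        if not cur.label_intact or cur.label_id != ref.label_id:
            findings.append((ref.location, "tamper label broken or replaced"))
    for loc in seen:  # anything inspected that the inventory does not know about
        findings.append((loc, "terminal not in inventory"))
    return findings

# Constructed sample data (not from the slides).
BASELINE = [
    Terminal("till-1", "ModelA", "SN-0001", frozenset({"power", "pos-serial"}), "LBL-101"),
    Terminal("till-2", "ModelA", "SN-0002", frozenset({"power", "pos-serial"}), "LBL-102"),
    Terminal("till-3", "ModelB", "SN-0003", frozenset({"power", "ethernet"}), "LBL-103"),
]
TODAY = [
    Terminal("till-1", "ModelA", "SN-0001", frozenset({"power", "pos-serial"}), "LBL-101"),
    Terminal("till-2", "ModelA", "SN-9999",
             frozenset({"power", "pos-serial", "unknown-cable"}), "LBL-102", False),
]

if __name__ == "__main__":
    for location, finding in check(BASELINE, TODAY):
        print(f"{location}: {finding} -> escalate per store procedure")
```

Any finding should go through the notification and escalation process described in slide 52 before the terminal is used again.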