23 April 2010

Are Physical #Attacks On POS PIN Pads Rising?

Written by Evan Schuman
April 21st, 2010

One of the oldest tenets in security is that professional thieves will always attack the perceived weak point of security. A burglar will hit the back door until it’s reinforced with multiple deadbolts and then he’ll turn to the window. If that’s replaced with bullet-proof glass with bars in front, he’ll ring the doorbell. If every door and window is perfectly protected, he’ll sledgehammer through the wall.

This reality is why we’re seeing a sharp increase in reported thefts of PIN pad units. Substantial efforts in recent years to protect the data within a split second of a card being swiped have done little beyond making PIN pads the victim of physical attacks. Units are replaced either with a skimmer attached or by a clone of the full device.
The attacks require more courage and brawn than a typical cyberthief displays. (Although with cyberthief extraordinaire Albert Gonzalez’s claims that he regularly performed 5,000 sit-ups per session, maybe he’d have been an exception.)
As BankInfoSecurity reported on Monday (April 19), an attack on Hancock Fabrics is an ideal example of this PIN pad trend. The chain confirmed that, last summer, “PIN pad units at a limited number of Hancock Fabrics stores were stolen and replaced with visually identical, but fraudulent, PIN pad units.”
The problem with Hancock’s statement is the four steps CEO Jane Aggers said the chain is taking to correct the issue. First, “upgrading the PIN pad units at the point of sale in all of our stores with new PIN pad units that were designed to meet the toughest security requirements.” Second, “working with forensic investigators to analyze the extent of any unauthorized access to customer information and to identify and address any issues that have been identified.” Third, “installing automated systems to monitor each of the PIN pad units daily to look for suspicious activity.” And fourth, “implementing new store-wide policies with respect to daily inspection of the PIN pad units.”
Upgrading the PIN pad units is a fine way to go. But anything short of soldering them to the wall and encasing the units with bullet-proof glass won’t address physical attacks. Although working with forensic investigators is a great thing, it won’t prevent similar attacks from happening again.
The “automated systems” that will “look for suspicious activity” sound an awful lot like video cameras, which are fine but also easily disabled. “Daily inspection” points sound like a good idea, but it’s something that will likely be relaxed within two weeks of being launched.
How about automating some of these tasks?
Or what about discreetly placing RFID tags in multiple locations around the POS area. They would constantly ping each other and loudly alert the store whenever the distance between any two tagged devices changes. The new lookalike devices would be easily detected, unless the thieves are able to remove the RFID tag and place it in the same place on the new unit.
That’s very difficult to do in a quick swap. Also, that tag can be affixed in such a way as to break the main device if it’s forcibly removed. If the units are working properly, a change in location would be detected the instant any tampering begins.
As for a skimmer being attached, perhaps a very sensitive weight verification mechanism could flag any devices that seem to gain a little mass overnight. (Good idea for PIN pads. Bad idea for columnists.)