Skimming Security, What You Should Know

A keyboard logger or skimmer captures every keystroke on a computer, including credit card information.

What’s new is that scammers planted skimmers in Nordstrom’s.

A skimmer is a tiny device that can be installed between a keyboard and a computer, or between a keyboard and any USB device.

Keyboard skimmers can store 2 GB of information or more.

You can purchase a skimmer online for as little as $20.

Anyone can install a skimmer in seconds. Since the device is so small, it is unlikely that anyone would know it was there.

Remove the skimmer and plug it into any other computer and you can see every keystroke entered as well as any credit card number that was scanned.

(Just a note: if you use a secure credit card reader that encrypts the card data before transmitting it to your computer, a skimmer cannot obtain the unencrypted credit card information.)

Keyboard loggers and skimmers are not necessarily illegal. As a parent or as the owner of a company, you may want to monitor exactly what your employees or children are doing. For $20, you can satisfy your curiosity.

If you visit a hotel and use a public computer, you run the risk that someone has added a keyboard logger to the computer and has access to every keystroke you enter including passwords and credit card numbers (should you enter credit card information when using the public computer).

Anyone can learn to use a keyboard logger or skimmer. It takes about 10 seconds. Please be watchful.

At some future time, remove the keyboard logger and attach it to any computer. You can see every keystroke that was used.

I’m certainly not advocating the use of a skimmer, but you need to be aware of them when using any public computer. You may also want to make sure that none of your employees have added a logger to any of your equipment.

To read about the recent Nordstrom’s incident on NBC News, go to:

Shoppers getting ripped off by tiny, high-tech cash register skimmers

Read more about the Nordstrom’s incident and see more detailed photos at:

Nordstrom finds cash register skimmers planted in Florida store

How easily can you buy one?

Buy A Keystroke Logger

I actually found lots of places to buy skimmers and key loggers. Some were fairly inexpensive and highly sophisticated. I certainly don’t want you to go out and buy one. I do want you to know how easy they are to obtain and use. We are living in a scary world. SmartPay Merchant Services follows strict guidelines when it comes to PCI Compliance and making sure our customers are informed and trained properly in how to look out for potential security threats.

Mobile Processing and Security

The uniqueness of mobile devices introduces challenges in securing that environment. General-purpose mobile devices are often built with a goal of being easy to use by the consumer. These devices do not typically provide the same level of data security you would expect when using a payment card at a traditional retail store. Due to the design, almost any mobile application could access account data stored in or passing through the mobile device. This poses a challenge for merchants to demonstrate adherence to the PCI Data Security Standard.

The same PCI principles apply to mobile for secure coding best practices and protection of account data but the people doing the coding are often different. Developers writing applications for mobile devices may not be the same developers who were trained to code web applications or traditional POS applications. As such, they may not be aware of their responsibility to create a secure work environment with quality assurance for the security that others will rely on.

Users of those applications, such as a new merchant, may be unaware of their responsibilities for safely accepting payment cards. The more secure the solution is prior to entering the market, the less risk there is to the merchant accepting payments on mobile devices.

Security is about the people, processes, and technology. As you will see, this also holds true for mobile payment acceptance.

Processes

The business owner might use the mobile device both for accepting account data and for personal use; in which case, can the activities be segregated? What if the mobile device is owned by an individual and not the employer? This raises process challenges for updating the mobile device against malware and for other patch management as part of company procedure, as these processes may be deemed as invading the privacy of the device owner.

Similarly, applications may be downloaded for personal use, and an enterprise may be unable to prevent and/or monitor mobile activity leading to unauthorized access to the account data. These are just some examples of the processes introduced by mobile devices that previously may not have been an issue for merchants using traditional, trusted POS terminals.

Technology

Can the technology help detect fraudulent use of mobile devices? Can it also be designed to respond to tampering of the application or the mobile device? As the technology matures, solutions will emerge that provide confidence to merchants that they are securing their customers’ data and preventing attacks against the powerful tool that they hold in their hand.

By following these guidelines, merchants can safely implement a mobile payment-acceptance solution that will enable mobile commerce to flourish. Let us provide guidance on reducing security risks in otherwise noncompliant mobile devices.

BYOD: Bring Your Own Device

There is one scenario this document does not discuss, and that is the BYOD (bring your own device) scenario. This is the scenario where an employee brings a device to work that the employee (who is not the merchant) owns and controls. Since the BYOD scenario does not provide the merchant with control over the content and configuration of the device, it is not recommended as a best practice.

Mobile Security Risk

Any risk that exists on a standard desktop or laptop computer may also exist on a mobile device. In addition, mobile devices may have a broader set of functionalities than standard desktop and laptop computers, resulting in more security vulnerabilities. Along with the standard communication methods of traditional desktop and laptop computers, mobile devices may also include multiple cellular technologies (e.g., CDMA and GSM), GPS, Bluetooth, infrared (IR), and near-field communication (NFC) capabilities. Risk is further increased by removable media (e.g., SIM card and SD card), the internal electronics used for testing by the manufacturer, embedded sensors (e.g., tilt or motion sensors, thermal sensors, pressure sensors, and light sensors), and biometric readers. Furthermore, vendor and network operator-level logging and debugging configurations may introduce additional risks.

An inherent risk with mobile devices is the fact that they are mobile. A mobile device with wireless connectivity allows it to be removed from a merchant’s location, which is usually assumed to be safe, and taken to a location that is convenient for the customer. This can provide benefits to the merchant but it also creates many security risks. One of the risks to the merchant is the ease for a criminal to steal such a terminal, modify it, and return it without anyone realizing it was gone. Since the mobile device has no fixed location, keeping track of it, a clear merchant responsibility, becomes more challenging. Remember, merchants are the first line of defense for POS fraud and are involved in the execution of the vast majority of controls suggested or required by PCI SSC.

For further information on mobile security and how to protect yourself, please contact SmartPay Merchant Services. If other processors do not inform you about how to protect yourself, are they really interested in helping you?

• Prevent account data from being intercepted when entered into a mobile device.
• Prevent account data from compromise while processed or stored within the mobile device.
• Prevent account data from interception upon transmission out of the mobile device.
• Protect the mobile device from malware.
• Prevent unauthorized physical device access.
• Prevent unauthorized logical device access.
• Ensure the mobile device is in a secure state (No “Jailbreaking”).
• Inspect system logs and reports.