Why did we develop SpotSkim?
The idea for SpotSkim came from reading about two high profile skimming attacks at Level 1 merchants in 2011 and 2012. These attacks substituted POS equipment at high-traffic retail locations with compromised devices that illicitly captured large amounts of cardholder data. Skimming is not a new technique for compromising payment card data. But these incidents signaled a shift. In our minds, skimming had graduated from a fairly unsophisticated attack with limited, localized impact to an attack that was being utilized by sophisticated criminals on a broad scale.
We also recognized that, like many attacks, knowledge of how to perpetrate them successfully was certain to trickle down to a broader audience, who would in-turn seek to replicate the attacks. A theme that we will return to again and again in this blog is that criminals repeatedly target known vulnerabilities until it becomes unprofitable in terms of time, effort, or cost to do so.
We had the unfortunate realization that we were potentially at the beginning of a new wave of pervasive, sophisticated skimming attacks on POS devices. So we set out to develop a solution. We'll explore some of our thinking around what the product should be in the next series of posts.