Easy €3.2 Million! Who doesn't want that?

Yesterday's incredible story from France! A card skimming gang stole 3M euros using ghost PoS terminals.

In my mind here are the highlights of the story:

  • The ghosted POS terminals were deployed in public, customer-facing locations
  • The terminals evidently were not processing real transactions, which makes it slightly interesting (a customer normally notices when a payment doesn't go through)
  • What's incredible about this is that (at least according to the story) it's just 12 humans, that's it! So, the average take per human involved in the crime (assuming it took 6 months of effort):
    • 12 humans, 6 months, €3M (call it $3MM; nice round numbers, for the sake of simplicity)
    • $250,000 each in 6 months!
    • Calculating it out as a regular salaried job: $500K/year
    • Oh, did I mention, this is net; it's unlikely they were paying taxes on it
    • So, expressed as regular US W2 income, that's well over $750K/year gross

I know what you are thinking: "Let's do EMV." Mind you, EMV has been deployed in Europe for close to a decade, and this gang operated in France. This is not an EMV problem; let's not go there.

The point of the analysis:

  • Incredibly lucrative business! Who wouldn't want to get in on that action?
  • Let's please not ignore the fact that these guys all ended up in prison in the end!
  • So, big bold disclaimer, if it wasn't incredibly obvious...
    This is illegal, don't try it! We don't encourage/endorse this.

However, taking a page from one of my favorite books, Freakonomics: there is a tremendous incentive for someone committing this crime. Put it in a Freakonomics perspective...

A drug dealer boss in Chicago makes about $250K. They need to endure constant threats to their lives from rival gangs and fend off people from their organization trying to climb up the ladder.

I highly doubt the skimming crew faced anything like that.

Inherently, I believe POS/ATM skimming crimes are easy. Yes, there is sophistication these days (3D-printed overlays and such), but in the end the attacker has a huge advantage...

Information Asymmetry

In normal life, this plays out every time you visit a mechanic. Consider going in for an oil change. You leave your car there, and wait in the "waiting room". The mechanic looks at the car, comes back and says "you need to replace your water pump and your timing belt/chain. It is in pretty bad shape, you really need to do it today." Unless you happen to be an expert mechanic, you have two disadvantages...

  • You really need to get out of there, so you need the car back
  • You have no way of validating the mechanic's claims.

Typically you overcome this disadvantage with a second opinion (which suffers from the same asymmetry, but you get my point)...

In the context of skimmers, this plays out with consumers.

  • A consumer walking up to an ATM has absolutely no way of knowing whether there is a skimmer on it at all.
  • The same goes for the card terminals in taxicabs and discount stores, which were apparently among the targets of this attack. That's unbelievable!

What can you do about it as an organization?

Sorry to say, there is no easy button. You have to get into the habit of inspecting your terminals regularly!
We have a product that can make this process easy. You can reduce the cost of inspection by making it easy, by reducing the expertise required, and so on, but at the end of the day you still have to do it.

PCI DSS addresses this exact responsibility in the form of requirement 9.9: maintain an up-to-date list of your card-capture devices (make, model, location, serial number), periodically inspect them for tampering or substitution, and train the staff who work around them to spot it. If you don't know what that requirement is, or have questions, feel free to contact us. If you are unclear about the requirement, our friends at Coalfire are doing a webinar (in which I will be participating and presenting some of this information). Register for it here.
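To make the 9.9 bookkeeping concrete, here is an added example in Python (my own illustration, not our product's code and not anything PCI SSC publishes). It keeps a constructed device list of the kind 9.9.1 asks for, takes the serial numbers and locations an inspector actually read off the terminals during a walk, and flags the three things an inspection exists to catch: a device whose serial no longer matches the list (a swapped terminal), a device that is missing from its recorded location, and a device on the floor that isn't on the list at all. It also flags devices whose last recorded inspection is older than an assumed 30-day interval; PCI DSS leaves the frequency to your risk assessment, so that number is a placeholder. All asset tags, makes, models, serials and dates are made up.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed policy value; PCI DSS 9.9 does not prescribe an interval, your risk assessment does.
INSPECTION_INTERVAL_DAYS = 30


@dataclass(frozen=True)
class Device:
    """One entry in the 9.9.1 device list, plus when it was last physically checked."""
    make: str
    model: str
    serial: str
    location: str
    last_inspected: date


# Constructed inventory keyed by the merchant's own asset tag. Every value is made up.
INVENTORY = {
    "POS-001": Device("Ingenico", "iCT250", "SN-A1B2C3", "Lane 1", date(2014, 3, 1)),
    "POS-002": Device("Ingenico", "iCT250", "SN-D4E5F6", "Lane 2", date(2014, 3, 1)),
    "POS-003": Device("Verifone", "Vx520", "SN-G7H8I9", "Customer service desk", date(2014, 1, 15)),
}

# Constructed observations from one inspection walk:
# asset tag -> (serial read off the device, location where it was found).
# A None serial means the inspector could not find that device at all.
OBSERVED = {
    "POS-001": ("SN-A1B2C3", "Lane 1"),
    "POS-002": ("SN-ZZZ999", "Lane 2"),   # serial differs from the list: substituted terminal
    "POS-003": (None, None),              # not at its recorded location
    "POS-009": ("SN-Q1W2E3", "Lane 3"),   # a terminal nobody put on the list
}

# The (constructed) date of the walk above.
WALK_DATE = date(2014, 3, 20)


def reconcile(inventory, observed, today, interval_days=INSPECTION_INTERVAL_DAYS):
    """Compare the device list with what was seen in the field.

    Returns a sorted list of (asset_tag, finding_type, detail) tuples; an empty
    list means every listed device was found, matched, and inspected on time.
    """
    findings = []
    for tag, dev in inventory.items():
        # Overdue is judged against the list, i.e. how stale the record was when this walk happened.
        if today - dev.last_inspected > timedelta(days=interval_days):
            findings.append((tag, "OVERDUE", f"last inspected {dev.last_inspected.isoformat()}"))
        if tag not in observed or observed[tag][0] is None:
            findings.append((tag, "MISSING", f"not found at {dev.location}"))
            continue
        serial, location = observed[tag]
        if serial != dev.serial:
            # The core substitution check: the box at this spot is not the box on the list.
            findings.append((tag, "SERIAL_MISMATCH", f"inventory {dev.serial}, observed {serial}"))
        if location != dev.location:
            findings.append((tag, "MOVED", f"inventory {dev.location}, observed {location}"))
    for tag, (serial, location) in observed.items():
        if tag not in inventory and serial is not None:
            findings.append((tag, "UNKNOWN_DEVICE", f"serial {serial} at {location}"))
    return sorted(findings)


if __name__ == "__main__":
    for tag, kind, detail in reconcile(INVENTORY, OBSERVED, WALK_DATE):
        print(f"{tag}: {kind} ({detail})")
```

Run it and you get one line per problem: the swapped serial on POS-002, POS-003 both missing and overdue, and the unlisted POS-009. The serial check is the one that matters for skimming: a terminal that has been replaced with a look-alike will pass a glance, but not a comparison against the recorded serial.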

What can you do about this as a consumer?

Not much, really, at this point. You can be thankful for where you live. I know of many folks in other countries who have lost their entire life savings to a skimming attack, because the banks in those countries are not liable for the loss. If you live in the US or Europe, luckily for you, the bank will eventually refund your money.

Header image photo credit to aranjuez1404 used under CC 2.0.