Know Your Enemy

At many tourist sites, you will often see warnings to protect your valuables against pickpockets. Criminals know that visitors’ attention will be focused on the attraction they came to see and they will be less aware of their surroundings and their personal belongings. This makes them easier targets. Another common tactic used by street criminals is to intentionally distract a potential victim. The victim is “turned” by a loud noise, a spilled drink, or similar distraction, and they momentarily lose awareness of their personal belongings, making them an easier mark.

When developing a strategy to protect your point of sale environment, it’s important to understand your adversaries. What are the tactics they might use to get skimming gear into your environment? Can you recognize their tactics and behavior, and more importantly, can your staff who are manning the POS?

Recent coverage of a skimming incident at a major retailer revealed that “criminals worked in groups so one person could distract the sales associate while another person surreptitiously attached a small capture device to the keyboard cable at the back of the register.” Devices were installed on 10 registers, and this activity was captured by the stores’ surveillance cameras. Despite this out-of-the-ordinary behavior, the incidents were not investigated until the attack was discovered via other means. The skimming devices remained in place for 52 days.

This incident gives merchants several important insights that can go into a successful skimming prevention program. First, know your enemy! Learn to spot the tactics that might be used by criminals to get skimmers into your environment, and make sure that floor staff and loss prevention teams can recognize them as well. This is why PCI DSS requirement 9.9.3 emphasizes employee education as a key tactic for skimming prevention. Second, develop a program to review visual evidence on a regular basis. Whatever you decide is the right interval, it can’t be anywhere near 52 days. Having a solution that makes the inspection process easy can make implementing a regular schedule easier. Finally, criminals who perpetrate skimming attacks are brazen – they executed this suspicious attack in view of surveillance cameras 10 times over. Do not underestimate your adversaries – instead, make them realize they underestimated you because you know how they operate and took appropriate countermeasures.

(Photo taken from this photostream and used with permission of a Creative Commons license.)