Skimming Update - Past 12 Months

The infographic below was presented recently at the Verifone Retail Payments Conference in Florida during the "PCI 9.9 & Device Management" session by our CEO, Vasu Nagendra, and Verifone's Chief Security Officer, Joe Majka.

This covers the last 12 months from publicly available sources, extrapolating totals where some data was missing from reports.

At the highest level, the data shows that skimming continues to be a global problem, with the United States leading the world in number of incidents.

Easy €3.2 Million! Who doesn't want that?

Yesterday's incredible story from France! A card skimming gang stole 3M euros using ghost PoS terminals.

In my mind here are the highlights of the story:

  • The POS Terminals that were ghosted were in public
  • Certainly the POS Terminals were not working, which makes it slightly interesting
  • What's incredible about this is that (at least according to the story) it's just 12 humans - that's it! So, the average rate of return per human involved in the crime (assuming it took 6 months of effort)
    • 12 humans, 6 months, $3MM (nice round numbers, for the sake of simplicity)
    • $250,000 in 6 months!
    • Calculating it out for a regular salaried job; $500K/year
    • Oh, did I mention, this is net, it's unlikely they were paying taxes on it
    • So assuming regular US W2 income, that's well over $750K/year

I know what you are thinking: "Let's do EMV." Mind you, EMV has been in Europe for close to a decade. This is not an EMV problem, so let's not go there.

The point of the analysis:

  • Incredibly lucrative business! Who wouldn't want to get in on that action?
  • Please, let's not ignore the fact that these guys all ended up in prison in the end!
  • So big bold disclaimer, if it wasn't incredibly obvious...
    This is illegal, don't try it! We don't encourage/endorse this.

However, taking a page from one of my favorite books, Freakonomics: there is a tremendous incentive for someone committing this crime. Put this in a Freakonomics perspective...

A drug dealer boss in Chicago makes about $250K. They need to endure constant threats to their lives from rival gangs and fend off people in their own organization trying to climb the ladder.

I highly doubt that the scenario exists here.

Inherently, I believe POS/ATM skimming crimes are easy. Yes, there is sophistication with the recent 3D printers and such, but in the end there is a huge advantage for the attacker...

Information Asymmetry

In normal life, this plays out every time you visit a mechanic. Consider going in for an oil change. You leave your car there and wait in the "waiting room". The mechanic looks at the car, comes back and says, "You need to replace your water pump and your timing belt/chain. It is in pretty bad shape; you really need to do it today." Unless you happen to be an expert mechanic, you have two disadvantages...

  • You really need to get out of there, so you need the car back.
  • You have no way of validating the mechanic's claims.

Typically you overcome this disadvantage with a second opinion. The same applies here, but you get my point...

In the context of skimmers, this plays out with consumers.

  • A consumer walking up to an ATM has absolutely no way of knowing if there is a skimmer on it at all.
  • Same for taxicabs and discount stores, which apparently were targeted as part of this attack. That's unbelievable!

What can you do about it as an organization?

Sorry to say, there is no easy button. You have to get into the habit of inspecting your terminals regularly!
We have a product that can make this process easy. You can think about reducing the costs of your inspection by making it easy, reducing the expertise required, etc., but at the end of the day you still have to do it.

PCI DSS addresses this exact responsibility in the form of requirement 9.9. If you don't know what that requirement is, or have questions, feel free to contact us. If you are unclear about the requirement, our friends at Coalfire are doing a webinar (in which I will be participating and presenting some of this information). Register for it here.

What can you do about this as a consumer?

Not much, really, at this point. You can be thankful for where you live. I know of many folks in different countries who have lost their entire life savings to a skimming attack. That's because banks in those countries are not responsible for the loss! If you live in the US or Europe, luckily for you the bank will eventually refund your money.

Header image photo credit to aranjuez1404 used under CC 2.0.

INFOGRAPHIC - Skimming Update

Here at Termtegrity, we are passionate about skimming. Borderline obsessed, even. So when we looked at the data we had gathered over the past 13 months on skimming incidents, both here in the US and abroad, we thought it made for some pretty interesting statistics.

We compiled this data from all the publicly available news reports we've tracked over the last year and created the infographic below.

What it shows reinforces the statement that the PCI Security Standards Council made by adding requirement 9.9 to the Data Security Standard version 3.0: that skimming is a relevant fraud tactic that merchants should be protecting themselves against.

If you have any questions about the infographic, or want to learn more about how our SpotSkim tool is helping merchants protect themselves and comply with requirement 9.9, contact us here or connect with us on Twitter at @Termtegrity.

Skimming Infographic

I’m Dreaming of a White(paper) Christmas

Christmas came a little bit early this year. Last Friday, our friends over at Coalfire published an excellent whitepaper titled “Complying with PCI-DSS Requirement 9.9 - A Qualified Security Assessor’s Perspective” that is a thought provoking and practical look at the implications the requirement will have on merchants.

If you're not aware of it yet, requirement 9 covers physical security of the point-of-sale (POS) terminals in a merchant environment. Requirement 9.9 is brand new and deals explicitly with preventing POS device tampering or substitution.

Collectively called "skimming," these attacks are on the rise and can be easy to miss until it's too late. But not if you have good processes and procedures in place for regularly and consistently inspecting your devices.

So between sips of eggnog and the "It's a Wonderful Life" reruns (or my personal favorite, "A Christmas Story"), take a few minutes to read this short paper; you can get it here.

When the deadline for complying with PCI DSS version 3.0 and all its changes hits on July 1, 2015, you'll be glad you started thinking about it now.

And from all of us here at Termtegrity, have a safe and joyful holiday season! 

The Dark Knight Is Not Out There Fighting Skimmers

One of the biggest challenges we find when working with prospective users of our solution is getting them to actually commit to action to address their skimming risk.

They know skimming is a problem they face. It's either happened to them or to other companies in their industry. They read about it every day.

It’s not hard to stop the majority of the attacks out there...

Those Who do not learn from the past...

"Those who do not learn from the past are doomed to repeat it," or variations thereof, is a profound and frequently cited quote. It's commonly attributed to Winston Churchill, but most authoritative sources attribute it originally to George Santayana in his work "Life of Reason, Reason in Common Sense."

Regardless of who the original author is, one of the reasons it's so frequently cited is its applicability to so many situations. Even point-of-sale skimming, it turns out...

Know Your Enemy

At many tourist sites you will often see warnings to protect your valuables against pickpockets. Criminals know that visitors' attention will be focused on the attraction they came to see, and that they will be less aware of their surroundings and their personal belongings. This makes them easier targets. Another common tactic used by street criminals is to intentionally distract a potential victim. The victim is "turned" by a loud noise, a spilled drink, or a similar distraction, and momentarily loses awareness of their personal belongings, making them an easier mark...

Introducing Termtegrity

Hello! And welcome to the Termtegrity blog!

It seems appropriate for a first blog post to be an introduction. We're very proud to be developing SpotSkim, the industry's first visual point-of-sale monitoring solution. Skimming has been growing in popularity as a way for criminals to steal payment card information, and merchants need a solution that can help prevent this type of attack...