POS Fraud Prevention
Securing Your POS. Protect your customers. Protect your reputation.

Overview
– Introduction to Halo Metrics
• Loss prevention solutions (Canada & US)
• The Halo Metrics Experience
– POS Data Breach
• Malware attacks vs. Skimming
• How Data is taken
• Will EMV Chip technology help?
• Examples of PIN Pad tampering
• Liability Shift
• PCI Compliance
– Customised Solutions for POS Equipment
– Conclusion & Questions

Since 1988

POS Hardware Security, Convex Mirrors, Turnstile Crowd Control

Customers

What is Halo’s Experience Protection?
It is about protecting the honest consumer’s shopping experience. 99% of consumers are honest. Loss Prevention can enhance and protect the total consumer shopping experience. This includes point of sale.

Point of Sale
Point of Sale is an important step in the shopping experience. A great experience here involves having quick-moving lines, friendly service and quick but secure payment processing.

Data Breach is a Major Issue…
Many retail businesses have been hit by credit card data breaches from Point of Sale systems.

How does it happen?
Two primary methods include:
1) Malware virus planted in payment servers or equipment
2) Tampering with POS equipment or “Skimming” attacks
*image courtesy of symantec.com

Malware on POS Equipment or Servers
POS malware exploits a gap in the security of how card data is handled. While card data is encrypted as it’s sent for payment authorization, it’s not encrypted while the payment is actually being processed, i.e. the moment when you swipe the card at the POS to pay for your goods.

“Skimming” Attacks involve Theft & Tampering of POS Equipment
EXAMPLE: Two-person team about to steal a POS card swipe machine.

Theft can happen to any business
One partner looks out while the other starts the theft of the POS equipment. Note the time: 19:52:02

Gone in 60 seconds…
He has removed the device. Note the time: 19:53:00

Out the door…
Theft is complete. Note the time: 19:53:00

How do they tamper with the POS?
Here is an example of a POS terminal with a fake cover:

Modifying POS:
Internal components modified to capture credit and debit card data. Data can be remotely accessed.

Data is collected and downloaded
Information provided by:

Data from Magnetic Swipe
See this video and how easy it is to download banking data:

What Kind of Data is Being Taken?

The Data is Sold Online:
Data in Track 1 has less value because it can only be used online.
Data in Track 2 is more lucrative as it is used to clone cards used in bricks-and-mortar businesses.
Source: http://www.symantec.com/connect/blogs/demystifying-point-sale-malware-and-attacks

Will EMV (Chip) Technology Help?
Chip + PIN enabled technology does make it more difficult to counterfeit cards. This is not new technology! It has been implemented all over the world and fraud still occurs.

Liability Shift in October 2015
The party that is the cause of a chip-on-chip transaction not occurring (i.e., either the issuer or the merchant’s acquirer) will be financially liable for any resulting card-present counterfeit fraud losses.

June 30, 2015 – Protect your POS Device
Current PCI Compliance regulations require that payment devices must be protected from tampering and substitution.
Payment Card Industry (PCI) Data Security Standard

Customized Security Solutions for POS
Halo Metrics offers customized security solutions for POS equipment.

Pick Your POS Security Platform

Pick your Security Options
We can custom build security options into your security stand.

Satisfied POS Security Customers

Thank you


Data Breach Prevention - Start with your POS Terminal!


Editor's Notes

  1. Welcome to Halo Metrics presentation on POS Fraud Prevention.
  2. Here is a quick overview of what we are going to cover. Our goal is to spend 15 minutes on the presentation and leave 5 minutes for any questions you may have. The big topics we are going to cover include: A bit of a quick overview of who Halo Metrics is Discuss POS Data breach Review Halo Metrics security solutions for POS equipment Then we will wrap up with questions and remind you to take your POS Theft Prevention Kits with you
  3. Halo Metrics is an established loss prevention security solutions provider based in Canada with two major offices. One is located on the West coast in Vancouver with the other in the East in Toronto. We are the exclusive distribution partners for several well known security brands including: Checkpoint Systems EAS Solutions Alpha High Shrink Solutions Invue Display Alarm Solutions   We support these brands exclusively in Canada.
  4. In a addition to these categories of security solutions we also offer a strong range of facilities security options as well. This includes POS Hardware security, Convex Mirrors, and Turnstile Crowd Control solutions.
  5. For over 26 years Halo Metrics has been working with retailers of all sizes and geographical reach. Canada’s distance West to East is 5780 miles and Halo Metrics is able to reach all major points with product delivery within 48 hours of placing an order.
  6.  Halo Metrics tag line speaks to Experience Protection. We understand that retail is all about the honest consumers shopping experience and not hindering the buying process. We know that 99% of consumers that walk into a store are honest and simply want to access to merchandise free of constraints. Loss Prevention can play a major role in protecting this experience by creating a secure environment that deters theft but allows customer interaction and purchasing to happen We also understand that Point of sale is a major piece of the consumer shopping experience….
  7. You can lose a customer at Point of Sale. If the lines are too long, if the staff are not polite, and if the payment process doesn’t look secure you can lose that customer in the last stages of buying.
  8. Picture from: http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/ It is not a secret that Data Breach related to credit card fraud has been front page material recently. It is an international issue but several US retailers have been hit hard as well.
  9. Sales transactions occur through a network of servers, POS hardware, and the Internet. Data can be breached at several points during the transaction. Criminals will simply pick the weakest areas and attack those points. The two primary methods are: malware planted on servers and POS equipment; and physically altering POS equipment to enable “Skimming” attacks.
  10. POS malware exploits a gap in the security of how card data is handled. While card data is encrypted as it’s sent for payment authorization, it’s not encrypted while the payment is actually being processed, i.e. the moment when you swipe the card at the POS to pay for your goods. Criminals first exploited this security gap in 2005 when a campaign orchestrated by Albert Gonzalez led to the theft of data for 170 million cards. Since then a market has grown in the supply and sale of malware, which reads Track 2 data from the memory of the POS terminal. Most POS systems are Windows-based, making it relatively easy to create malware to run on them. This malware is known as memory-scraping malware as it looks in memory for data which matches the pattern of the Track 2 data. Once it finds this data in memory, which occurs as soon as a card is swiped, it saves it in a file on the POS, which the attacker can later retrieve. The most well-known piece of POS malware is BlackPOS, which is sold on cybercrime forums. Source: http://www.symantec.com/connect/blogs/demystifying-point-sale-malware-and-attacks
  11. This is a series of still pictures captured from a surveillance video. A two-person team enters a store for the purpose of stealing a POS terminal.
  12. They work as a team, with one acting as a lookout while the other starts the theft of the POS terminal. It is important to note the time as we go through these slides.
  13. The POS terminal has been removed from its display bracket.
  14. POS equipment can be tampered with in several ways. In this short video we see that the entire faceplate has been duplicated on this Chip + Signature pad. This is actually a very well built decoy.
  15. The internal components are modified to easily syphon credit card data, record PIN numbers ($20 key logger device), and transmit the data wirelessly to a criminal waiting outside of the store.
  16. This aerial view shows how Wi-Fi signals can extend far beyond the walls of a store location. Once the data is in the hands of the criminal it can be easily manipulated. The next slide shows us how this can happen: Intro Identity Theft.info video explains how easy it is to download this data
  17. If full track (either Track 1 or Track 2, from the magnetic stripe, magnetic-stripe image in a chip, or elsewhere) data is stored, malicious individuals who obtain that data can reproduce and sell payment cards around the world. Full track data storage also violates the payment brands' operating regulations and can lead to fines and penalties. The above illustration provides information about Track 1 and Track 2 data, describing the differences and showing the layout of the data as stored in the magnetic stripe. Track 1 contains up to 79 characters and contains all fields of Track 2. Track 2 is up to 40 characters and is used to provide shorter processing time for older dial-up transmissions. The fields are:
      A = Format Code (1 alpha character; “B” implies Track 1)
      B = PAN (13-19 characters; valid values are 0-9)
      C = Separator (valid value is “^” in Track 1; “=” or “D” in Track 2)
      D = Name (2-26 alphanumeric and special characters; surname separated by “/”)
      E = Separator (valid character is “^”)
      F = Expiration Date (format is YYMM)
      G = Service Code (3 numerics; differentiates cards, international interchanges, PIN requirements, etc.)
      H = Reserved (CVV et al.) (brand use; includes Card Verification Values and Authentication Data)
      I = PIN Block
      J = CVV/CVC/CSC
  18. However, some sellers also offer the more lucrative “Track 2” data. This is shorthand for the data saved on a card’s magnetic stripe. This data is more lucrative as it allows criminals to clone cards, meaning they can be used in brick-and-mortar stores or even ATMs if the PIN is available. The value of the data is reflected in the online sale price, and these prices vary widely. CVV2 data is sold for as little as $0.1 to $5 per card, while Track 2 data may cost up to $100 per card. Source: http://www.symantec.com/connect/blogs/demystifying-point-sale-malware-and-attacks
  19. EMV Chip technology is not new and has been around for years in Europe, Asia, and Canada. EMV technology does make it more difficult to counterfeit cards, but the fact remains that it can be defeated through sophisticated methods. Google the term “Pre-play attacks” and you will see how this can happen.
  20. Financial institutions have mandated a change to EMV Chip technology, and they are using a liability shift policy to motivate businesses to make this a timely transition. Essentially, if fraud occurs, the entity that is using the weaker technology will be held liable. The deadline for this changeover is October 2015. You may or may not be involved with this process. Usually it is the IT team and loss prevention that are involved with the overall strategy.
  21. The latest PCI DSS version 3.0 has several updates in its guidelines, including a revision to point 9.9, which now makes it a requirement to physically secure your POS equipment against tampering or substitution.
  22. About 6 or 7 years ago customers began coming to Halo Metrics and asking for POS security solutions. Canada has EMV CHIP and PIN technology, but Skimming attacks were on the rise. For us it started in Quebec, where organized crime rings were stealing payment terminals so that they could modify the units and reinstall them to collect consumer banking information. Today we have continued to evolve our solutions to protect a wide range of POS devices, and as a security company our solutions are more robust and secure than most that you will find in the marketplace.
  23. In our process you can scale the level of security you need. First pick the POS security platform you require. This will depend on your cash fixtures and if you need to allow for access for physically challenged customers.
  24. In the many years we have been building POS security posts and brackets we have incorporated many security features. We can meet your customized needs. If you don’t see it we can build it.
  25. We have deployed solutions in businesses ranging from large grocery store chains to small regional businesses. Our product is manufactured in Toronto, Canada and can easily be delivered to any point in the US. The advantage of working with a Canadian partner right now includes a strong US dollar, which helps reduce the costs of bringing in stock from Canada.
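
Slide 17 lays out the Track 1 and Track 2 fields and notes that storing full track data violates the payment brands' rules. The following is an added example, not part of the original presentation: a small scanner that checks log lines for stored track data using that field layout and reports each hit with the PAN masked. The function names and sample log lines are constructed for illustration, the card number is a well-known test PAN, and start/end sentinel characters are not handled.

```python
import re

# Field layout from slide 17: PAN (13-19 digits), separator, optional name,
# expiration date (YYMM), service code (3 digits).
TRACK1 = re.compile(
    r"B(?P<pan>\d{13,19})\^(?P<name>[^^]{2,26})\^(?P<exp>\d{4})(?P<svc>\d{3})")
TRACK2 = re.compile(
    r"(?<!\d)(?P<pan>\d{13,19})[=D](?P<exp>\d{4})(?P<svc>\d{3})")

def luhn_ok(pan):
    """Luhn checksum: filters out digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def mask(pan):
    """Keep only the first six and last four digits for reporting."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def find_track_data(lines):
    """Return (line_no, track, masked_pan, expiry) for each stored-track hit."""
    hits = []
    for no, line in enumerate(lines, 1):
        for label, rx in (("track1", TRACK1), ("track2", TRACK2)):
            for m in rx.finditer(line):
                if luhn_ok(m["pan"]):
                    hits.append((no, label, mask(m["pan"]), m["exp"]))
    return hits

# Constructed sample log lines (assumption: a POS application debug log).
SAMPLE = [
    "2015-03-01 10:02:11 txn=881 status=approved amount=42.10",
    "2015-03-01 10:02:12 debug swipe=B4111111111111111^DOE/JOHN^2512101000000",
    "2015-03-01 10:02:13 debug t2=4111111111111111=25121010000000000",
    "2015-03-01 10:02:14 order=1234567890123456=99991230 (not a card)",
]

if __name__ == "__main__":
    for hit in find_track_data(SAMPLE):
        print(hit)
```

The Luhn check is what keeps order numbers and other long digit runs, such as the last sample line, out of the report.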