2015 is a year of major changes in the US credit card and payment industry. There are new regulations for PCI compliance and a liability shift for businesses that do not upgrade their payment system to CHIP technology. Halo Metrics has been working with retailers and businesses to protect POS terminals from attacks and fraud attempts. Review our presentation for more information about this crime and what you can do to prevent it. Visit our websites below as well:
www.halometrics.com | stopdatabreach.today
2. Overview
– Introduction to Halo Metrics
• Loss prevention solutions (Canada & US)
• The Halo Metrics Experience
– POS Data Breach
• Malware attacks vs. Skimming
• How Data is taken
• Will EMV Chip technology help?
• Examples of PIN Pad tampering
• Liability Shift
• PCI Compliance
– Customised Solutions for POS Equipment
– Conclusion & Questions
6. What is Halo’s Experience Protection?
It is about protecting the honest consumer’s shopping experience.
99% of consumers are honest.
Loss Prevention can enhance and protect the total consumer shopping experience.
This includes point of sale.
7. Point of Sale
Point of Sale is an important step in the shopping experience.
A great experience here involves having quick moving lines, friendly service and quick but secure payment processing.
8. Data Breach is a Major Issue…
Many retail businesses have been hit by credit card data breaches from Point of Sale systems.
9. How does it happen?
Two primary methods include:
1) Malware virus planted in payment servers or equipment
2) Tampering with POS equipment or “Skimming” attacks
*image courtesy of symantec.com
10. Malware on POS Equipment or Servers
POS malware exploits a gap in the security of how card data is handled. While card data is encrypted as it’s sent for payment authorization, it’s not encrypted while the payment is actually being processed, i.e. the moment when you swipe the card at the POS to pay for your goods.
11. “Skimming” Attacks involve Theft & Tampering of POS Equipment
EXAMPLE: Two person team about to steal a POS card swipe machine
12. Theft can happen to any business
One partner looks out while the other starts the theft of the POS equipment.
Note the time: 19:52:02
13. Gone in 60 seconds…
He has removed the device.
Note the time: 19:53:00
20. The Data is Sold Online:
Data in Track 1 has less value because it can only be used online.
Data in Track 2 is more lucrative as it is used to clone cards used in bricks and mortar businesses.
Source: http://www.symantec.com/connect/blogs/demystifying-point-sale-malware-and-attacks
21. Will EMV (Chip) Technology Help?
Chip + PIN enabled technology does make it more difficult to counterfeit cards.
This is not new technology! It has been implemented all over the world and fraud still occurs.
22. Liability Shift in October 2015
The party that is the cause of a chip-on-chip transaction not occurring (i.e., either the issuer or the merchant’s acquirer) will be financially liable for any resulting card-present counterfeit fraud losses.
23. June 30, 2015 – Protect your POS Device
Current PCI Compliance regulations require that payment devices must be protected from tampering and substitution.
Payment Card Industry (PCI) Data Security Standard
Welcome to Halo Metrics presentation on POS Fraud Prevention.
Here is a quick overview of what we are going to cover. Our goal is to spend 15 minutes on the presentation and leave 5 minutes for any questions you may have. The big topics we are going to cover include:
A bit of a quick overview of who Halo Metrics is
Discuss POS Data breach
Review Halo Metrics security solutions for POS equipment
Then we will wrap up with questions and remind you to take your POS Theft Prevention Kits with you
Halo Metrics is an established loss prevention security solutions provider based in Canada with two major offices. One is located on the West coast in Vancouver with the other in the East in Toronto. We are the exclusive distribution partners for several well known security brands including:
Checkpoint Systems EAS Solutions
Alpha High Shrink Solutions
Invue Display Alarm Solutions
We support these brands exclusively in Canada.
In addition to these categories of security solutions we also offer a strong range of facilities security options. This includes POS Hardware security, Convex Mirrors, and Turnstile Crowd Control solutions.
For over 26 years Halo Metrics has been working with retailers of all sizes and geographical reach. Canada’s distance West to East is 5780 miles and Halo Metrics is able to reach all major points with product delivery within 48 hours of placing an order.
Halo Metrics’ tagline speaks to Experience Protection.
We understand that retail is all about the honest consumer’s shopping experience and not hindering the buying process.
We know that 99% of consumers that walk into a store are honest and simply want access to merchandise free of constraints.
Loss Prevention can play a major role in protecting this experience by creating a secure environment that deters theft but allows customer interaction and purchasing to happen.
We also understand that Point of sale is a major piece of the consumer shopping experience….
You can lose a customer at Point of Sale. If the lines are too long, if the staff are not polite, and if the payment process doesn’t look secure you can lose that customer in the last stages of buying.
Picture from: http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
It is not a secret that Data Breach related to credit card fraud has been front page material recently. It is an international issue but several US retailers have been hit hard as well.
Sales transactions occur through a network of servers, POS hardware, and the Internet. Data can be breached at several points during the transaction. Criminals will simply pick the weakest areas and attack those points.
Two primary methods include:
Malware viruses planted on servers and POS equipment
Physically altering POS equipment to enable “Skimming” Attacks.
POS malware exploits a gap in the security of how card data is handled. While card data is encrypted as it’s sent for payment authorization, it’s not encrypted while the payment is actually being processed, i.e. the moment when you swipe the card at the POS to pay for your goods. Criminals first exploited this security gap in 2005 when a campaign orchestrated by Albert Gonzalez led to the theft of data for 170 million cards.
Since then a market has grown in the supply and sale of malware, which reads Track 2 data from the memory of the POS terminal. Most POS systems are Windows-based, making it relatively easy to create malware to run on them. This malware is known as memory-scraping malware as it looks in memory for data, which matches the pattern of the Track 2 data. Once it finds this data in memory, which occurs as soon as a card is swiped, it saves it in a file on the POS, which the attacker can later retrieve. The most well-known piece of POS malware is BlackPOS which is sold on cybercrime forums.
Source: http://www.symantec.com/connect/blogs/demystifying-point-sale-malware-and-attacks
This is a series of still pictures captured from a surveillance video.
A two person team enters a store for the purpose of stealing a POS terminal
They work as a team with one acting as a look out and the other starts the theft of the POS terminal
It is important to note the time as we go through these slides
The POS terminal has been removed from its display bracket
POS equipment can be tampered with in several ways. In this short video we see that the entire faceplate has been duplicated on this Chip + Signature pad. This is actually a very well built decoy.
The internal components are modified to easily syphon credit card data, record PIN numbers ($20 key logger device), and transmit the data wirelessly to a criminal waiting outside of the store.
This aerial view shows how Wi-Fi signals can extend far beyond the walls of a store location. Once the data is in the hands of the criminal it can be easily manipulated. The next slide shows us how this can happen:
Intro Identity Theft.info video explains how easy it is to download this data
If full track (either Track 1 or Track 2, from the magnetic stripe, magnetic-stripe image in a chip, or elsewhere) data is stored, malicious individuals who obtain that data can reproduce and sell payment cards around the world. Full track data storage also violates the payment brands' operating regulations and can lead to fines and penalties. The above illustration provides information about Track 1 and Track 2 data, describing the differences and showing the layout of the data as stored in the magnetic stripe.
Track 1 contains up to 79 characters and contains all fields of track 2. Track 2 is up to 40 characters and is used to provide shorter processing time for older dial-up transmissions.
A = Format Code (1 alpha character – “B” implies track 1)
B = PAN (13-19 characters – valid values are 0-9)
C = Separator (valid value is “^” in track one; “=” or “D” in track 2)
D = Name (2 – 26 alphanumeric and special characters; surname separated by “/”)
E = Separator (valid character is “^”)
F = Expiration Date (format is YYMM)
G = Service Code (3 numerics – differentiates cards; international interchanges; PIN requirements; etc.)
H = Reserved (CVV et al.) (brand use – includes Card Verification Values and Authentication Data)
I = PIN Block
J = CVV/CVC/CSC
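Because storing full track data violates the payment brands' rules, a practical check is to search logs and files for anything shaped like the Track 1 and Track 2 layouts described above. The following is an added example, not part of the original presentation; the function names, the sample log and the sentinel characters around each record are constructed for illustration, and the card number is a widely published test number.

```python
import re

# Layouts follow the field list above: Track 1 = format code "B", PAN, "^",
# name, "^", YYMM, service code; Track 2 = PAN, "=" or "D", YYMM, service code.
TRACK1 = re.compile(
    r"B(?P<pan>\d{13,19})\^(?P<name>[^^]{2,26})\^(?P<exp>\d{4})(?P<svc>\d{3})")
TRACK2 = re.compile(r"(?<!\d)(?P<pan>\d{13,19})[=D](?P<exp>\d{4})(?P<svc>\d{3})")

def luhn_ok(pan):
    """Luhn checksum; filters out digit runs that only look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def mask(pan):
    """Keep first six and last four digits so the report holds no full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def find_track_data(text):
    """Return one finding per full-track record found in the text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, rx in (("track1", TRACK1), ("track2", TRACK2)):
            for m in rx.finditer(line):
                month = int(m["exp"][2:])  # expiry is YYMM
                if luhn_ok(m["pan"]) and 1 <= month <= 12:
                    findings.append({"line": lineno, "kind": kind,
                                     "pan": mask(m["pan"]),
                                     "service_code": m["svc"]})
    return findings

# Constructed sample log; 4111111111111111 is a published test number.
SAMPLE_LOG = """\
2015-06-30 10:01:12 txn=1001 status=approved amount=23.10
2015-06-30 10:01:13 debug raw=%B4111111111111111^DOE/JANE^25121010000000000?
2015-06-30 10:02:40 debug raw=;4111111111111111=25121010000000000?
2015-06-30 10:03:05 order_ref=1234567890123456=20151234 note=not-a-card
"""

if __name__ == "__main__":
    for finding in find_track_data(SAMPLE_LOG):
        print(finding)
```

The last sample line has the shape of Track 2 but fails both the Luhn check and the month check, so it is not reported.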
However some sellers also offer the more lucrative “Track 2” data. This is shorthand for the data saved on a card’s magnetic strip. This data is more lucrative as it allows criminals to clone cards, meaning they can be used in brick-and-mortar stores or even ATMs if the PIN is available. The value of the data is reflected in the online sale price and these prices vary widely. CVV2 data is sold for as little as $0.1 to $5 per card while Track 2 data may cost up to $100 per card.
Source: http://www.symantec.com/connect/blogs/demystifying-point-sale-malware-and-attacks
EMV Chip technology is not new and has been around for years in Europe, Asia, and Canada. EMV technology does make it more difficult to counterfeit cards but the fact remains that it can be defeated through sophisticated methods. Google the term “Pre-play attacks” and you will see how this can happen.
Financial institutions have mandated a change to EMV Chip technology, and they are using a liability shift policy to motivate businesses to make this a timely transition. Essentially, if fraud occurs, the entity that is using the weaker technology will be held liable.
The deadline for this changeover is October 2015
You may or may not be involved with this process
Usually it is the IT team and loss prevention that is involved with the overall strategy
The latest PCI DSS version 3.0 has several updates in its guidelines, including a revision to point 9.9, which now makes it a requirement to physically secure your POS equipment from being tampered with or substituted.
About 6 or 7 years ago customers began coming to Halo Metrics and asking for POS security solutions. Canada has EMV CHIP and PIN technology but the Skimming attacks were on the rise. For us it started in Quebec where organized crime rings were stealing payment terminals so that they could modify the units and reinstall them to collect consumer banking information.
Today we have continued to evolve our solutions to protect a wide range of POS devices and as a security company our solutions are more robust and secure than most that you will find in the marketplace.
In our process you can scale the level of security you need. First pick the POS security platform you require. This will depend on your cash fixtures and if you need to allow for access for physically challenged customers.
In the many years we have been building POS security posts and brackets we have incorporated many security features. We can meet your customized needs. If you don’t see it we can build it.
We have deployed solutions in large grocery store chains and small regional businesses as well. Our product is manufactured in Toronto, Canada and can easily be delivered to any point in the US. The advantage of working with a Canadian partner right now includes a strong US dollar, which helps reduce the costs of bringing in stock from Canada.