Into the Breach
Data breaches: the hits just keep on coming. The Internet Crime Complaint Center (IC3), a partnership between the Federal Bureau of Investigation (FBI) and the White Collar Crime Center (NW3C), received 336,000 complaints about Internet fraud in 2009, representing $559 million worth of financial losses by consumers as well as a 22% increase over $265 million in losses recorded last year. The Financial Services Information Sharing and Analysis Center (FS-ISAC), a non-profit organization whose 4,200 members include financial services provider organizations (among them processors and ISOs), banks, and credit unions, gets 500 data breach incident reports per month, up from about 10 per month until September of 2010; such data compromises affect 1.5 to 2.5 million computers.
But what’s even scarier about these statistics is the increasing sophistication of the perpetrators who are behind them. For example, criminals have recently figured out a way to “hijack” checking account data from point of sale and other systems and use the Automated Clearing House (ACH) system to fund and replenish gift cards. Others are hacking into databases to generate ACH debits they then apply to gift card purchases. Both of these schemes are more difficult to track and uncover than those that involve “straight” hijacking of checking account data to turn it into illicit money.
In another twist, criminals have discovered a way to covertly replace merchants’ POS hardware with “rogue” equipment that can intercept credit and debit card data—and the rogue devices are so small that it is difficult, if not impossible, to detect their presence within a terminal. To further pull the wool over operators’ eyes, “bad guys” will apply a small (usually dime-sized) fake label or sticker on the exterior of the “replacement” equipment. At first glance, these stickers may look official and appear to carry legitimate product serial numbers. But don’t be fooled: they’re there to hide drill holes or other criminal entry points in the terminal. Similarly, criminals are installing rogue devices near terminals and “splicing” them into payment terminal network connections, as well as setting up more hidden cameras near payment terminals to capture PIN data.
While PCI compliance is not a guarantee against data breaches that result from schemes like the ones described above, achieving it is a critical step towards minimizing problems in the future—and pcAmerica can help. One of the first companies of its kind to offer PCI-compliant point of sale solutions, pcAmerica has upgraded its PA-DSS-certified Cash Register Express retail point of sale and Restaurant Pro Express restaurant software to satisfy requirements set forth in the latest PCI standards. For more information, visit www.pcamerica.com.
Posted: November 30th, 2010 under Data Security, News, Point of Sale, POS, POS Hardware, POS System.