Threat Landscape: Skimming In a Changing Environment

Threat Landscape: Skimming In a Changing Environment
Chris Forsythe, Sr. Risk Analyst, Visa, Payment Fraud Disruption & Intelligence
Stoddard Lambertson, Director, Fraud & Breach Investigations
22 February 2017
Webinar: Skimming in a Changing Environment

Disclaimer
The information or recommendations contained herein are provided "AS IS" and intended for informational purposes only and should not be relied upon for operational, marketing, legal, technical, tax, financial or other advice. When implementing any new strategy or practice, you should consult with your legal counsel to determine what laws and regulations may apply to your specific circumstances. The actual costs, savings and benefits of any recommendations or programs may vary based upon your specific business needs and program requirements. By their nature, recommendations are not guarantees of future performance or results and are subject to risks, uncertainties and assumptions that are difficult to predict or quantify. Assumptions were made by us in light of our experience and our perceptions of historical trends, current conditions and expected future developments and other factors that we believe are appropriate under the circumstance. Recommendations are subject to risks and uncertainties, which may cause actual and future results and trends to differ materially from the assumptions or recommendations. Visa is not responsible for your use of the information contained herein (including errors, omissions, inaccuracy or non-timeliness of any kind) or any assumptions or conclusions you might draw from its use. Visa makes no warranty, express or implied, and explicitly disclaims the warranties of merchantability and fitness for a particular purpose, any warranty of non-infringement of any third party's intellectual property rights, any warranty that the information will meet the requirements of a client, or any warranty that the information is updated and will be error free.
To the extent permitted by applicable law, Visa shall not be liable to a client or any third party for any damages under any theory of law, including, without limitation, any special, consequential, incidental or punitive damages, nor any damages for loss of business profits, business interruption, loss of business information, or other monetary loss, even if advised of the possibility of such damages.

Agenda
- Global Data Compromise Landscape
- Modus Operandi of a Typical Skimming Attack
- Safeguarding Against Skimming
- Responding and Reporting a Skimming Incident
- Key Takeaways

Global Data Compromise Landscape

Fraud Transitioning to Other Channels
- Targeting of older systems such as automated fuel dispensers (AFDs) and ATMs
- Fraud and attacks will continue in CNP / e-commerce channels
- Attackers will exploit insecure websites and mis-configured security settings

Internet facing websites at risk:
- Scan for vulnerabilities
- Be aware of the OWASP Top 10: www.owasp.org/index.php/category:OWASP_Top_Ten_Project

AFD:
- EMV liability shift in October 2020
- Stations in remote locations often targeted
- Skimmers and overlays more sophisticated and harder to detect
- Regularly check pumps for devices
- Review POS for overlays
- Know who to contact in case of a known or suspected attack

ATM:
- EMV liability shift in October 2017
- Overlays and cameras are more sophisticated
- Remote locations at higher risk
- Regularly check ATMs
- Ensure software is kept up to date
- Know who to contact in case of a known or suspected attack

Card Skimming: ATM Trends
- Skimming continues to be the #1 cause of fraud loss on ATMs
- Criminal techniques have grown increasingly sophisticated and diversified to avoid anti-skimming defenses
- An arms race: industrialization, avoidance techniques, sabotage, side channels

Rise in Skimming Attacks
- Criminals are targeting mag stripe data
- Criminals are shifting their attacks to skimming
- Increase in reported skimming attacks in the news
- Criminals are targeting self-checkout terminals, automated fuel dispensers and white-label ATMs
- Increasing sophistication of attacks and technology
- All stores are targeted, regardless of whether they are 100% EMV enabled
- Overlays: 3D printers are leveraged by criminals; overlays are placed in seconds, not minutes as with physical swaps, and are easier to deploy in large numbers

Modus Operandi of a Typical Skimming Attack

Overlay Examples

Shimmers

Shimmers
- Not the makeup kind
- Easy to deploy
- Targeting EMV data (static in nature)
- Issuers who do not use a dynamic cryptogram are at risk of fraud/abuse (SDA vs. DDA)
- Shimmed data may be used fraudulently via non-traditional channels: e-commerce fraud, social engineering, force posting fraud, offline posting, online banking password reset

Deep Insert Skimmers: Peering into the ATM future
- Battery powered
- Wireless capable
- Targets mag-stripe data
- Pinhole camera separate
- Easily deployed

Indicators of Compromise (AKA indicators of a skimming device)
- Sticking buttons
- Stylus pen won't fit in its holder (due to a skimming overlay)
- Tampering or damage to pumps
- Brute forcing of key locks to gain access
- Security tape is altered
- Hard to insert card into an EMV dip terminal

Staying Ahead of the Trends
- Keep in mind that most devices are Bluetooth; just because a device is recovered doesn't mean the risk is mitigated
- Bluetooth allows devices to stay in place longer: drive up, download the data and drive away (recent cases support this)
- Devices could have been placed earlier, so further investigation is needed
- Video is key to identifying a WOE (window of exposure)
- Remote wiping of data
- Cashouts using mobile phones
- Preservation of evidence: use lead-lined bags, which thwarts fraudsters from deleting evidence remotely
- Reporting of incidents to local working groups such as LE, Dept. of Agriculture and commerce groups; know who to contact and when; inform LE of new trends and risk factors
- Awareness of risk is key: proximity to highways, poorly lit pumps, sites not manned 24/7

Safeguarding Against Skimming

Device Inventory Management
- Daily checks of POS terminals
- Use teams when inspecting devices
- Maintain a log of devices and their locations within the business
- Use unique markings/stickers on your devices to quickly identify overlays
- Utilize tamper screws or cable locks
- Identify key risk areas where attacks may occur: high volume, unattended, areas with limited visibility
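The daily check above is only useful if the inspection is reconciled against the device log. The following is an added example, not code from the webinar or from Visa; the device serials, markings, seal ids and inspection notes are constructed sample data, and the indicator keywords come from the Indicators of Compromise slide.

```python
# Added example, not from the Visa webinar: reconcile a daily terminal inspection
# against the device log the slide recommends keeping. Device ids, markings and
# seal numbers below are constructed sample data.
from dataclasses import dataclass

@dataclass(frozen=True)
class Device:
    serial: str     # terminal serial number
    location: str   # where it should be, e.g. "lane 1" or "pump 7"
    marking: str    # unique sticker/marking the merchant applied
    seal: str       # tamper-seal or tamper-screw id

@dataclass(frozen=True)
class Inspection:
    serial: str
    location: str
    marking: str
    seal: str
    notes: str = ""  # free text from the inspecting team

# Physical indicators listed on the webinar's Indicators of Compromise slide.
INDICATOR_KEYWORDS = ("sticking button", "stylus", "security tape", "hard to insert", "damage")

INVENTORY = {d.serial: d for d in [
    Device("T-1001", "lane 1", "MK-A1", "SEAL-551"),
    Device("T-1002", "lane 2", "MK-A2", "SEAL-552"),
    Device("P-2007", "pump 7", "MK-P7", "SEAL-907"),
]}

def reconcile(inventory, inspections):
    """Return sorted (serial, finding) pairs; an empty list means nothing to escalate."""
    findings, seen = [], set()
    for ins in inspections:
        seen.add(ins.serial)
        ref = inventory.get(ins.serial)
        if ref is None:
            findings.append((ins.serial, "unknown device, not in inventory"))
            continue
        if ins.location != ref.location:
            findings.append((ins.serial, f"moved from {ref.location} to {ins.location}"))
        if ins.marking != ref.marking:
            findings.append((ins.serial, "marking/sticker mismatch, possible overlay"))
        if ins.seal != ref.seal:
            findings.append((ins.serial, "tamper seal changed"))
        note = ins.notes.lower()
        for kw in INDICATOR_KEYWORDS:
            if kw in note:
                findings.append((ins.serial, f"indicator reported: {kw}"))
    for serial in inventory.keys() - seen:   # logged device nobody inspected today
        findings.append((serial, "not inspected / missing"))
    return sorted(findings)
```

Any non-empty result is the trigger for the response steps later in the deck (photograph, do not confront, notify acquirer), not for a second look by the same team.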

Use of Contactless Card Readers to Minimize Skimming Risks

Magnetic stripe vulnerabilities:
- Markets that use magnetic stripe are more vulnerable to counterfeit
- EMV chip cards reduce the risk
- Card skimming still occurs in EMV markets, because the data can be used in non-EMV markets

Contactless security benefits:
- Reduces the risk of card data being skimmed, since there is no dip or swipe
- Excellent migration properties
- Just one solution to reduce the risk

Always Use PCI Approved Devices
- Follow Visa deployment requirements for use of only PCI approved PIN Entry Devices (PEDs)
- Go to www.visa.com/pin for Visa program rules
- As a best practice: use PCI approved Unattended Payment Terminals (UPT) or other solutions with PCI approved modules (encrypting PIN pad, card reader etc.)
- Use devices that are PCI approved for Secure Reading and Exchange of Data (SRED)
- 813 various devices are listed on the PCI PTS list

U.S. Automated Fuel Dispenser (AFD) Deadlines: EMV and PIN Security
Upgrade AFDs to meet EMV and PIN encryption standards:
1. EMV liability shift for U.S. AFDs: October 1, 2020
2. Proposed sunset of Single DES (SDES) at U.S. AFDs: October 1, 2020
- Visa policy allowing SDES at AFDs ends October 1, 2020
- Visa will announce details in early March
- PIN pads using SDES must be addressed by the deadline
- May use either Triple DES or AES for PIN encryption
- Adopt a "touch once" approach to achieving compliance

New AFD Acceptance Best Practices
Visa Payment Acceptance Best Practices for U.S. Retail Petroleum Merchants
- Geared toward the actions and decisions most pertinent to retail petroleum owners and operators in the U.S.
- Includes security best practices and on-the-job support tools for attending managers and employees
- www.visa.com

Responding and Reporting a Skimming Incident

Responding to a Skimming Incident: What to do if a skimmer is found
- Do not approach or confront anyone who looks suspicious: they might be installing or removing a skimming device, and may be armed and dangerous
- Document and take pictures of the skimming device as-is; document before and after removal; document date/time
- Use protective gloves to remove the device (criminals may leave DNA on the device)
- Keep the device in a protective bag and store it securely
- Review CCTV for surveillance of suspects
- Contact the local authorities and the U.S. Secret Service (U.S.S.S.); the U.S.S.S. is the law enforcement branch responsible for investigating these crimes
- Notify your acquirer, who will coordinate the investigation with Visa

How to Report a Compromise to Visa
Review the Compromised Guidelines, complete the questionnaire, send to Visa / acquirer:
1. Complete the Incident Questionnaire: issuers send it to Visa Fraud and Breach Investigations; merchants send it to their acquirer (who will forward it to Visa)
2. Skimming incidents often involve the compromise of highly sensitive PIN data
3. Issuers must be notified of the potential at-risk accounts quickly
4. Try to determine the potential Window of Exposure of the event
5. Pulling at-risk accounts: issuers pull and send compromised accounts to Visa via CAMS*; acquirers pull and send in the compromised accounts on behalf of the merchant via CAMS
6. Visa will distribute the at-risk accounts to the affected issuers via CAMS
* Note: most issuers are set up as CAMS receivers only; send an email to VAA_VRM@Visa.com to become a submitter
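Steps 4 and 5 above (determine the Window of Exposure, then pull the at-risk accounts) can be bounded by the daily inspection log: the last inspection that found the terminal clean is the earliest the device could have been placed. The following is an added example, not code from the webinar or from Visa, and it does not talk to CAMS; timestamps, terminal ids and PANs are constructed sample data.

```python
# Added example, not from the Visa webinar: bound the window of exposure (WOE)
# for a skimmer found on one terminal and pull the accounts that transacted
# there inside that window. Timestamps, terminal ids and PANs are constructed.
from datetime import datetime

# Constructed transaction log: (timestamp, terminal id, PAN).
LOG = [
    ("2017-02-10T08:15:00", "P-2007", "4111111111111111"),
    ("2017-02-12T17:40:00", "P-2007", "4222222222222222"),
    ("2017-02-12T17:41:00", "T-1001", "4333333333333333"),
    ("2017-02-14T09:05:00", "P-2007", "4111111111111111"),
    ("2017-02-20T12:00:00", "P-2007", "4444444444444444"),
]

def window_of_exposure(clean_inspections, removed_at):
    """Earliest possible placement is the last inspection that found the terminal clean.
    Returns (start, end) as ISO strings; start is None when no clean inspection precedes
    removal, meaning the window is unbounded and needs further investigation (video)."""
    end = datetime.fromisoformat(removed_at)
    prior = [t for t in map(datetime.fromisoformat, clean_inspections) if t <= end]
    start = max(prior) if prior else None
    return (start.isoformat() if start else None, end.isoformat())

def at_risk_accounts(log, terminal, woe_start, woe_end):
    """Distinct PANs that transacted at the compromised terminal during the WOE."""
    end = datetime.fromisoformat(woe_end)
    start = datetime.fromisoformat(woe_start) if woe_start else datetime.min
    pans = set()
    for ts, term, pan in log:
        if term == terminal and start <= datetime.fromisoformat(ts) <= end:
            pans.add(pan)
    return sorted(pans)

def mask(pan):
    """Show only the first six and last four digits, for logs and the questionnaire."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def exposure_report(log, terminal, clean_inspections, removed_at):
    """Summary an acquirer could attach to the Incident Questionnaire."""
    start, end = window_of_exposure(clean_inspections, removed_at)
    pans = at_risk_accounts(log, terminal, start, end)
    return {"terminal": terminal, "woe_start": start, "woe_end": end,
            "unbounded": start is None, "count": len(pans),
            "masked": [mask(p) for p in pans]}
```

The full PAN list itself is what goes to the acquirer or Visa over the CAMS channel the slide describes; the report carries only masked values.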

Key Takeaways

Conclusion and Recap: What to Expect
- Recognize that criminals are targeting mag stripe data and transactions
- Skimming devices are becoming more sophisticated
- Understand how to identify different types of skimming devices
- Learn best practices for safeguarding against skimming attacks
- Conduct regular, ongoing training for current and new employees
- Know what to do if a skimmer is found and how to report a suspected compromise
- We expect these types of attacks to continue
- These attacks will not be limited to in-store
- The key to mitigating and preventing additional data loss is having a strong response plan in place

Visa Security Alerts: Information on the latest Skimming Attacks
Visit www.visa.com/cisp for recent Skimming Security Alerts from Visa

Upcoming Events and Resources

Resources:
- PCI Standards Council: Skimming Prevention
- Visa's What To Do If Compromised guidelines
- Visa's new Payment Acceptance Best Practices for U.S. Retail Petroleum Merchants guidelines: https://usa.visa.com/content/dam/vcom/global/support-legal/documents/visa-paymentacceptance-best-practices-for-us-retail-petroleum-merchants-vbs-26-jan-17.pdf
- Visa Data Security Website, www.visa.com/cisp: alerts, bulletins, best practices, white papers, webinars
- Monitor for the announcement of U.S. Automated Fuel Dispenser TDES / AES requirements in early March
- Save the date! March 29, 2017: Third Party Risk Webinar
- PCI Security Standards Council Website, www.pcissc.org: Data Security Standards (PCI DSS, PA-DSS, PTS); Programs (ASV, ISA, PA-QSA, PFI, PTS, QSA, QIR, PCIP, and P2PE); Fact Sheets (ATM Security, Mobile Payments Acceptance, Tokenization, Cloud Computing, and many more)

Questions?