J.D. Harrison at the Washington Post has both an interesting and factually spot-on article (Ho Ho Hackers) about preventing card fraud this holiday season. I invite you to read it (after you read this!).
Harrison lists four things the different parties involved in a purchase (merchant, customer, POS vendor) can do to help prevent card fraud, and it’s this that I want to seize on for a moment, because card fraud, or card security, or however you want to categorize it, isn’t just one party’s responsibility–it’s everyone’s responsibility–so let’s take a moment and talk about that.
And if you’re wondering what any of this has to do with an onion, just bear with me here.
Responsible manufacturers of POS equipment, like VeriFone, are continually updating the hardware and software in their products to keep up with government and industry group regulations such as PCI-DSS. These updates have to be researched, designed, built, tested and certified prior to deployment in the wild.
In addition to keeping up with certification lifecycles, vendors also have to keep an eye on emerging technology. When a new innovation comes out, like NFC for example, a determination has to be made whether or not to support it and perhaps more importantly, how best to develop a secure version of the technology before there has even been proof of an exploit.
It is probably fair to say that the primary burden of security falls on the vendor to build secure products. However, there is substantial reason for merchants to be just as diligent. The average lifespan of a POS device is anywhere from 4-7 years. In that time, any certifications the device holds have likely been superseded by one or more revisions to the software, the hardware or both. That doesn’t mean it’s no longer secure or that it suddenly needs to be ripped out and replaced; but it does mean that since that device was developed, improvements have been identified in the manufacturing of the device, and those improvements are being implemented in newer devices. A regular replacement schedule will help prevent a device’s security precautions from being made irrelevant by improvements in the technology thieves use. It will also ensure that the burden of liability doesn’t fall on the merchant, should a compromise occur.
But regardless of how long a device has been sitting on a merchant’s counter, there are basic things that can and should be done to help prevent fraud. Some of them include:
1. Maintain a strict “maintenance log” and track the name and company information of anyone who comes in to perform work on the device(s).
2. Daily, verify that the serial number printed on the device’s sticker matches the electronic serial number.
3. Don’t buy POS devices off auction sites or from anyone other than a trusted reseller. This isn’t about vendors trying to make money…this is about ensuring that the device you receive hasn’t been tampered with, that the encryption keys are intact and that if you do ever need support for it, you know whom to call.
4. If the POS is attached in any way to the Internet, ensure that it is located behind an up-to-date, secure firewall.
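As an added illustration, not part of Harrison’s article or this post, here is how a merchant might turn the checklist above into a daily audit: reconcile the sticker serial with the electronic serial, flag devices past the 7-year end of the lifespan mentioned earlier, check the procurement source and require every maintenance entry to name a technician and a company. The device names, serials and dates are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import date

MAX_SERVICE_YEARS = 7  # upper end of the 4-7 year lifespan discussed above


@dataclass
class PosDevice:
    name: str
    sticker_serial: str        # serial printed on the label
    electronic_serial: str     # serial the device reports over its admin interface
    installed: date
    source: str                # "trusted_reseller" or anything else
    # maintenance log entries: (visit date, technician name, company)
    maintenance_log: list = field(default_factory=list)


def audit_device(dev: PosDevice, today: date) -> list:
    """Return a list of findings for one device; empty means it passed."""
    findings = []
    if dev.sticker_serial != dev.electronic_serial:
        findings.append("serial mismatch (possible swapped or tampered unit)")
    age_years = (today - dev.installed).days / 365.25
    if age_years > MAX_SERVICE_YEARS:
        findings.append(f"in service {age_years:.1f} years; schedule replacement")
    if dev.source != "trusted_reseller":
        findings.append(f"procured from '{dev.source}', not a trusted reseller")
    for visit, tech, company in dev.maintenance_log:
        if not tech or not company:
            findings.append(f"maintenance visit on {visit} lacks technician/company")
    return findings


def audit_fleet(fleet: list, today: date) -> dict:
    """Map each device name to its findings so a manager can review the list."""
    return {dev.name: audit_device(dev, today) for dev in fleet}


def build_sample_fleet() -> list:
    # Constructed inventory: one clean device, one aged device with a serial
    # mismatch, one bought at auction with an incomplete maintenance entry.
    return [
        PosDevice("counter-1", "VF-1001", "VF-1001", date(2012, 1, 10),
                  "trusted_reseller", [(date(2014, 6, 2), "A. Tech", "ServiceCo")]),
        PosDevice("counter-2", "VF-1002", "VF-1003", date(2006, 3, 15),
                  "trusted_reseller"),
        PosDevice("drive-thru", "VF-1004", "VF-1004", date(2010, 6, 1),
                  "online_auction", [(date(2014, 11, 20), "unknown", "")]),
    ]
```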
OK, so there’s a new fast-food joint that just went up in your neighborhood and you stopped by to grab something for dinner. Being a new store, the POS is probably brand new and holds all the latest certifications (that may not be true, but let’s pretend it is). There’s no reason to believe that handing over your credit card to the attendant will result in anything but quick payment and dinner in your hands in a matter of seconds.
Assumptions are bad. Especially when talking about cardholder information.
What you didn’t know was that the attendant had been approached by an individual who offered to pay her $3 for every credit card she scanned using this little skimming device. The attendant was told that it was perfectly safe–she’d never get caught and anyway, it’s not really costing the cardholder anything because the credit card company would cover the losses on the off-chance the cardholder noticed the additional charge and reported it. And so instead of paying for one meal that night, you paid for two or more.
Situations like this are why the 2011 Verizon Data Breach Report rated, “Use of unapproved hardware/devices” as the third most common type of breach.
Until every restaurant and retailer moves to a payment solution where your card never leaves your hand, there isn’t much you can do to stop someone from skimming your card. Especially in a situation where you’re in your car and the employee is sitting above you and his hands are hidden. But by being alert to how and where your card is being used, you can help reduce the risk.
In one of my previous lives, we used an “onion” as an analogy to explain how a layered approach to security, like the one we’ve described here, works. Vendor protections, merchant tracking and cardholder alertness each make up a different layer, and at the center is your personal information. This may not stop every threat, but it will certainly make things difficult for all but the most persistent.