Skimming: Criminals' Tech Improving
PCI's King Says Employee Training Is Best Line of Defense
King says skimming techniques are evolving. While anti-skimming solutions and security mandates, such as the PCI Data Security Standard, are having an impact, merchants and financial institutions have to focus on employee training. "The criminals tend to come in and target a particular store or gas station, and they'll target it very quickly," he says. "Good training of the staff has identified very quickly a new skimming attack. ... The training can work and does work."
During this interview, King discusses:
- International steps the PCI Council is taking to educate merchants, card issuers and networks about enhanced card-skimming protection and techniques;
- International payments and the possibility of a U.S. move to EMV or a chip-based mobile alternative;
- Future card-skimming trends.
King is the European regional director for the PCI Security Standards Council, leading the SSC's efforts to increase adoption and awareness of PCI security standards in Europe. King's responsibilities include gathering feedback from the merchant and vendor community, coordinating research and analysis of PCI SSC-managed standards in European markets, and driving educational efforts and council membership through involvement in local and regional events. He also serves as a resource for approved scanning vendors and qualified security assessors. Before joining the council, King was the vice president of the Payment System Integrity Group at MasterCard Worldwide, where he played an integral role in developing payment terminal and chip-card security programs. He also spent more than 14 years working in the United Kingdom semiconductor industry and has a strong background in emerging technologies, including contactless cards, encryption and mobile payments.
The Global Fight
TRACY KITTEN: Card skimming is a growing global fraud concern, but industry leaders are taking steps to address card skimming in the U.S. and abroad. Jeremy King, European regional director for the PCI Security Standards Council, shares his views about skimming trends and the steps the PCI Council is taking to help merchants and financial institutions ensure better card security.
Jeremy, card skimming is not a new problem, but one that continues to plague the industry. What are some of the card skimming trends you're seeing in Europe and other parts of the world, and what steps is the PCI Council taking to address those trends?
KING: I think the interesting issue is that we are moving away from individual people trying to introduce card skimming devices into terminals, and moving toward organized crime. The impact organized crime is having is that they bring improved technology. So, we are seeing an increased use of high technology, both from the creation of the skimming devices and the implementation and use around the world, and it is a global problem.
Just a quick recap: card skimming is really a method of illegally collecting cardholder data in order to use that data to perform fraudulent transactions. In the past, we've seen this being used against various devices, including point-of-sale devices, ATMs and unattended terminals. From the PCI's perspective, we've been tackling this threat in a number of ways, primarily with the introduction in 2005 of the first point-of-interaction/point-of-sale security standard, and that is all about improving the security of terminals to prevent criminals being able to gain access to insert skimming devices into these types of devices. In 2008, we widened that to include unattended terminals, so we have a standard for those sorts of devices.
The other area that we are using to help counter this challenge is that we released a guideline for merchants on anti-skimming best practices; although we can improve the actual security of the terminals themselves, improving the awareness of merchants and their staff on how to see and detect whether their terminals have been tampered with is of great importance when it comes to tackling the issue.
The Lingering Mag-Stripe
KITTEN: In the United States, the continued reliance on magnetic-stripe card technology has posed problems, not just for U.S. cardholders, but for cardholders the world over. How has the lingering mag-stripe fed card skimming trends that you're seeing in other parts of the world?
KING: It is interesting that most cards do have magnetic stripes on them, and in Europe we have both the magnetic stripe and the chip card. We're seeing that it really depends on the market, when it comes to how criminals attack the card. Really, over the last few years we've seen incidents of skimming devices designed to skim the magnetic-stripe card as it is swiped through. But we've seen other attacks that have been designed to try and intercept the data as it passes from the terminal to the chip card. The criminals do tend to change their techniques and methods, depending on the region they are in. So, we are using our global standards to try and ensure that everybody is aware of how skimming devices can be inserted in the terminals they use, and how best to protect cardholders in their region. Again, we're trying to provide focused support in those particular areas, be that in the terminal or at the petrol station terminal.
Adoption of EMV
KITTEN: And how has the adoption of the EMV chip standard in Europe and other parts of the world impacted card skimming?
KING: I think it is safe to say that in those particular countries that have adopted a secure EMV chip solution, we are seeing face-to-face fraud figures drop, and that is a positive. That is one of the benefits, the actual number of attacks have declined. However, what we do see is that criminals will look in other areas and other ways they can attack the transaction process; and, again, PCI has been tackling that with the latest version of the PCI-DSS. We see the criminals will move to other areas. What we're seeing now is use of improved technology spreading out in Europe; and we're seeing improvements in security and security-detection methods in those areas.
KITTEN: The adoption of EMV in the U.S. is something that has been talked about more and more often, but such a move would be costly as well as time consuming. In what direction do you see the U.S. moving, where the adoption of EMV or an EMV-like technology is concerned?
KING: I have to reiterate that we are a global standards body. It is our process to be able to provide best security guidance for merchants, for vendors, for those involved in processing card transactions, regardless of the technology they want. Obviously, I do see in the press that there is some interest in EMV in the U.S.; but from a PCI perspective, it's our duty to try and provide good global security standards that protect all cardholders and their data.
Mobile and EMV
KITTEN: Now, a link between mobile and the EMV chip standard also is something many U.S. merchants have expressed interest in. What connection do you see between mobile and EMV? And if the U.S. were to move to a technology that relies on a chip within a mobile device, how might that impact payments in other parts of the world?
KING: That is a very interesting question, and more interesting in that I just returned from the Card Expedition in Paris, which is a major annual event for cards and payment technology. The method that was being shown the most was essentially enabling the mobile phone to become a sort of contactless card. So, they were adding capability to the mobile phone that would make it a contactless card. In that regard, then, the phone would work in exactly the same way as a contactless card, and the transaction would be processed in exactly the same way. From a PCI perspective, we have to look at it and see what is happening, and we're keeping ourselves abreast of this. But we don't see it having a major impact in terms of security; we don't see any negative security impacts. I think it is a technology that can work well.
KITTEN: And do you think, Jeremy, that 2011 will be the year the U.S. begins its migration away from the mag-stripe?
KING: If I had a crystal ball that would give me that information, then I would be using it to predict more than whether or not the U.S. will begin a migration away from mag-stripe. But, honestly, I don't know, and I will watch the news articles with interest.
Skimming and Pay-At-The-Pump
KITTEN: Now, skimming at the ATM is the No. 1 card-related fraud vulnerability. What about skimming at other devices, such as the POS and unattended self-service terminals like pay-at-the-pump? What types of trends and attacks is the industry battling when it comes to card fraud at those devices?
KING: It's the same sort of battle that has been going on for a number of years, and I've said that the criminals have just become very much better at it. So, it changes; it changes from the types of devices, where they either put something over the mag-stripe reader or over the card reader or the keypad, so it's very difficult for a cardholder to be able to see the terminal as being compromised. That is the same whether at an ATM or a pay-at-the-pump device. But technology is fighting back. There are anti-skimming devices now becoming available that can detect the presence of a skimming device, because a lot of the skimmers these days tend to transmit the data. So, the anti-skimming devices detect and then start trying to fill the skimming device with nonsense, with rubbish data. This has proven quite successful in ATMs, and I know there are various manufacturers that are providing this. The fight back here is beginning, and we've been looking at it very closely with our PCI PTS standard, to see what we can do with our security guidance and merchants to try and make them understand the types of attacks that can happen and how these can be difficult to detect. We give them guidance on daily checks they should be doing.
Skimming Trends
KITTEN: What types of trends from that global perspective stand out to you the most?
KING: It is always interesting to see how the criminals move with the new technology. So, a lot of the skimming devices we see now tend to use Bluetooth technology so they can transmit stolen card data. The criminal wants to reduce his risk, so if he only has to go once to fit the skimming device, that reduces his risk of being caught. These days we tend to see skimming devices with transmission methods, so they can transmit the data to the criminal, using Bluetooth or even using GPRS technology. One of the other interesting trends that we're seeing is that the criminals are actually using cryptographic techniques to protect the data that they're stealing. This makes it difficult for law enforcement to be able to confirm that it actually is cardholder data, and it also gets very difficult to try and track what happens to the data. It is a global problem, it is a global threat, and we're seeing the use of international criminal organizations that not only collect the data, but transmit the data around the world, which makes it very difficult for law enforcement to track it down.
The other thing that we did see in the last year was that in some of the criminal organizations, they actually have some of their people obtain positions with companies that service the ATMs, and that enabled them to gain access to these terminals. They were then attacking it from the inside, and that makes it very difficult for cardholders to know when a terminal has been attacked. So, it is all about trying to increase awareness among the merchants, among the banks, so that they can understand what the threats are and then take appropriate actions, using the PCI documentation, using the anti-skimming guidance, to help them in that attack.
KITTEN: What technology and standards is the PCI Council promoting to fight some of those global card skimming trends?
KING: We're involved from the start to the finish of this. So, the obvious one is the PCI-PTS standard, which is a standard aimed at improving the security of the actual devices -- be that a point-of-sale terminal or a fuel pump. And then we provide additional guidance about how to protect applications, and the guidance is aimed at preventing the criminals from trying to tap into the data that has been transmitted. We also provide guidance through our anti-skimming documents, which helps promote awareness for the merchants and their staff. So, we're aimed at providing everything that the merchant needs to increase awareness and increase security.
KITTEN: And, Jeremy, what skimming trends should the industry be watching most closely over the next year in your opinion?
KING: I think it is unfortunately going to be more of the same. The equipment that they use is very cutting edge, but their techniques are the same. They tend to try to either break into the terminal to insert the skimming device, or try and put some overlay over the device itself. Mostly that can be at the ATM or the fuel pump. Our main defense is going to come from improving the awareness within the industry with the merchant staff; it's improving the awareness of what you can do to tackle it. Using the guidance from the council to help understand the types of techniques and the types of attacks that are going to be used against you is important. The criminals tend to come in and target a particular store or gas station, and they'll target it very quickly. So, it's undertaking a regular check, even though you know that the chances are that nothing will have changed. But I've seen clear cases of this, where good training of the staff has identified very quickly a new skimming attack -- a member of the staff comes in and highlights it to the supervisor when they thought something was wrong. When the person left, they reported it to a supervisor. The supervisor called the police. The police came in, and there was a skimmer that had been fitted to the terminal. The training can work and does work.