EMV (Europay, Mastercard and Visa) chip technology is a powerful step forward in protecting against credit card fraud. Unlike data contained on a magnetic stripe – which, once stolen, can be used over and over – the EMV chip’s unique transaction code for each use makes it highly secure for in-person purchases.
But with adoption finally widespread throughout much of the U.S., fraudsters are now employing workarounds. They use a variety of ways to access financial card data, from phishing attacks to Wi-Fi spoofing in unprotected public spots. This is why small business owners can get the feeling that they are playing a game of ‘Whac-a-Mole.’ Just when they thwart one attack, another can seemingly pop up out of nowhere.
Just as the mole’s last hole doesn’t tell you where it will pop up next, fraudsters don’t always employ predictable techniques when attacking a business. Here are some of the ways fraudsters are getting creative in how they hack into payment and financial information systems – and what mallet, or method, business owners can employ to help defend against these attacks.
Point of Sale Fraud
- Skimming – A skimming device is a card reader which can be disguised to look like part of an ATM or point-of-sale (POS) terminal. As long as EMV chip cards also store data on the magnetic stripe, skimming will continue. Today’s fraudsters use 3-D printers to make sophisticated skimmers that are virtually indistinguishable from the parts of the terminal to which they are attached.
- Shimming – While skimming devices aim to steal credit card information via the card-swipe method, “shimming” devices are the next stage in card fraud evolution. Shimmers, which are thin enough to hide inside a card reader, can be used to stage a “man in the middle” attack by making a copy of the data on the EMV chip as it’s transmitted to the compromised machine.
Card-Not-Present Fraud
- Phishing – An old trick keeps getting more sophisticated. As seen with the recent Gmail scam[1], attackers disguised as a trusted contact are sending authentic-looking emails with seemingly relevant attachments, such as invoices, that can dupe even seasoned, security-savvy individuals into taking the bait.
- Spoofing – This is another type of attack that has been around for years – and continues to evolve. Mobile devices are constantly on the hunt for Wi-Fi networks, and most people are happy to join public networks to get a better connection and save on their data usage. Spoof attackers replicate Wi-Fi login screens to look and feel exactly like those used by familiar brands and service providers and steal sensitive data.
Often, criminals harvest payment card data to be sold on the DarkNet, an internet alternative that can be accessed only with specific software, configurations, or authorization, often used to conduct illegal business.
Vigilance and awareness of security practices can help protect you. Here are a few ways you can help ensure your business’ and customers’ vital information doesn’t get into the wrong hands:
Card-present environment
- Embrace secure technology. Investing in end-to-end encryption and tokenization can help protect data from the entry point through the authentication process and back.
- Check your hardware regularly. Point-of-sale terminals should be physically inspected for skimmers and shimmers on a regular basis, ideally at the start of each work shift.
  - Here are some things to look for:
    - Check for scratches or sticker residue. Scratches or sticker residue can be tell-tale signs that a terminal has been removed, replaced, or tampered with.
    - Wiggle the terminal. If a skimmer has been placed over your terminal, wiggling the terminal may help loosen the adhesive holding the fraudulent device in place.
    - Press the buttons. If a skimmer has been placed on top of your terminal, the buttons may be harder to press.
Card-not-present environment
- Choose a payments processor wisely. Merchants should work with a payments processor that not only offers end-to-end and point-to-point encryption but also stays on top of the rapidly evolving payment security landscape.
- Scale your fraud protection solution appropriately. Going overboard on security can cause false positives that result in unnecessary card declines and loss of sales. When it comes to security, one size does not fit all. There are a lot of resources and materials out there, so be sure to do your due diligence when it comes to finding the right choice for your business.
If you’re concerned about the integrity of your payment environment, know that you are not alone. If you stay informed, alert and disciplined, your business stands a good chance of beating the odds in the fight against fraudsters.