admin Posted on 7:33 am

File Integrity Monitoring for PCI DSS: Card Skimmers Still Doing Business After All These Years

Card skimming: hardware or software?

Simple is still effective. Whether software-based (such as the so-called 'Dexter' or 'VSkimmer' Trojans; a web search will turn up plenty of background on both) or classic hardware interception devices, card skimming remains a very effective means of stealing card data.

The hardware approach can be as basic as inserting an in-line card data capture device between the card reader and the EPOS or till system. That sounds crude, but in more advanced cases the skimming hardware is cleverly integrated inside the card reader itself, often with a mobile phone circuit to transmit the captured data to the waiting fraudster.

Software skimmers are potentially far more powerful. First, they can be distributed globally and, unlike the equivalent hardware, cannot be found by a physical inspection of the terminal. Second, they give access to both 'card present' transactions (i.e. POS) and 'card not present' transactions, for example payments taken through an e-commerce website.

EMV or Chip and PIN – effective up to a point

Where it has been implemented (which, today, of course excludes the US), EMV technology (which supports 'chip and PIN' authorisation) has produced large reductions in 'card-present' fraud. A card skimmer now needs not only the card details but also the PIN (Personal Identification Number) to use the card. Integrated skimming hardware can also capture the PIN as it is keyed in, hence the emphasis on allowing only approved PIN entry devices with anti-tamper measures built in. Alternatively, just point a video camera at the keypad and write the PIN down as the customer types it!

By definition, EMV chip security and the PIN entry requirement are only effective for face-to-face transactions where a PED (PIN Entry Device) is used. As a result, 'card not present' fraud continues to grow rapidly around the world, demonstrating that card data theft remains a lucrative crime.

In a global market that is easily reached via the Internet, software card skimming is a numbers game. It is also one that depends on a constantly renewed supply of card numbers, because fraud detection at both the acquiring banks and the card brands keeps improving, which shortens the useful life of every stolen card.

Card Skimming in 2013: the solution is already here

Research recently published in SC Magazine suggests that businesses are hit by a cyberattack every three minutes. The source of the research is FireEye, a sandbox technology vendor, and they are naturally keen to emphasise that these malware events are the ones that bypass what they call legacy defences: firewalls, antivirus and other security gateways. In other words, zero-day threats, usually mutated or modified versions of Trojans or other malware, delivered through phishing attacks.

What is frustrating for the PCI Security Standards Council and the card brands (and certainly for software companies like Tripwire, nCircle and NNT!) is that the six-year-old PCI DSS already prescribes perfectly adequate measures against any of these newly discovered Trojans (and buying a FireEye appliance is not on the list!). All e-commerce servers and EPOS systems must be hardened and protected by file integrity monitoring. Firewalls and antivirus are also required, but FIM is there to detect the malware that those devices miss, and, as the FireEye report shows, such malware is as common as ever. A Trojan like VSkimmer or Dexter has to be written to disk and executed, so it manifests as file system activity, and on a Windows system it will also generate registry changes, for example to persist across reboots. A FIM baseline of the system's executables, libraries and key registry hives turns that activity into an alert.
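To make the FIM point concrete, here is an added example (not code from NNT, Tripwire, nCircle or any other vendor mentioned on this page) of the core baseline-and-compare routine such a tool runs: hash every file under a monitored tree, store the result, rescan later and report what was added, removed or changed. The EPOS directory, file names (pos.exe, skim.dll, config.ini) and file contents are constructed for the demonstration; the simulated compromise deliberately patches the POS binary without changing its size, the kind of change a size-or-timestamp-only check would miss.

```python
"""Minimal file integrity monitor: baseline, rescan, diff.
Added example, not vendor code. Sample files are constructed inline."""
import hashlib
import stat
import tempfile
from pathlib import Path
from typing import Dict, List, NamedTuple


class Entry(NamedTuple):
    """Per-file record. The content hash is the authoritative signal; mtime is
    left out deliberately because malware can reset timestamps."""
    sha256: str
    size: int
    mode: int  # permission bits only (stat.S_IMODE)


def hash_file(path: Path, chunk_size: int = 64 * 1024) -> str:
    """SHA-256 of a file, streamed so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root: Path) -> Dict[str, Entry]:
    """Walk a directory tree and record every regular file, keyed by a
    POSIX-style path relative to root so baselines are portable."""
    snap: Dict[str, Entry] = {}
    for p in sorted(root.rglob("*")):
        # Skip symlinks: following a planted link would let an attacker make a
        # foreign file masquerade as a baselined one.
        if p.is_symlink() or not p.is_file():
            continue
        st = p.stat()
        snap[p.relative_to(root).as_posix()] = Entry(
            hash_file(p), st.st_size, stat.S_IMODE(st.st_mode)
        )
    return snap


def compare(baseline: Dict[str, Entry], current: Dict[str, Entry]) -> Dict[str, List[str]]:
    """Diff two snapshots. Any change in hash, size or mode counts as modified."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "modified": sorted(k for k in old & new if baseline[k] != current[k]),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: baseline a fake EPOS install, then simulate a
    skimmer DLL being dropped, the POS binary being patched in place and a
    config file being deleted, and return what the rescan reports."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "pos.exe").write_bytes(b"legitimate POS binary v1\x00")
        (root / "bin" / "config.ini").write_text("[pos]\nterminal=1\n")
        baseline = snapshot(root)

        # Simulated compromise (constructed). The patched binary keeps the
        # same size as the original, so only the hash reveals the change.
        (root / "bin" / "pos.exe").write_bytes(b"legitimate POS binary v1\x01")
        (root / "bin" / "skim.dll").write_bytes(b"MZ" + b"\x00" * 62)
        (root / "bin" / "config.ini").unlink()

        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In practice the baseline is written once at deployment time and stored off the monitored host (a baseline an intruder can rewrite is worthless), the rescan runs on a schedule or from a file-system change notification, and every reported difference is reconciled against an approved change record. On Windows the same snapshot-and-compare approach extends to registry persistence locations using the standard library winreg module, which is how the registry changes a Trojan makes get caught.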

Other routes for introducing skimming software are also blocked if PCI DSS is followed correctly. Systems that handle card data should be isolated from the Internet wherever possible, USB ports should be disabled as part of the hardening process, and network access should be restricted to the minimum needed for operations. Even then, all access to these systems should be logged and tied to unique user IDs (not shared root or Administrator accounts), so that any change FIM reports can be traced back to a person.

PCI DSS may be old in Internet years, but fundamentally strong, well-managed security best practice has never been more relevant or effective than it is today.
