BeyondTrust

Security in Context: The BeyondTrust Blog

Welcome to Security in Context

Bringing you news and commentary on solutions and strategies for protecting critical IT infrastructure in the context of your business.

Avoiding ATM and Credit Card Fraud

Posted June 3, 2010    Morey Haber

The local news is buzzing again about the Powerball (and yes, I play the state lottery). The odds are worse than Vegas and somehow I always fall victim to “you must play to win.” Every time I leave the supermarket I pick up a few tickets from the local vending machine and enter my debit card ATM pin to buy a few bucks worth.

I recently saw an article on ATM skimmers and wondered how safe my data is in a vending machine…let alone an ATM. Rumors abound that the next PCI DSS specification requires all devices that accept credit and debit cards are to be DSS compliant.

Let’s think about this a minute. How many places do you use your credit or debit card? Fast food, ATMs, vending machines, restaurants, merchants, online, bills, etc. How are these merchants and vendors going to assess these devices (endpoints) that take plastic for transactions? Better yet, for all the vendors putting these devices out there, can they scan these devices remotely and which operating systems do they contain? Can they even be patched?

I am aware of several vendors building kiosks on standard windows platforms and this should be easily accessible via a network vulnerability assessment scanner. Even if these devices are not online via a WAN or LAN, agent vulnerability assessment allows for controls that will help maintain DSS compliance.

What concerns me are the devices that cannot be assessed or can be physically manipulated using techniques like a skimmer. I guess every time I play the lottery, or insert my ATM card into a device, I am gambling on whether I will win and make money or whether I will be scammed due to a faulty device (hacked) that is siphoning off my personal information.

So here are three tips to protect yourself from losing your identity when using your card:

1. Never use your ATM or credit card in an unbranded ATM or vending machine. Try to use bank ATM machines or vending machines from larger corporations that will adopt PCI DSS standards more regularly.

2. Never use your ATM or credit card on any device that looks like it has a reader added on top of the normal slot. This is a dead giveaway for a skimmer. This link gives a great example.

3. Never use your ATM or credit card on a device that requires additional information beyond your zip code. Current standards require some machines, gas pumps for example,. request an additional piece of information like a billing code, but if the device asks for even more data, than something is definitely phishy.

Finally, if you are a vendor or merchant with devices deployed that accept electronic transactions, now is the time to be considering how you will perform vulnerability management for your systems. Kiosks connected via dial-up links, cellular service, and other networking technologies will not be immune to the new standards.

Tags:
, ,

Leave a Reply

Additional articles

Dark Reading

2014: The Year of Privilege Vulnerabilities

Posted December 18, 2014    Chris Burd

Of the 30 critical-rated Microsoft Security Bulletins this year, 24 involved vulnerabilities where the age-old best practice of “least privilege” could limit the impact of malware and raise the bar of difficulty for attackers.

Tags:
, , , , ,
dave-shackleford-headshot

Looking back on information security in 2014

Posted December 16, 2014    Dave Shackleford

Dave Shackleford is a SANS Instructor and founder of Voodoo Security. Join Dave for a closer look at the year in security, and learn what you can do to prepare for 2015, with this upcoming webinar. 2014 has been one heck of an insane year for information security professionals. To start with, we’ve been forced…

Tags:
, ,
patch-tuesday

December 2014 Patch Tuesday

Posted December 9, 2014    BeyondTrust Research Team

This month marks the final Patch Tuesday of 2014. Most of what is being patched this month includes Internet Explorer, Exchange, Office, etc… and continues a trend of the greatest hits collection of commonly attacked Microsoft software. Probably the one thing that broke the mold this month is that for once there is not some…

Tags:
,