BeyondTrust

Security in Context: The BeyondTrust Blog

Welcome to Security in Context

Bringing you news and commentary on solutions and strategies for protecting critical IT infrastructure in the context of your business.

Avoiding ATM and Credit Card Fraud

Posted June 3, 2010    Morey Haber

The local news is buzzing again about the Powerball (and yes, I play the state lottery). The odds are worse than Vegas and somehow I always fall victim to “you must play to win.” Every time I leave the supermarket I pick up a few tickets from the local vending machine and enter my debit card ATM pin to buy a few bucks worth.

I recently saw an article on ATM skimmers and wondered how safe my data is in a vending machine…let alone an ATM. Rumors abound that the next PCI DSS specification requires all devices that accept credit and debit cards are to be DSS compliant.

Let’s think about this a minute. How many places do you use your credit or debit card? Fast food, ATMs, vending machines, restaurants, merchants, online, bills, etc. How are these merchants and vendors going to assess these devices (endpoints) that take plastic for transactions? Better yet, for all the vendors putting these devices out there, can they scan these devices remotely and which operating systems do they contain? Can they even be patched?

I am aware of several vendors building kiosks on standard windows platforms and this should be easily accessible via a network vulnerability assessment scanner. Even if these devices are not online via a WAN or LAN, agent vulnerability assessment allows for controls that will help maintain DSS compliance.

What concerns me are the devices that cannot be assessed or can be physically manipulated using techniques like a skimmer. I guess every time I play the lottery, or insert my ATM card into a device, I am gambling on whether I will win and make money or whether I will be scammed due to a faulty device (hacked) that is siphoning off my personal information.

So here are three tips to protect yourself from losing your identity when using your card:

1. Never use your ATM or credit card in an unbranded ATM or vending machine. Try to use bank ATM machines or vending machines from larger corporations that will adopt PCI DSS standards more regularly.

2. Never use your ATM or credit card on any device that looks like it has a reader added on top of the normal slot. This is a dead giveaway for a skimmer. This link gives a great example.

3. Never use your ATM or credit card on a device that requires additional information beyond your zip code. Current standards require some machines, gas pumps for example,. request an additional piece of information like a billing code, but if the device asks for even more data, than something is definitely phishy.

Finally, if you are a vendor or merchant with devices deployed that accept electronic transactions, now is the time to be considering how you will perform vulnerability management for your systems. Kiosks connected via dial-up links, cellular service, and other networking technologies will not be immune to the new standards.

Tags:
, ,

Leave a Reply

Additional articles

dave-shackleford-headshot

Tales from the Datacenter: Vulnerability Management Nightmares

Posted May 27, 2015    Dave Shackleford

Vulnerability scanning, threat management, risk analysis, patching, and configuration management are some of the major activities usually associated with vulnerability management, and none of these are new…so why are we failing so badly at many of them?

Tags:
, ,
Sudo_logo

Don’t Create a Different sudoers File for Each System

Posted May 20, 2015    Randy Franklin Smith

What if you have multiple Linux and/or Unix systems? Sudo management can become onerous and unwieldy if you try to manage a different sudoers file on each system. The good news is that sudo supports multiple systems.

password-safety

What Does Microsoft Local Administrator Password Solution Really Do?

Posted May 19, 2015    Morey Haber

LAPS is a feature that allows the randomization of local administrator accounts across the domain. Although it would seem that this capability overlaps with features in BeyondTrust’s PowerBroker Password Safe (PBPS), the reality is it is more suited for simple use cases such as changing the local Windows admin account and not much more.

Tags:
, ,