BeyondTrust

Security in Context: The BeyondTrust Blog

Welcome to Security in Context

Bringing you news and commentary on solutions and strategies for protecting critical IT infrastructure in the context of your business.

Avoiding ATM and Credit Card Fraud

Posted June 3, 2010    Morey Haber

The local news is buzzing again about the Powerball (and yes, I play the state lottery). The odds are worse than Vegas and somehow I always fall victim to “you must play to win.” Every time I leave the supermarket I pick up a few tickets from the local vending machine and enter my debit card ATM pin to buy a few bucks worth.

I recently saw an article on ATM skimmers and wondered how safe my data is in a vending machine…let alone an ATM. Rumors abound that the next PCI DSS specification requires all devices that accept credit and debit cards are to be DSS compliant.

Let’s think about this a minute. How many places do you use your credit or debit card? Fast food, ATMs, vending machines, restaurants, merchants, online, bills, etc. How are these merchants and vendors going to assess these devices (endpoints) that take plastic for transactions? Better yet, for all the vendors putting these devices out there, can they scan these devices remotely and which operating systems do they contain? Can they even be patched?

I am aware of several vendors building kiosks on standard windows platforms and this should be easily accessible via a network vulnerability assessment scanner. Even if these devices are not online via a WAN or LAN, agent vulnerability assessment allows for controls that will help maintain DSS compliance.

What concerns me are the devices that cannot be assessed or can be physically manipulated using techniques like a skimmer. I guess every time I play the lottery, or insert my ATM card into a device, I am gambling on whether I will win and make money or whether I will be scammed due to a faulty device (hacked) that is siphoning off my personal information.

So here are three tips to protect yourself from losing your identity when using your card:

1. Never use your ATM or credit card in an unbranded ATM or vending machine. Try to use bank ATM machines or vending machines from larger corporations that will adopt PCI DSS standards more regularly.

2. Never use your ATM or credit card on any device that looks like it has a reader added on top of the normal slot. This is a dead giveaway for a skimmer. This link gives a great example.

3. Never use your ATM or credit card on a device that requires additional information beyond your zip code. Current standards require some machines, gas pumps for example,. request an additional piece of information like a billing code, but if the device asks for even more data, than something is definitely phishy.

Finally, if you are a vendor or merchant with devices deployed that accept electronic transactions, now is the time to be considering how you will perform vulnerability management for your systems. Kiosks connected via dial-up links, cellular service, and other networking technologies will not be immune to the new standards.

Tags:
, ,

Leave a Reply

Additional articles

PowerBroker Password Safe Password Age Report

Reshaping Privileged Password Management with Password Safe 5.2

Posted July 21, 2014    Martin Cannard

Today, we’re pleased to unveil the latest edition of our privileged password management solution, PowerBroker Password Safe. I’ll start with a brief intro of what’s new and then tell you a little about the driving factors behind Password Safe development. New features for mitigating password risk and ensuring accountability enterprise-wide Here’s the 10,000-foot overview of…

Tags:
, , ,
PowerBroker for Windows tamper protection

PowerBroker for Windows 6.6 Tamper Protection

Posted July 18, 2014    Morey Haber

I have a bone to pick: Stopping an administrator from performing an action on a system is futile endeavor. As an administrator, there is always a way to circumvent a solution’s from tampered protection. Really! By default, Windows administrators have unrestricted access to the system – and even though an application, hardened configuration, or group policy…

Tags:
, ,
PowerBroker for Windows can be configured to automatically identify the end user’s language preference

Implementing Least Privilege Around the World with PowerBroker for Windows

Posted July 17, 2014    Morey Haber

BeyondTrust recognizes that international, multilingual businesses have unique operating challenges, especially when it comes to implementing enterprise software. PowerBroker for Windows is a least-privilege solution often deployed across thousands of systems spanning multiple geographies and protecting users of diverse backgrounds. Earlier this year, PowerBroker for Windows introduces new data privacy features for EMEA and APAC,…

Tags:
, ,