BeyondTrust

Security in Context: The BeyondTrust Blog

Welcome to Security in Context

Bringing you news and commentary on solutions and strategies for protecting critical IT infrastructure in the context of your business.

Avoiding ATM and Credit Card Fraud

Posted June 3, 2010    Morey Haber

The local news is buzzing again about the Powerball (and yes, I play the state lottery). The odds are worse than Vegas and somehow I always fall victim to “you must play to win.” Every time I leave the supermarket I pick up a few tickets from the local vending machine and enter my debit card ATM pin to buy a few bucks worth.

I recently saw an article on ATM skimmers and wondered how safe my data is in a vending machine…let alone an ATM. Rumors abound that the next PCI DSS specification requires all devices that accept credit and debit cards are to be DSS compliant.

Let’s think about this a minute. How many places do you use your credit or debit card? Fast food, ATMs, vending machines, restaurants, merchants, online, bills, etc. How are these merchants and vendors going to assess these devices (endpoints) that take plastic for transactions? Better yet, for all the vendors putting these devices out there, can they scan these devices remotely and which operating systems do they contain? Can they even be patched?

I am aware of several vendors building kiosks on standard windows platforms and this should be easily accessible via a network vulnerability assessment scanner. Even if these devices are not online via a WAN or LAN, agent vulnerability assessment allows for controls that will help maintain DSS compliance.

What concerns me are the devices that cannot be assessed or can be physically manipulated using techniques like a skimmer. I guess every time I play the lottery, or insert my ATM card into a device, I am gambling on whether I will win and make money or whether I will be scammed due to a faulty device (hacked) that is siphoning off my personal information.

So here are three tips to protect yourself from losing your identity when using your card:

1. Never use your ATM or credit card in an unbranded ATM or vending machine. Try to use bank ATM machines or vending machines from larger corporations that will adopt PCI DSS standards more regularly.

2. Never use your ATM or credit card on any device that looks like it has a reader added on top of the normal slot. This is a dead giveaway for a skimmer. This link gives a great example.

3. Never use your ATM or credit card on a device that requires additional information beyond your zip code. Current standards require some machines, gas pumps for example,. request an additional piece of information like a billing code, but if the device asks for even more data, than something is definitely phishy.

Finally, if you are a vendor or merchant with devices deployed that accept electronic transactions, now is the time to be considering how you will perform vulnerability management for your systems. Kiosks connected via dial-up links, cellular service, and other networking technologies will not be immune to the new standards.

Tags:
, ,

Leave a Reply

Additional articles

skeletonkey3_713678_713680

Stopping the Skeleton Key Trojan

Posted June 29, 2015    Robert Auch

Earlier this year Dell’s SecureWorks published an analysis of a malware they named “Skeleton Key”. This malware bypasses authentication for Active Directory users who have single-factor (password only) authentication. The “Skeleton Key” attack as documented by the SecureWorks CTU relies on several critical parts.

Tags:
, , , , ,
webinar 2

On Demand Webinar: 10 Steps to Building an Effective Vulnerability Management Program

Posted June 26, 2015    BeyondTrust Software

In this on demand webinar, Cybersecurity Expert, Derek A.Smith will take you through his 10 steps for a successful vulnerability management program and how to get started now.

Tags:
, ,
AHHA_PRO.LOGO

Privileged Account Management – Another AH-HA in Cyber Security

Posted June 25, 2015    Nigel Hedges

I strongly believe that the Top 4 mitigation strategies don’t just simply apply to Australian organizations, it should be a global realization, a worldwide “ah ha!” for those still not quite understanding the importance here. Here’s a refresher (or intro) on the Top 4 mitigation strategies. Read on…

Tags:
, ,