The local news is buzzing again about the Powerball (and yes, I play the state lottery). The odds are worse than Vegas and somehow I always fall victim to “you must play to win.” Every time I leave the supermarket I pick up a few tickets from the local vending machine and enter my debit card ATM pin to buy a few bucks worth.
I recently saw an article on ATM skimmers and wondered how safe my data is in a vending machine…let alone an ATM. Rumors abound that the next PCI DSS specification requires all devices that accept credit and debit cards are to be DSS compliant.
Let’s think about this a minute. How many places do you use your credit or debit card? Fast food, ATMs, vending machines, restaurants, merchants, online, bills, etc. How are these merchants and vendors going to assess these devices (endpoints) that take plastic for transactions? Better yet, for all the vendors putting these devices out there, can they scan these devices remotely and which operating systems do they contain? Can they even be patched?
I am aware of several vendors building kiosks on standard windows platforms and this should be easily accessible via a network vulnerability assessment scanner. Even if these devices are not online via a WAN or LAN, agent vulnerability assessment allows for controls that will help maintain DSS compliance.
What concerns me are the devices that cannot be assessed or can be physically manipulated using techniques like a skimmer. I guess every time I play the lottery, or insert my ATM card into a device, I am gambling on whether I will win and make money or whether I will be scammed due to a faulty device (hacked) that is siphoning off my personal information.
So here are three tips to protect yourself from losing your identity when using your card:
1. Never use your ATM or credit card in an unbranded ATM or vending machine. Try to use bank ATM machines or vending machines from larger corporations that will adopt PCI DSS standards more regularly.
2. Never use your ATM or credit card on any device that looks like it has a reader added on top of the normal slot. This is a dead giveaway for a skimmer. This link gives a great example.
3. Never use your ATM or credit card on a device that requires additional information beyond your zip code. Current standards require some machines, gas pumps for example,. request an additional piece of information like a billing code, but if the device asks for even more data, than something is definitely phishy.
Finally, if you are a vendor or merchant with devices deployed that accept electronic transactions, now is the time to be considering how you will perform vulnerability management for your systems. Kiosks connected via dial-up links, cellular service, and other networking technologies will not be immune to the new standards.