Point-of-sale terminal fraud is significantly on the rise.
Following incidents in the US – where card data was harvested and sold by McDonald's employees, and debit card data was collected from more than 80,000 Subway customers – warnings have been issued that such activity is becoming more prolific.
Bill Farmer, CEO of Mako Networks, told SC Magazine that rogue terminals, separate from the main network, are a way of harvesting data out of a business and into the hands of cyber criminals.
He said: “The cyber criminal will modify the device to steal the information and transmit it out to be stored. It is not easily detectable as the compromised modules are transmitting data out for months at a time and are often in high-traffic places.
“They collect data, hold it for months and then use it for small transactions months later, and then use it at an ATM to withdraw a lot of money at once… the cost of the breach can be hundreds of pounds per card compromised.”
David Divitt, principal fraud consultant at Alaric International, said: “It doesn't surprise me that this would be on the rise, especially since Chip & PIN makes it more difficult to get the data that the fraudsters need.
“If you say they are taking data directly from terminals, it would indicate they have found a way to do a mini ‘data breach’ in order to get details of cards. This means that even if the card was used in a chip transaction, they could still get the details and create a new card. I am a bit surprised, however, that the terminals would store the data at all, and unencrypt them. I thought terminals were supposed to purge their memory after each transaction?”