15. Examples of PIN Pad Theft. Photograph / Skimming technique. A sticker showing the product details and a serial number is affixed to the underside of the terminal. Most terminals also display a serial number electronically. During your regular inspection, note the serial number under the terminal and compare it with the electronic number. Also, run a finger over the sticker to check that it is not concealing a counterfeit. Information provided by:
16. Examples of PIN Pad Theft. Terminals often have security stickers or company labels placed over screw holes or seams, which makes it possible to tell whether the casing has been opened. Criminals generally remove these labels to tamper with the terminals and sometimes apply their own stickers. When the terminal is delivered, carefully note the position, colour and material of the labels. Also, inspect the terminal for any sign that a label has been removed or tampered with. Information provided by:
17. Examples of PIN Pad Theft. Photograph / Skimming technique. Cloning devices inserted into the terminal are invisible, so that neither the merchant nor the staff can suspect anything. This photo shows a cloning device inserted into a terminal. The device is normally concealed by the SIM card cover. Information provided by:
18. Examples of PIN Pad Theft. In this situation, the criminal posed as a technician to the store's staff. He claimed that, to prevent credit card fraud, the terminal had to be placed in this security box. He then gave the staff an instruction sheet. The box contained a card cloning device and a miniature camera. Be wary of unannounced technician visits. Information provided by:
37. Risk Assessment Questionnaire. Complete the online risk assessment questionnaire at halometrics.com/pinpad
50. Protecting the PIN Pad Terminal. Modern digital cameras used to film the cardholder's PIN are tiny once removed from their housing. As a result, they are easy to conceal or camouflage in a store. This type of miniature camera can easily be hidden in a ceiling tile above the terminal. Photograph / Skimming technique
55. Staff and Service Provider Access to PIN Pad Terminals. In this situation, the criminal posed as a technician to the store's staff. He claimed that, to prevent credit card fraud, the terminal had to be placed in this security box. He then gave the staff an instruction sheet. The box contained a card cloning device and a miniature camera. Be wary of unannounced technician visits. Courtesy of:
58. Contact Us. Western Canada: 1.800.667.9199 Eastern Canada: 1.800.667.3390
Editor's Notes
Good morning everyone. Thank you for taking the time to attend this session on PIN Pad Theft Prevention. My name is Ravinder Sangha and I am the Marketing Manager for Halo Metrics Inc.
You will notice that there was an envelope on your chair. It is a complimentary tool kit for you to take with you (items to help you prevent PIN Pad theft). As we go through the presentation I will explain more about what’s inside and how to use it. I will take questions at the end of the presentation.
And along the way we have become very knowledgeable about PIN Pad theft and how to deter or prevent it from happening. Hopefully I can pass along some helpful information today.
The issue seems to be larger in Quebec and in BC based on the location of our customers requesting help for this issue.
There have been cases where an attack has happened and the criminals have not used the data for 60-90 days because they know that the surveillance video will be erased by then, leaving little to no proof.
This is a series of still pictures captured from a surveillance video. A two-person team enters a store for the purpose of stealing a PIN Pad.
They work as a team with one acting as a lookout while the other starts the theft of the PIN Pad. It is important to note the time as we go through these slides.
His partner has moved over and looks like she is possibly distracting a customer.
The PIN Pad has been removed from its display bracket.
A display bracket is usually light gauge metal that easily bends and allows a PIN Pad to be removed. It provides minimal security.
Card readers and key loggers (another type of equipment that records keystrokes – PIN numbers) are easily available to purchase legally. Let me repeat that. It is not illegal to own this type of equipment.
The things to notice are how the unit was tampered with (panel, screws etc.). Labels can be placed to hide a compromise to the PIN Pad – i.e. removal of a screw or panel, or damage to an area during a tampering attempt. Match the serial numbers – electronic vs label. Need to familiarize yourself with the equipment.
In this example the criminal has placed their own label on the PIN Pad. Again, you need to familiarize yourself with the equipment, including the location of stickers and the type of stickers attached.
If you have not been diligent in recording the details of your PIN Pad equipment it can be difficult to catch a tampered unit.
We will review this example later in the presentation but it’s an example of how a criminal will pretend to be a service technician to gain access to PIN Pad equipment.
This aerial view shows how Wi-Fi signals can extend far beyond the walls of a store location. Intro: Identity Theft.info video explains how easy it is to download this data.
Note: Banks will freeze debit cards used at a store with a tampered PIN Pad for up to 2 months. This includes all bank cards a consumer owns, not just the cards that have been compromised.
Basically a person can be scarred by an identity theft crime and it can severely affect their buying behaviour.
In BC there has been recent media coverage of some serious attacks in the Kelowna area and Saanich area. Here is an example of a media report.
Time check – half deck left – should be at 25 min. At the end of the day, as a merchant you need to take some basic actions to help deter or prevent this type of crime.
Start with a risk analysis. This will give you a clearer indication if you are vulnerable to an attack.
This is included in your tool kit.
The idea is to capture as many accounts as simply and quickly as possible. Easier to attack one terminal with high activity than multiple terminals with low activity. We don’t get into much detail regarding ATM attacks in this presentation. The nature of the attacks is similar to PIN Pad attacks. Criminals try to capture debit card data and PIN data by altering the ATM machines. Keyboard overlays, card readers etc.
Again, the intent is to capture as many accounts and PINs in as short a time as possible.
Basically a vulnerability score will let you know if you are at high risk for a skimming attack.
Moving on to best practices.
Criminals will try to access terminal wiring and communication lines so that they can tamper with them and access data from your POS system.
Note the following: time stamps – in case the camera was switched off for a period of time; any blackouts; any period when the CCTV image was blocked; any incident when the camera is moved.
Just to reinforce the point – you must note your PIN Pad equipment information and keep it on file.
Not only inspect the PIN Pad but the connections as well. A key logger can be installed anywhere on a connection leading to a PIN Pad. This is why it is important to protect the cabling as mentioned before. Key loggers record keystrokes such as PIN numbers.
Available in your tool kit.
Security solutions for your PIN Pad equipment include: tamper-proof labels, security brackets, electronic alarms.
Terminals must meet the PCI PTS Security Evaluation Program and the DSS. Check model numbers, hardware revisions, and firmware revisions.
Thieves will use “decoy” units temporarily when in the middle of swapping out PIN Pad terminals. A fraud investigator at a financial institution told me of an incident where thieves came in at the end of store hours, stole a PIN Pad and replaced it with a non-operating decoy. When the store opened up again they came back and switched the decoy with a tampered PIN Pad.
Criminals will try to capture PIN numbers by placing covert cameras in various areas around the cash till.
Staff members can be prime targets for criminals using either coercion or bribery, especially in situations where there are only one or two people working. Let staff know how to report any incidents of bribery or coercion. Management needs to know and the Police will need to be involved. Store managers have been known to be coerced by criminals as well. There must be a way for staff to communicate to senior management or owners regarding these types of attacks.
Always perform a background check whenever possible.
Frank was speaking to me earlier about an experience in Winnipeg where a large franchise was attacked in this manner. A service technician came in and changed out all the PIN Pads, and before it was noticed significant funds were stolen.