• No se han encontrado resultados

1. Card Skimming and EFTPOS Terminal Tampering

Consumer data breach at merchants comprises a huge problem for financial institutions, because merchants or their employees are outside the bank’s ‘perimeter’ and relatively unsupervised by banks (that is, the banks do not directly monitor them). Hence, according to Grabosky, Smith and Dempsey, ‘merchants or their employees are ideally placed to permit access to computer networks and to alter transaction details’.523

EFTPOS terminals at merchants are relatively protected from outsiders who are not authorised to have access (protected by the building, locked doors, and oversight by employees of the merchant). However, recently, skimmers have been found to break into shops more frequently and add skimming devices to legitimate EFTPOS terminals.524 Although relatively insulated from outside attack, EFTPOS terminals do not have protection from insiders (such as the retailers themselves, clerks, cashiers, sales personnel, and so on) who are authorised to have access to the terminals but have turned into fraudsters.

Dexter was targeting retailers, hotels and restaurants. Dexter exploited remote-access controls to infiltrate POS systems and capture screenshots of POS displays …. Once a terminal was infected, the malware stole transactional processing lists and parsed the memory for Track 1 and Track 2 data stored on payment cards’ magnetic stripes. [at 2].

521 Interviews with various bank officers responsible for ATM operations: BO-1; BO-2; BO-3; and BO-4. 522

Edward Pangabean, Modus yang Dipakai si Pembobol Kartu Kredit di Gerai Body Shop [Modus Operandi Employed by Credit Card Theft Perpetrator in Body Shop Merchant] (31 May 2013) Liputan6.com <http://bisnis.liputan6.com/read/601128/modus-yang-dipakai-si-pembobol-kartu-kredit-di- gerai-body-shop>.

523

Grabosky, Smith and Dempsey, above n 266, 24.

118 However, there are also many reports where an outsider could compromise merchants’ EFTPOS terminals by covertly replacing the merchants’ EFTPOS terminals with ones that have been tampered with either by ‘break and entry’ when the business is closed, or by fraudsters tricking the owner or staff into allowing the installation of the fraudsters’ bogus ‘replacement’ or ‘upgraded terminal’ by pretending to be a bank’s or relevant third party’s maintenance service officers.525

In recent years, merchants and acquirers/processors have become a point of compromise for hundreds of millions of payment card accounts.526 According to Javelin Strategy and Research, counterfeit payment cards have become one of the fastest growing card frauds. Fraudsters are breaking into payment card information from insecure and compromised merchant terminals (hacking into terminals at hotels, restaurants, petrol stations and other merchants, and obtaining consumer data).527

Merchants often become the perfect place to commit a crime such as accessing computer networks, altering transaction details,528 and skimming or intercepting payment card details from EFTPOS terminals.529

EFTPOS terminals are frequently abused in this manner, with or without the involvement of the merchant owner. In general, cardholders also do not realise when their cards are being attacked.530

In order to obtain consumer payment card information, fraudsters can install fake equipment to steal card information from the entry process. For instance, fraudsters can

525 See, e.g. Australian Crime Commission, Banks, Law Enforcement and Retailers Warn Merchants to

Secure EFTPOS terminals to Prevent Skimming (2010) <http://www.crimecommission.gov.au/media/banks-law-enforcement-and-retailers-warn-merchants-to- secure-eftpos-terminals-to-prevent-skimm>; Andrew Koubaridis, 'EFTPOS Skimmers: 4 Arrests in

Scam', New Zealand Herald (online), 10 April 2012

<http://www.nzherald.co.nz/business/news/article.cfm?c_id=3&objectid=10797766>.

526 Saville and Loomis, above n 297, 5. See also Grabosky, Smith and Dempsey, above n 266, 24. 527 Javelin Strategy & Research, ‘2010 LexisNexis True Cost of Fraud Study’, above n 334, 21. See also

Sullivan, ‘The Changing Nature of US Card Payment Fraud’, above n 262, 102104; Bell, above n 44; Drimer, Murdoch and Anderson, ‘Thinking inside the Box’, above n 345; Tedder, above n 44, 9.

528 Grabosky, Smith and Dempsey, above n 266, 24. See also Hidayatul Fajri, 'Kasir Restoran Bobol

ATM, Rp 123 Juta Raib [Cashiers Restaurant Stole ATM, Rp123 Million Drained]', Kompas (online), 8

May 2012

<http://megapolitan.kompas.com/read/2012/05/08/17564064/Kasir.Restoran.Bobol.ATM..Rp.123.Juta.Ra ib>; Gede Suardana, Pembobolan Rekening Nasabah: Mesin Pembayaran BCA di Hard Rock Hotel Bali Diganti [Consumers' Account Theft: BCA EFTPOS Machine at Hard Rock Hotel Bali Replaced] (2010) Detik.com <http://news.detik.com/read/2010/01/20/230403/1282860/10/mesin-pembayaran-bca-di-hard- rock-hotel-bali-diganti?nd771104bcj>.

529 Model Criminal Code Officers’ Committee of the Standing Committee of Attorneys-General, above n

466, 1. See also the Smart Card Alliance, ‘Fraud in the US Payments Industry’, above n 297, 14.

530

Barwise and Bachfeld, above n 377. See also the Smart Card Alliance, ‘Fraud in the US Payments Industry’, above n 297, 14.

119 replace the PIN pad and terminal with devices that will display, print and/or record the entered values.531 An example of this EFTPOS device-tampering scheme befell Michaels Stores Inc in Chicago (United States).532 In this fraud incident, the fraudsters replaced legitimate EFTPOS PIN pads with ones that had been tampered with. The breach affected 90 Michaels stores in 20 states, stretching from Rhode Island to Washington, and opened the debate about which party should be liable for the fraud loss.533 As a precautionary measure, Michaels have removed some 7,200 PIN pads from most of its 964 US stores.534

Another interesting example, still in the United States, was an EFTPOS skimming attack on Save Mart, the Modesto (California) based grocery chain. Save Mart admitted that the skimming attacks that targeted the self-service checkout terminals at 24 Save Mart and Lucky Supermarkets in the San Francisco Bay area were believed to have exposed hundreds of consumer accounts to debit and credit card fraud. For security purposes, Save Mart has replaced or inspected all of its 2,557 EFTPOS terminals, which include self-checkout and staffed checkout lanes.535

However, unlike the Michaels EFTPOS breaches, which were detected by card issuer neural networks systems, the Save Mart breach was uncovered during a routine maintenance check.536 This demonstrates the important fact that only trained maintenance officers are able to distinguish a ‘good’ EFTPOS terminal from one that has been tampered with. Neither staff nor consumers could do so; the terminals were indistinguishable. Hence, it can be assumed that even the most vigilant consumers will

531

See Mohamad, above n 302, 11.

532 Tracy Kitten, 3 Tips to Foil POS Attacks (2011) Bank Info Security

<http://www.bankinfosecurity.com/3-tips-to-foil-pos-attacks-a-3617>.

533 Tracy Kitten, Michaels Breach: Who's Liable? (22 May 2011) Bank Info Security

<http://www.bankinfosecurity.com/michaels-breach-whos-liable-a-3668>.

534 Tracy Kitten, Michaels Breach Bigger than Reported (12 May 2011) Bank Info Security

<http://www.bankinfosecurity.com/articles.php?art_id=3628&rf=2011-05-14-eb>. Another example is from Perth (Australia), where in 2009 POS devices were replaced by skimmers at McDonalds franchises in a POS swap that defrauded 3500 customers of over AUD5 million: Joseph Sapienza, ‘Police Arrest Two in EFTPOS Skimming Fraud’ Brisbane Times [WA News section], 22 December 2009 <http://www.brisbanetimes.com.au/wa-news/police-arrest-two-in-eftpos-skimming-fraud-20091222- lbcz.html>. Although the EFTPOS swap was conducted in Perth, monies were withdrawn in the eastern states and overseas.

535 Tracy Kitten, Grocer Confims POS Skimming Attack: Customers, Card Issuers Watch for Fraudulent

Activity (4 January 2012) Bank Info Security <http://www.bankinfosecurity.com/articles.php?art_id=4376&rf=2012-01-04-

eb&elq=6f859884d23941cab391ff197d886b3c&elqCampaignId=1109>.

120 not be able to notice the possibility of fraud, since the passive skimming attack at EFTPOS terminals will not compromise the smooth operation of EFTPOS transactions. Interestingly, even for countries that have already migrated to EMV chip and a PIN standard, this does not mean that the EFTPOS terminals will be free from fraud. Using PIN pad swap or POS swipe schemes, fraudsters can disable the part of the EFTPOS terminals that read the chip on consumer cards, so the consumer is then forced to swipe the magnetic stripe into the EFTPOS terminal to make a transaction. This is where the consumer’s card data is then stolen by the tampered with EFTPOS terminal.537

In some cases, magnetic stripe data is transmitted wirelessly to criminals who are waiting nearby.538

In ATM/debit card fraud, a merchant owner can independently operate as a point of compromise, or conspire with criminal organisations to orchestrate a fraud attack. If they operate independently, merchants can mount ‘waiter attacks’ in face-to-face transactions or abuse consumer magnetic stripe data during merchant transactions.539 Mobile handheld skimmers can be hidden inside a waiter’s pocket, or mounted underneath a cashier’s desk.540

This fraud method is also called ‘wedge skimming’.541 If colluding with strong criminal organisations, merchants can facilitate attacks using fake or modified EFTPOS terminals and tapping both cardholder magnetic stripe card data and PIN.542

There are also many occasions where a merchant’s cashiers are involved in the fraudulent skimming process. Generally, cashiers (who get paid for working with the skimmers) first swipe the consumer’s card into the EFTPOS terminal, and while the

537 Kitten, 3 Tips to Foil POS Attacks, above n 532. See also Linda McGlasson, Top 4 Skimming Threats:

From Hand-Held POS Devices to Dummy ATMs (2010) Bank Info Security <http://www.bankinfosecurity.com/top-4-skimming-threats-a-3054>.

538 Tracy Kitten, POS Skimming Scam Stopped (2 May 2011) Bank Info Security

<http://www.bankinfosecurity.com/pos-skimming-scam-stopped-a-3592>.

539 ‘Waiter attack’ is one type of eavesdropping attack that is common at points of sale such as

restaurants, petrol stations, shops and so on, where the waiter or other staff member, while taking the consumer’s card for use for payment at an EFTPOS terminal, writes down the financial data embossed on the front of the card, such as the card’s brand and issuer, cardholder’s name, PAN, and expiration date. Instead of taking notes, the staff member also can copy a consumer’s card data using a handheld skimmer.

540

Levi and Handley, above n 343. There can be a problem of merchants who are involved in fraudulent activities, the risk of which is increased by the soaring turnover rate of staff. Some may be serial fraudsters who are connected to criminal organisations. See also Model Criminal Code Officers’ Committee of the Standing Committee of Attorneys-General, above n 466, 5.

541

Siciliano, above n 455.

121 consumer is distracted and not paying attention to the cashier or their card, the cashier swipes the card for a second time but on the fraudsters’ skimmer.543

The cashier also registers the consumer’s PIN, for example by asking the consumers to repeat the entry on the skimming device.544 Another method is simply one where cashiers just observe the consumer entering their PIN at the PIN pad (‘shoulder surfing’).

2. Card ‘Double Swiping’: Merchant’s Cash Register/Computer Abuse

In Indonesia, most EFTPOS terminals do not have a PIN pad shield. Instead of being mounted on the bar and facing the consumer’s side in front of cashier’s desk, EFTPOS terminals generally are lying on the counter and the persons who swipe the card into the EFTPOS terminal are the cashiers themselves instead of the consumers. Even worse, sometimes an EFTPOS terminal is located under the cashier’s table, hence, out of sight of consumers. These practices are very different to those of other countries such as Australia.545

The practices in Indonesia (as mentioned above) are particularly vulnerable to fraud committed by merchant cashiers. By holding the consumer’s card for some time, rogue employees can use a covert and mini hand-held skimmer hidden behind the counter to steal the consumer’s card data (‘wedge skimming’). The unshielded PIN pad and the positioning of the EFTPOS terminal on the counter make it easy for a rogue employee or cashier to steal customer PINs by shoulder surfing. This unfortunate situation is also exacerbated by consumers’ behaviour as they often do not even attempt to cover the PIN pad when they enter their PIN.546

543

See Bobol Data ATM, Dua Kasir Mall Ditangkap [ATM Data Theft, Two Mall Cashiers Busted] (24

November 2011) Beritadewata.com

<http://beritadewata.com/Hukum_dan_Kriminal/Kriminal/Bobol_Data_ATM,_Dua_Kasir_Mall_Ditangk ap.html>.

544 Barwise and Bachfeld, above n 377. See also Albrecht et al, above n 368, 5356;

545 In many countries, including Australia, generally after consumers hand over the purchased goods to a

cashier, that person then scans or enters the price of the goods and asks the customer to independently swipe or insert their payment card into the merchant’s EFTPOS terminal to enable a payment transaction to occur. Most of the EFTPOS terminals are equipped with a PIN pad shield and mounted on a stick or pole facing the consumers almost vertically, making it nigh impossible for the cashier to ‘shoulder surf’ to obtain the consumer’s PIN. Double swiping the consumer’s card into a cash register computer is not common in these countries. From the information security viewpoint, these practices are highly regarded because they can reduce the likelihood of the occurrence of waiter or cashier attack using a hand-held skimmer (because card has never left consumer’s hand in the Australian scenario above), and of PIN theft using the shoulder surfing method or a pinhole camera (due to the orientation and protection of the key pad from the cashier’s line of sight).

122 To further complicate matters, after swiping a consumer’s card in the merchant’s EFTPOS terminal, most merchant cashiers in Indonesia ‘double-swipe’ the payment card into merchant’s card reader in their cash register computer. 547

One of the reasons for this insecure but ‘legitimate’ practice is to speed up reconciliation between payment transaction data in EFTPOS and the merchant record in their cash register system.548 From the information security perspective, swiping consumer cards into merchant cash register computers is very dangerous.549 Consumer debit card data stored in the merchant computer is vulnerable to data breach, especially due to internal fraud. Devos and Pipan note that in relation to administration, fund transfer information and further reference, most of the parties involved in the payment card system keep track of and store the cardholder transaction data. Indeed, according to them, ‘this data is vulnerable and if stolen the data can be used to conduct fraudulent transactions or to produce fake cards’.550

There have been cases in big cafes in Bali where clerks or cashiers, using a mobile phone camera ‘snap’ an image of the consumer’s card data as it appeared on the cash register’s monitor when the card was swiped at the merchant’s cash register computer.551

Based on an interview with Sabu (Halo BCA Division Head, Bank Central Asia, who was also involved in the investigation and apprehension of fraudsters), one manner in which fraudsters capture consumer ATM/debit card information from a merchant’s cash register monitor is as follows: when a consumer’s card is swiped in a merchant’s cash register computer, the magnetic stripe information (in all tracks) that appear in cash

547 ‘Double swiping’ here does not refer to the conduct of merchant cashiers that swipe consumers

payment card twice in the EFTPOS machine for one transaction. Instead, ‘double’ in this sub-section refers to the common practice in almost all merchants in Indonesia where merchant cashiers after dipping or swiping a consumer’s card in the EFTPOS machine to enable payment transactions, also then swipe it again to the merchant’s cash registers to deliberately capture consumers’ payment card magnetic stripe data for merchant reconciliation purposes

548 Rezkiana Nisaputra, Visa Siap Amankan Transaksi Kartu Kredit di Indonesia [Visa Ready to

Safeguard Credit Card Transactions in Indonesia] (24 May 2013) Okezone.com <http://economy.okezone.com/read/2013/04/03/457/785755/visa-siap-amankan-transaksi-kartu-kredit-di- indonesia>.

549 ‘Waspadai Data Skimming Pada Cash Register [Allert on Data Skimming on Cash Register]’ on

BANKINFOSECURITY: SEC_RITY is not complete without ‘U’

<http://bankinfosecurity.wordpress.com/2012/06/23/wasapadai-data-skimming-pada-cash-register/>.

550

Devos and Pipan, above n 297, 3–4.

551 See Gede Suardana, Kasir Mall di Bali Terlibat Jaringan Pembobol ATM [Mall Cashier in Bali

Involved in ATM Fraudster's Network] (24 September 2011) detiknews

<http://news.detik.com/read/2011/11/24/172907/1775045/10/kasir-mall-di-bali-terlibat-jaringan-

pembobol-atm>; Empat Pembobol ATM Diadili [Four ATM Thieves Prosecuted] (27 Agustus 2012) Natanews: Dimensi Baru Informasi <http://www.natanews.com/521/empat-pembobol-atm-diadili/>.

123 register monitor are captured by a fraudster cashier using a mobile phone camera. The consumer’s PIN is obtained by the corrupt cashier ‘shoulder surfing’ and memorising the number entered when the consumer enters their PIN in the EDC PIN pad located at the cashier’s desk. Later, fraudsters use this data to create a counterfeit card and withdraw consumer’s money from ATMs.552

A more sophisticated and massive payment card fraud involving a merchant’s cash register has more recently occurred in Indonesia. In early March 2013, payment card data theft (identity theft) occurred at several Body Shop merchants in Jakarta and Padang (Indonesia) and compromised hundreds of bank consumers’ payment cards (such as credit cards and debit cards) from Mandiri Bank and BCA. Most probably, this breach happened because Body Shop merchants implemented the common practice of ‘double swiping’ for payment card transactions — one swipe to the EFTPOS machine, and another swipe to the merchant’s cash register.553

According to the Indonesian Credit Card Association, around 200 payment cards were counterfeited and more than 10,000 cards blocked and replaced by the affected banks due to this breach.554 The subsequent identity fraud in the form of unauthorised transactions occurred in foreign countries such as the United States, Mexico, the Philippines, Turkey and Malaysia.555 Again, this shows that international actors were also involved in the Indonesian Body Shop case.

However, it is believed that fraud like the Body Shop case has not only happened recently. Many fraud incidents have been left unsettled, or settled privately between the parties involved, where the incident was never reported to the authorities or in the media.

Long before the Body Shop case occurred, in 2007, the author raised this concern informally with several high ranking officers at Bank Indonesia and at the author’s issuing bank (which is also an acquiring bank), and via one fraud discussion group

552 Interview with Nathalya Wani Sabu, Division Head Halo BCA, PT Bank Central Asia, Tbk (Jakarta,

14 August 2012).

553 Martha Thertina and R R Ariyani, 'YLKI: Regulasi Kerahasiaan Data Pribadi Mendesak [YLKI:

Privacy Regulation is Urgent]', Koran Tempo 5 April 2013, B2.

554 Martha Tertina and Rhama T W, 'Merchant Dilarang Double Swipe Kartu Pembayaran [Store

Prohibited Double Swipe Payment Cards]', Koran Tempo 15 April 2013, B2.

124 mailing list.556 However, no attention was paid to this by either the regulator or the

Documento similar