Have you ever heard of a scam where the bad guy places a free-standing kiosk in a store or ATM lobby and the kiosk offers a FREE service like, “Swipe here to clean your card”? Some of you might think, “Wow, that is nice of someone. A FREE service to clean my card? Awesome! Perhaps my card will work better or faster? Maybe the clerk at the checkout counter won’t have to swipe my card multiple times to make the transaction go through. Might it sanitize my card, getting rid of germs?”
Others of you might be more skeptical and think, “Wait a second, nothing is FREE. Why would someone offer this service? Who cares if my card is a bit dirty? Dirty cards can often read at the ATM or POS. So why is this here? And who put it here? And what is involved in ‘cleaning’ my card?”
If you fall into the latter group of healthy skeptics, then you are part of a more exclusive club with fewer members admitted daily. In this case, you are in the 1%. This does not mean you make more than $1 million per year. This group of 1 Percenters may be rich or poor, or anywhere in between.
If you fall into the former group of people that thought, “Wow….how nice……,” then you are the ideal victim the bad guys are banking on; your naïveté places you into the 99% who are vulnerable to increasingly prevalent financial scams. Like the 1 Percenters, victims in this category are also rich and poor and everything in between.
The bad guys know that card data is already “in-the-clear,” thanks to the card issuers. The issuers breached it at the point of issuance: the account number, expiry date and cardholder name are printed and embossed on the face of the card, and the same account number, expiry date and service code are encoded on the magnetic stripe, readable by any off-the-shelf stripe reader. And the bad guys also know that they can steal it right from under your nose before the card data ever enters a fully protected, technologically advanced, PCI compliant POS or ATM system.
Imagine securing your house by locking the front door with the latest and greatest deadbolt locks and a steel-reinforced door, but leaving your back screen door unlocked and wide open. Where do you think the bad guys are going to try and get in? To translate: the heavily secured front door represents the PCI compliant systems that merchants must purchase and have assessed every year. The flimsy, easily breached screen door represents the card data that is encoded, embossed or printed right on the card; it is static, it never changes from one transaction to the next, and once copied it is usable to clone a stripe card or, in many cases, to make card-not-present purchases without any card at all.
If they are as smart as the average kid who sneaks out for a night of partying and then tries to get back into his parents’ house, they are going to the back door, the one that is wide open and unlocked. That’s the “Swipe here to Clean your Card” kiosk: a skimmer the bad guys use to socially engineer the card data right out from beneath the PCI DSS, and at the merchant’s expense. When the stolen cards are later traced back, the common point of purchase is your store. Try telling your acquirer and the card brands (the PCI SSC writes the standard; the brands and acquirers enforce it) that you had the best systems in place and just completed your annual assessment. They will tell you that your store was the source of the data breach and that you and you alone are responsible. Then they just might revoke your compliant status, prevent you from accepting branded payment cards and fine you for your lack of security.
Scary stuff, I know, but that is why compliance does NOT stop fraud losses. The bad guys don’t fight fair. The bad guys don’t follow any rules. The bad guys are more nimble. They can change their tactics quickly and operate with almost total stealth. Most importantly, their tactics are fairly simple. To defend against these tactics we must adopt unconventional methods that strike at the core of their strategy. We must adopt strategies built on “dynamic authentication,” where each transaction carries a value that is generated for that transaction only and is worthless if copied and replayed. That removes the incentive to steal the data, because it eliminates its redemption value. However, we must do it in a way that is affordable and has a positive return on investment. If it isn’t, then we must ask why we are doing it in the first place.
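To make the contrast concrete, here is an added illustration (not code from the original post): it parses the static track 2 data a “card cleaner” skimmer copies from one swipe, then models two issuers. The first authorizes on that static data alone, so a replay of the skimmed swipe succeeds. The second requires a per-transaction cryptogram computed with a key that lives only on the card, with a transaction counter and the terminal’s nonce bound in. This is a deliberately simplified model of the dynamic-authentication principle, not EMV’s actual ARQC scheme; the key handling, counter rule, message layout and the sample track string are all assumptions for the demonstration.

```python
import hashlib
import hmac
import secrets

# Constructed sample track 2 string (the common 4111... test PAN, not a real card).
# Track 2 layout: ';' PAN '=' YYMM service-code discretionary-data '?'
SAMPLE_TRACK2 = ";4111111111111111=29121010000000000000?"


def parse_track2(track2: str) -> dict:
    """Return the static fields a magstripe skimmer captures from a single swipe."""
    body = track2.strip()
    if not (body.startswith(";") and body.endswith("?")):
        raise ValueError("missing track 2 sentinels")
    pan, sep, rest = body[1:-1].partition("=")
    if sep != "=" or not pan.isdigit() or not 12 <= len(pan) <= 19:
        raise ValueError("malformed PAN field")
    if len(rest) < 7 or not rest[:7].isdigit():
        raise ValueError("malformed expiry/service code")
    return {
        "pan": pan,
        "expiry": rest[:4],            # YYMM
        "service_code": rest[4:7],
        "discretionary": rest[7:],
    }


def cryptogram(key: bytes, pan: str, counter: int, amount_cents: int, nonce: bytes) -> bytes:
    """Per-transaction MAC over card, counter, amount and terminal nonce (assumed simplified scheme)."""
    msg = f"{pan}|{counter}|{amount_cents}|".encode() + nonce
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


class StaticIssuer:
    """Authorizes on static track data alone: a copy of one swipe is as good as the card."""

    def __init__(self, enrolled_pans):
        self.enrolled = set(enrolled_pans)

    def authorize(self, track2: str, amount_cents: int) -> bool:
        return parse_track2(track2)["pan"] in self.enrolled and amount_cents > 0


class DynamicIssuer:
    """Keeps each card's key and last-seen counter; demands a fresh cryptogram every time."""

    def __init__(self):
        self.keys = {}
        self.last_counter = {}

    def enroll(self, pan: str) -> bytes:
        key = secrets.token_bytes(16)       # assumed: provisioned onto the card at issuance
        self.keys[pan] = key
        self.last_counter[pan] = 0
        return key

    def authorize(self, auth: dict) -> bool:
        key = self.keys.get(auth["pan"])
        if key is None:
            return False
        if auth["counter"] <= self.last_counter[auth["pan"]]:
            return False                    # replayed or stale counter
        expected = cryptogram(key, auth["pan"], auth["counter"], auth["amount_cents"], auth["nonce"])
        if not hmac.compare_digest(expected, auth["mac"]):
            return False                    # wrong key, or amount/nonce tampered with
        self.last_counter[auth["pan"]] = auth["counter"]
        return True


class DynamicCard:
    """Holds a secret the stripe never exposes; stripe data alone cannot produce a valid MAC."""

    def __init__(self, pan: str, key: bytes):
        self.pan, self.key, self.counter = pan, key, 0

    def build_authorization(self, amount_cents: int, terminal_nonce: bytes) -> dict:
        self.counter += 1
        return {"pan": self.pan, "counter": self.counter, "amount_cents": amount_cents,
                "nonce": terminal_nonce,
                "mac": cryptogram(self.key, self.pan, self.counter, amount_cents, terminal_nonce)}


def demo() -> dict:
    """The skimmer captures one transaction under each scheme, then tries to cash it in."""
    pan = parse_track2(SAMPLE_TRACK2)["pan"]
    static = StaticIssuer([pan])
    results = {
        "static_genuine": static.authorize(SAMPLE_TRACK2, 1999),
        "static_replay": static.authorize(SAMPLE_TRACK2, 49999),   # copied swipe, any amount, any day
    }
    dynamic = DynamicIssuer()
    card = DynamicCard(pan, dynamic.enroll(pan))
    genuine = card.build_authorization(1999, secrets.token_bytes(8))
    captured = dict(genuine)                # skimmer records the entire message
    results["dynamic_genuine"] = dynamic.authorize(genuine)
    results["dynamic_replay"] = dynamic.authorize(captured)       # same counter: rejected
    captured["counter"] += 1                # try to forge a "new" transaction
    captured["amount_cents"] = 49999
    results["dynamic_forged"] = dynamic.authorize(captured)       # MAC no longer matches: rejected
    return results


if __name__ == "__main__":
    print(demo())
```

The point of the model is the last two results: the captured message is worthless to replay and cannot be edited into a new one without the card’s key. Two caveats for the practitioner: the PAN still travels in the clear in this model, so it remains usable for card-not-present fraud unless it is also tokenized; and a real deployment needs a counter window and key management that this sketch leaves out.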
The PCI DSS is said to be a standard. We know that standards are slow to evolve and that they do not account for all threat vectors. They rely on a lowest-common-denominator set of requirements, and that is their inherent weakness. If PCI does not allow for tactical strategies built on technological innovation, and the council continues to act as an agent of the brands and a bottleneck for innovation, at the merchant’s and ultimately the consumer’s expense, then why does anyone think we can defeat the bad guys using such outdated tactics? Tell the PCI SSC that you want to invest ONLY in technologies that can STOP fraud. Ask them how the PCI DSS protects you from the simple, socially engineered skimming scam described here. Come back and tell us what they say.