12.09.11

The woes of a Physical Security breach

This blog is written to emphasize the importance of physical security in this day and age. I myself am a victim of a recent physical security breach at Lucky Supermarkets in the United States, which has resulted in the theft of the debit card details of many of its customers. It has been confirmed that more than 20 stores are affected, through the 500 or more self-checkout stations that were compromised to carry out this physical-access attack.

For the benefit of people who are unaware, self-checkout stations, as the name suggests, are a convenient way to pay for your shopping by yourself at physical stores. Customers use a touch screen and a barcode scanner to scan the products they are buying, then swipe their payment card and enter their PIN to authorize the payment. This lets customers avoid long queues at the traditional cashier-based checkout points in the store. The concern with such stations is that they are mostly unmanned and lack thorough supervision, so anyone with a few minutes of unobserved access can tamper with the card reader, and the tampering is unlikely to be noticed by the next customer.

In my case, I have some precautions on my account to ensure that I know what transactions occur on it. I had mobile text transaction notifications from my bank enabled, along with daily spending limit alert notifications. So when I recently saw a message notification on my phone stating that an ATM withdrawal of 500 dollars had been made from my account while I was actually at work, I called the bank immediately to report the fraud, and the bank helped put the money back and ordered a new payment card for me. However, I realized that the same had happened to a friend who lived near me, and the common place where we had both used our debit cards was none other than the Lucky Store near our house. Soon enough, the store released a public statement that its checkout machines had been compromised and that many customers were possibly affected, which confirmed the source of the attack.
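The reasoning in the paragraph above, two victims comparing their card histories to find the one merchant they share, is exactly what banks do at scale under the name common-point-of-purchase (CPP) analysis. The following is an added example, not code from the original post or from any bank: it takes a constructed set of card transactions and the set of cards whose holders reported fraud, and ranks merchants by how many of the victims used them in a time window, together with the fraud rate among all cards seen at that merchant. Merchant names, card identifiers and dates are made up for the illustration.

```python
from collections import defaultdict
from datetime import date

# Constructed sample data for this example (not real transactions).
# Each record: (card_id, merchant, transaction_date)
TRANSACTIONS = [
    ("card_A", "Lucky Store", date(2011, 11, 20)),
    ("card_A", "Gas Station", date(2011, 11, 22)),
    ("card_A", "Coffee Shop", date(2011, 11, 25)),
    ("card_B", "Lucky Store", date(2011, 11, 21)),
    ("card_B", "Coffee Shop", date(2011, 11, 26)),
    ("card_B", "Bookstore", date(2011, 11, 28)),
    ("card_C", "Lucky Store", date(2011, 11, 23)),
    ("card_C", "Gas Station", date(2011, 11, 29)),
    ("card_D", "Coffee Shop", date(2011, 11, 24)),
    ("card_D", "Bookstore", date(2011, 11, 27)),
    ("card_E", "Lucky Store", date(2011, 10, 5)),   # before the window: ignored
]

# Cards whose holders reported unauthorized withdrawals (constructed).
FRAUD_CARDS = {"card_A", "card_B", "card_C"}


def common_points_of_purchase(transactions, fraud_cards, window_start, window_end):
    """Rank merchants as candidate compromise points.

    For each merchant seen inside the window, count the distinct fraud-reporting
    cards and the distinct cards overall. Two ratios matter:
      victim_coverage: share of all victims who used this merchant
                       (a real CPP is used by nearly every victim);
      fraud_rate:      share of this merchant's customers who are victims
                       (separates a compromised terminal from a merchant that
                       simply everybody in the area visits).
    """
    if not fraud_cards:
        raise ValueError("need at least one fraud-reporting card")

    fraud_users = defaultdict(set)   # merchant -> victim cards seen there
    all_users = defaultdict(set)     # merchant -> every card seen there
    for card, merchant, when in transactions:
        if not (window_start <= when <= window_end):
            continue
        all_users[merchant].add(card)
        if card in fraud_cards:
            fraud_users[merchant].add(card)

    results = []
    for merchant, cards in all_users.items():
        n_fraud = len(fraud_users[merchant])
        results.append({
            "merchant": merchant,
            "fraud_cards": n_fraud,
            "total_cards": len(cards),
            "victim_coverage": n_fraud / len(fraud_cards),
            "fraud_rate": n_fraud / len(cards),
        })
    # Most-covering merchant first; among ties, the one whose customers are
    # most often victims.
    results.sort(key=lambda r: (r["victim_coverage"], r["fraud_rate"]), reverse=True)
    return results


def run_example():
    """Analyse the constructed data over November 2011 and return the ranking."""
    return common_points_of_purchase(
        TRANSACTIONS, FRAUD_CARDS, date(2011, 11, 1), date(2011, 11, 30)
    )


if __name__ == "__main__":
    for row in run_example():
        print(f'{row["merchant"]:12s} victims={row["fraud_cards"]}/{len(FRAUD_CARDS)} '
              f'customers={row["total_cards"]} fraud_rate={row["fraud_rate"]:.2f}')
```

On the constructed data the ranking puts "Lucky Store" first: all three victims used it, and every card seen there in the window belongs to a victim. "Coffee Shop" is also used by two of the three victims, but one of its three customers was never defrauded, so its fraud rate is lower. The analysis only names a suspect; confirming a compromise still means physically inspecting the terminals at that merchant, which is the step the store in this incident apparently never took on its own.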

The interesting thing about this attack is that the victim had no control or precaution that could have prevented it: the card and PIN were captured during a legitimate purchase on a terminal that looked normal. Responsibility for this mishap lies with the store, which apparently did not monitor its self-checkout machines for tampering or audit its physical payment systems regularly.

The criminals behind this attack are still at large, and the investigation is ongoing at the time of writing. They rigged the card readers of the in-store self-checkout machines with data-skimming devices that transmitted the captured card data wirelessly. This meant that the thieves did not need to be physically present at the store, or to visit it again, to collect the stolen information. As more and more devices are linked wirelessly to make the consumer experience more convenient, the same convenience is created for the attacker, who no longer has to return to the scene to retrieve a skimmer.

Hopefully this incident and this blog will remind us all that we can never be 100% safe, and that we should exercise equal caution when making physical purchases with our electronic payment cards as when making online ones. Wishing everyone a safe shopping experience this holiday season!

Some recommendations:

  • Always enable transaction notifications on your accounts, by email or text message. At the very least you find out quickly when your account has been compromised, as happened in my case.
  • Be wary when using payment cards in stores. Large stores usually audit their systems frequently, although that did not help in the incident described here; it is still advisable to avoid small shops and unattended payment machines, and to prefer a staffed lane where you can.
  • Do not share your payment details or cards with anyone, and do not store them in an easily accessible place.
  • Change the passwords and PINs associated with your payment methods from time to time. Keeping the same credentials for years makes you more susceptible to fraud, though note that a PIN change only helps against a skimming attack if it happens before the stolen data is used.
  • Use online services (such as Verified by Visa) or other two-factor authentication mechanisms approved by your bank for extra safety. It may mean a few more steps to complete a transaction, but it is better to be safe than sorry.
  • Read your bank's newsletters and advisories to keep up with the latest known threats affecting the bank and its customers.
  • If you observe any suspicious activity on your account, notify your bank immediately and ask what the next course of action should be.