New anti-fraud technology that NCR (NYSE:NCR) is rolling out for its ATMs might find even broader use in point-of-sale PINpads—but not the way that most PINpads are currently designed.
The new features, which NCR is calling SPS (for "skimming protection solution"), involve two elements. First—and most technically interesting—is a jammer that disrupts a skimmer that has been attached to the front of an ATM. When a motorized card reader pulls a payment card into the ATM, the electromagnetic jammer prevents a skimmer from reading the mag stripe on the card.
The second, more mundane technology is having the card-reading device send diagnostic information to the bank in real time when there's evidence of tampering.
How could any of this help block PINpad skimming? Most PINpads use a simple swipe slot, which makes installing a skimmer easy and jamming it almost impossible. Those motorized NCR ATMs don't read the card's mag stripe until it's safely inside the machine, but the card never goes inside a typical PINpad. That makes the jamming technology useless for most existing PINpads.
But the technology that detects whether a skimmer has been attached should be pretty straightforward to adapt to POS devices. The phone-home element should also be straightforward, and it duplicates something that really should be happening with every network-connected PINpad anyway. The most common non-skimmer attack on PINpads involves a thief disconnecting a POS device on a store's counter and swapping in one that's been tampered with. That event should show up on network logs, but it's only likely to be noticed when (and if) a network administrator gets around to reviewing the logs.
If the PINpad, however, is generating a real-time stream of anti-tampering information, that stream could be sent directly to systems that are paying attention—for example, at a card processor. If a new PINpad unexpectedly shows up at a store, the card processor could flag the device even before the first customer tries to use it. Likewise, if a PINpad detects that a skimmer has been attached, it could notify the card processor, which could notify the cashier immediately.
It's in the interest of card processors to add that kind of monitoring to their services, and that's the logical place to do it. It's already clear that retailers' own network logs aren't checked regularly enough. For smaller chains and individual stores, that may just not be practical. Processors, on the other hand, could check anti-tampering information even with dial-up PINpads.
Whether these technologies will actually show up in PINpads anytime soon depends on PIN-pad makers themselves. But now seems like a good time to cram anti-skimming and anti-tampering features into the devices. With a 2015 deadline for retailers to be able to handle EMV cards, there will be lots of PINpad refreshes going on (most of them probably at the last minute). And even though the anti-skimming technology applies only to mag-stripe readers, considering how hard it has been to kill mag stripes in the past, there's every reason to believe mag stripes (and skimming) will still be around for a long time.
Teavana Data Breach Fuels Gift Card Buys At Target
Remote Access Breach Hits Retailers In Kentucky, Indiana
Are PIN Pads Insecure By Design?