Card fraud is a rare kind of threat in that it doesn't solely occur online but offline as well. Unfortunately, many small businesses are not sufficiently protected from the dire consequences of payment card fraud.
In 2018, losses due to payment card fraud reached $24.26 billion worldwide. Experts project that losses will balloon to $36.44 billion by 2022.
As much as small business owners would like to think their size does not make them a target for thieves, that simply isn't the case. Small businesses reported losing an average of $37,258 to card fraud last year.
Whether you run an online business or a brick-and-mortar operation, there are certain types of card fraud you need to be aware of. In this article, I discuss the threats small business owners face and offer recommendations so you (and your customers) do not fall victim to card fraud.
Types of hardware-enabled payment card fraud
Obtaining payment card credentials requires physical access to the victim's point-of-sale (POS) equipment – the terminals that store personnel use to read data off cards and process transactions. There are two possible scenarios where in-store payment card fraud occurs:
- Clerk skim: This tactic requires the help of a store clerk to run a payment card through a reader that copies the data stored on its magnetic strip to a storage device. This is usually done before the clerk runs the card through the store's POS terminal.
- POS swap: In this scenario, a criminal poses as a POS technician and replaces a store's existing terminals with clones that can be remotely accessed.
Regardless of the manner used, a consumer's payment card data end up in criminals' hands.
Types of malware-enabled payment card fraud
A particularly insidious type of fraud doesn't involve physically altering a store's POS system; instead, cyberthieves work hard to create different variations of malware that steal user data stored on payment cards from retail checkout systems.
POS malware hunts for credit card data that includes the owner's full name, billing address, expiration date, and card verification value (CVV) numbers. This information very briefly becomes available in unencrypted format in a device's memory, and POS malware gathers it instantly once the unencrypted data is detected. The stolen data is then sent to the attacker's computer or server.
More advanced payment card fraudsters, however, infiltrate databases where the information is stored. These cases fall under the broad category of data breaches that involve the theft of personally identifiable information, or PII, in bulk.
There's a reason why most payment card fraudsters resort to online forms of fraud. Online fraud presents fewer risks than engaging in physical theft. Online criminals can easily cover their tracks as opposed to being caught red-handed with a skimming device in an actual store.
Most fraudsters collect credit card data to collate so-called "fullz" dumps, cybercriminal slang for "full credit card data" repositories, that they then peddle in underground markets or the deep web. Some create and sell actual cards or credit card clones coded with stolen data. Still, other cyberthieves use the stolen data to make card-not-present purchases for personal gain.
Recent POS malware attacks you may have heard about
Over the years, various high-profile retail, hotel and restaurant chains have suffered significant losses due to POS malware infections. Here are some that you may know about, or that may have personally affected you.
- The Target breach in 2013: An in-depth investigation following one of the biggest data breaches revealed that attackers obtained the payment card information of 110 million consumers through POS malware. POS terminals in unnamed branches of the store may have been tampered with, allowing the attackers to hack into Target's payment card database. A few weeks after the compromise, card dumps related to the Target breach flooded underground markets. Before the card numbers could be used for fraud, some banks canceled the affected cards and issued new ones to their owners.
- Home Depot breach in 2014: Like Target, the Home Depot attackers obtained access to the payment card details of 56 million of the store's customers via a POS malware attack. Though how they managed to hack into Home Depot's network wasn't revealed, the store's management admitted that the source of the compromise was traced to its POS system.
- InterContinental Hotels Group (IHG) in 2017: Twelve of the group's hotels in North America and the Caribbean suffered from POS malware infections, exposing its customers to significant risks. The source of the infection was traced to IHG's payment processing server.
- Sabre Corp breach in 2017: The company's online reservation system was infected with a POS malware variant that put its clients and consumers at risk of financial and identity theft. Because Sabre Corp provided reservation services to clients that include Hard Rock and Lowes Hotels, this incident put them at risk as well.
- Forever 21 breach in 2018: Though the exact number of affected customers wasn't revealed, Forever 21 admitted that POS terminals in several of its stores were infected with POS malware for as long as eight months.
- Applebee's breach in 2018: POS terminals in more than 160 of the restaurant's branches were infected with POS malware, which put its customers at great risk of financial and identity theft.
- Checkers breach in 2019: Reports revealed that POS terminals in 15% of the food chain's stores were infected with POS malware.
- Earl Enterprises in 2019: This breach put the customers of well-known restaurants like Bucca di Beppo, Planet Hollywood, Chicken Guy!, Mixology, Tequila Taqueria, and Earl of Sandwich at significant risk. A POS malware variation had been present in the chain's systems for nearly 10 months before it was detected. A month after the malware was detected, 2 million credit card numbers that were stolen during the incident were sold online.
After a spate of POS malware attacks, banks and financial service providers migrated to Europay, Mastercard and Visa (EMV) chip and pin technology. They hoped the stricter requirements for using EMV chip and PIN cards would alleviate the problem. Years after their introduction, however, there are still attacks against establishment chains and small businesses alike.
DMSniff: The latest form of POS malware
The newest malicious form of POS malware on the block is DMSniff. Though believed to have been active since 2016, it made waves this year, thanks to its use of domain generation algorithms. Because the malware can change domains upon detection, it stays under the radar while spreading mayhem.
To date, 11 variations of DMSniff have been found. These are believed to gain access to POS systems using a combination of brute-force and exploit attacks. In a brute-force attack, threat actors subject systems to innumerable username and password combinations until the right ones are found and compromise is achieved. In exploit-enabled attacks, the threat actors scan victims' networks for vulnerabilities. Once holes are found, the right exploit is dropped, and the network is breached.
DMSniff is just one form of POS malware that is still actively wreaking havoc against many establishments today. Businesses, especially small businesses, need to monitor their systems for fraud.
Best practices to reduce your risk of payment card fraud
Whether fraud occurs digitally or in-store, the damage caused to small businesses and their customers can be irreparable.
Companies, therefore, need to prevent payment card fraud. Here are six steps small business owners can take to reduce their risk of credit card fraud:
- Screen potential employees, especially those who'll operate payment systems, thoroughly.
- Do not just trust anyone to fix or update your payment terminals or systems. Ask for their credentials and verify with the POS company that the technician is affiliated with the company.
- Use firewalls and antimalware solutions on your systems.
- Employ web categorization and other website monitoring tools to identify malicious visitors and block them from accessing your network.
- Protect your routers. Employ bring-your-own-device (BYOD) guidelines. Some threats get into networks via insufficiently protected devices.
- Block potential POS threats from online sources by obtaining a list of domains tied to attacks.