With the recent reports of data breaches from ATMs involving over 3.5 million debit cards in India, and banks rushing to block as many cards as possible, warning bells should ring for those who frequently flash their plastic cards anywhere and anytime to shop, especially at unauthenticated or unsecured point-of-sale (POS) or payment terminals.
The incident also opened a serious debate on how safe our ATM and point-of-sale payment structures really are when malware authors keep adopting new techniques to export vital credit/debit card details from POS terminals to their remote servers.
Though it is still not clear how much money was siphoned off from card holders' accounts, or how banks are going to compensate customers, it is clear that debit and credit card holders can no longer sit back and relax.
Recently, actress Nargis Fakhri lost her Rs 6 lakh to a fraudulent credit card transaction when her ‘cloned’ card was swiped in a US store when she landed in India.
How do card breaches happen?
Many of the payment card breaches reported worldwide in recent months came from hospitality and retail businesses. Hackers always look for easy targets. Security experts say that POS systems are relatively easy to intrude because most of them run older and easily accessible security protocols.
In most cases, attackers use memory-scraping malware, which is nothing but a rogue software program, to infect point-of-sale systems. But in places like India, where awareness of card breaches is abysmally low among card users and retailers, malware authors can adopt several easier ways to steal data, owing to the lack of encryption and authentication between POS payment systems and card readers, experts warn.
POS systems become easy targets
POS terminals are specialized computers doing all necessary functions required for retail business. These systems mostly run Windows and have peripherals like touch screens, card readers with PIN pads, keyboards, receipt printers and barcode scanners. Every POS system has a particular payment application installed to handle transactions and other in-store works.
One of the common ways attackers steal credit/debit card data from POS terminals is by infecting them with a suitable malware program through remote-support credentials or other techniques. These programs are known as RAM or memory scrapers because they look for card details in the system's memory while the payment application is processing a transaction.
Bhaskar Venkatraman, CEO of JusTransact.com, a leading e-commerce firm that deals exclusively in POS technology products in India, says: “Retailers and banks should take extra care while offering cash-less transaction services to customers at POS. Point-to-Point Encryption (P2PE) is an ideal way to protect customers' sensitive card details from getting pilfered by unscrupulous hands. Here data from the PIN pad to the payment processor can be encrypted. If P2PE is not possible on existing hardware, retailers should consider shielding the communication path between payment terminals and POS software with Transport Layer Security (TLS) and digitally signing all requests sent back to PIN pads by payment applications.”
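The last recommendation above, signing every request the payment application sends to the PIN pad, is worth seeing in code. The following is an added illustration written for this article; it is not code from JusTransact.com or from any POS vendor. It assumes a hypothetical shared key provisioned into the PIN pad at deployment (a constructed value), a JSON message format and a per-device sequence counter, all of which are assumptions rather than details from the text. The PIN pad accepts only commands whose HMAC-SHA256 tag verifies under that key and whose sequence number is fresh, so a tampered amount, a replayed message, or a command from software that does not hold the key is rejected.

```python
import hashlib
import hmac
import json

# Hypothetical shared secret provisioned into the PIN pad at deployment.
# Constructed value for the example; a real deployment keeps a per-device
# key inside the terminal's secure element, never in POS software config.
SHARED_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")


def canonical_body(seq, command):
    """Serialise a command deterministically so sender and receiver MAC the same bytes."""
    return json.dumps({"seq": seq, "cmd": command},
                      sort_keys=True, separators=(",", ":")).encode()


def sign_request(key, seq, command):
    """Payment-application side: attach an HMAC-SHA256 tag to an outgoing PIN pad command."""
    body = canonical_body(seq, command)
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"body": body.decode(), "mac": tag}


class PinPad:
    """PIN-pad side: verify the tag and the sequence number before acting on a command."""

    def __init__(self, key):
        self.key = key
        self.last_seq = 0          # highest sequence number accepted so far
        self.displayed = []        # commands the pad has actually executed

    def accept(self, message):
        body = message["body"].encode()
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest()
        # Constant-time comparison: never short-circuit on the first differing byte.
        if not hmac.compare_digest(expected, message["mac"]):
            return "rejected: bad signature"
        payload = json.loads(body)
        # A valid but old message is a replay; only strictly increasing counters pass.
        if payload["seq"] <= self.last_seq:
            return "rejected: replayed"
        self.last_seq = payload["seq"]
        self.displayed.append(payload["cmd"])
        return "accepted"


def demo():
    """Run the four cases a defender cares about and return the pad's verdicts."""
    pad = PinPad(SHARED_KEY)
    verdicts = []

    # 1. Genuine command from the payment application.
    msg = sign_request(SHARED_KEY, 1, {"action": "display_amount", "amount": "499.00"})
    verdicts.append(pad.accept(msg))

    # 2. Same message with the amount altered in transit; the MAC no longer matches.
    tampered = {"body": msg["body"].replace("499.00", "4.99"), "mac": msg["mac"]}
    verdicts.append(pad.accept(tampered))

    # 3. The original, correctly signed message sent a second time (replay).
    verdicts.append(pad.accept(msg))

    # 4. A command signed by software that does not hold the provisioned key.
    forged = sign_request(b"not-the-provisioned-key", 2,
                          {"action": "display_amount", "amount": "1.00"})
    verdicts.append(pad.accept(forged))

    # 5. The next genuine command, with a fresh sequence number, is accepted.
    nxt = sign_request(SHARED_KEY, 2, {"action": "prompt_pin"})
    verdicts.append(pad.accept(nxt))
    return verdicts


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

Signing covers only the path from the payment application to the PIN pad; it does not protect card data on the way back. That is what P2PE (encrypting from the PIN pad to the processor) addresses, which is why the article lists the two measures together rather than as alternatives.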
Mobile payments with digital wallet services should be used wherever possible, as they are safer than conventional POS payment terminals, he suggested.
With malware authors finding Indian payment gateways too easy to use for financial fraud, service providers and IT experts should tighten the security screws more firmly to deny card fraudsters access to vital customer information.
Also published in Merinews