Given the cross-country locations of the Barnes & Noble stores that were victims of credit card breaches due to tampered credit card terminals, one of two culprits can be pegged for the crime—either a very organized criminal group that operates in a variety of locations, or a localized group that was able to infiltrate the operation that configures and ships out the terminals for Barnes & Noble.
Based on investigations similar to this, it is likely that a criminal operation infiltrated a centralized location, which is responsible for the configuration, repair and replacement of credit card terminals for Barnes & Noble.
Retailers of all sizes employ the same type of credit card terminals as large retailers such as Barnes & Noble. So, what can retailers, including small and middle market establishments, do to minimize this sort of attack? Here are some actions to consider.
• Only contract with a reliable terminal supplier. There is a big temptation to use any vendor as a supplier, particularly if their costs are the lowest. However, as part of a vendor selection process, organizations should ask a supplier of terminals what they do to ensure terminals do not get tampered with. At a minimum, vendors should put their employees through periodic background checks, track which employees work on what units, and do random physical internal inspections of units to ensure they are not tampered with before they are sent out.
• Lock down terminals. Terminals that are not locked down are easy to quickly swap out with a doctored unit. Terminals should be locked in a cradle and only the manager on duty should have the key. What's more, the keys to these terminal cradles need to be distinct for each location so that one key does not open every cradle at every location.
• Confirm a terminal swap. Too many merchants are too relaxed in their terminal swap procedures. If a terminal turns up with instructions for a swap, or a technician appears with a new terminal, the store personnel should not handle the swap. A terminal swap procedure should involve the generation of a trouble ticket in a help desk system and the store manager should confirm the swap with the help desk or point-of-sale (POS) support.
• Use MAC address filtering on your store location networks. If a device is unplugged and a new device is plugged in with a different MAC address, it will not work and the network should generate an alert.
• Monitor your sensitive devices. If a credit card terminal or POS gets unplugged from a network, the network should generate an alert. The alert should then be correlated to a help desk ticket. If there is no ticket, someone should immediately notify loss prevention and follow up with store management to find out why the device was unplugged.
• Monitor the network. Terminals or POS systems should only communicate with the service provider for transaction authorization, and the store's router(s) and/or firewall(s) should be configured accordingly. If a terminal or POS attempts to communicate with any other external IP address, that should generate an alert to corporate IT and security, which should then be investigated immediately. This will catch tampered devices that attempt to transfer data to a server outside of your network.
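The last three controls (MAC address filtering on terminal ports, alerting on unplugged terminals and correlating the alert to a help desk ticket, and alerting on terminal traffic to anything other than the payment processor) are the ones a store network can enforce in software. The script below is an added example and is not code from the article or from any retailer or terminal vendor: it reads switch link events and firewall connection records in a constructed log format, checks them against a constructed terminal inventory, an open-ticket list and an authorized processor address range (all placeholder values), and emits the alerts each bullet describes. The log layout, field names and store/port identifiers are assumptions made for the example.

```python
"""Added example (not from the article): correlate store-network events with
terminal inventory, open help desk tickets and the authorized payment-processor
range to raise the alerts the MAC-filtering, unplug and egress controls call for.
All inventory, tickets, addresses and log lines are constructed sample data."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed inventory: per store, the approved terminal on each switch port.
TERMINAL_INVENTORY = {
    "store-017": {
        "Gi1/0/5": {"mac": "00:1b:44:11:3a:b7", "ip": "10.17.0.21"},
        "Gi1/0/6": {"mac": "00:1b:44:11:3a:c2", "ip": "10.17.0.22"},
    },
}
# Constructed placeholder: the only external range a terminal may reach (processor).
AUTHORIZED_EGRESS = [ipaddress.ip_network("203.0.113.0/24")]
# Constructed: open help desk tickets that authorize a swap on a specific port.
OPEN_SWAP_TICKETS = {("store-017", "Gi1/0/6"): "HD-4471"}

# Constructed log format: "<ts> <store> <switch|fw> <EVENT> key=value ...".
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<store>\S+) (?P<source>switch|fw) (?P<event>[A-Z-]+)"
    r"(?P<kv>(?: \w+=\S+)*)$"
)


@dataclass
class Alert:
    severity: str
    store: str
    reason: str
    ticket: Optional[str] = None


def parse_line(line):
    """Return a dict with ts/store/source/event/fields, or None for junk lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["fields"] = dict(kv.split("=", 1) for kv in rec.pop("kv").split())
    return rec


def evaluate(rec, inventory=TERMINAL_INVENTORY, tickets=OPEN_SWAP_TICKETS,
             authorized=AUTHORIZED_EGRESS):
    """Apply the three controls to one parsed record; return an Alert or None."""
    store, f = rec["store"], rec["fields"]
    terminals = inventory.get(store, {})
    port = f.get("port")
    # Control: a terminal port going down must match an open help desk ticket.
    if rec["event"] == "LINK-DOWN" and port in terminals:
        ticket = tickets.get((store, port))
        if ticket:
            return Alert("info", store, f"terminal on {port} unplugged under ticket", ticket)
        return Alert("high", store,
                     f"terminal on {port} unplugged with no open ticket: notify loss prevention")
    # Control: only the inventoried MAC may come up on a terminal port.
    if rec["event"] == "LINK-UP" and port in terminals:
        expected = terminals[port]["mac"]
        seen = f.get("mac", "").lower()
        if seen != expected:
            return Alert("high", store,
                         f"unknown MAC {seen} on terminal port {port} (expected {expected})")
        return None
    # Control: a terminal may only talk to the processor's authorization range.
    if rec["event"] == "CONNECT":
        terminal_ips = {t["ip"] for t in terminals.values()}
        if f.get("src") in terminal_ips:
            dst_ip = ipaddress.ip_address(f["dst"].rsplit(":", 1)[0])
            if not any(dst_ip in net for net in authorized):
                return Alert("critical", store,
                             f"terminal {f['src']} contacted unauthorized host {dst_ip}")
    return None


def run(lines, **kw):
    """Evaluate every parseable line and return the list of alerts raised."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        alert = evaluate(rec, **kw)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample: a ticketed swap, then an unticketed swap to a foreign MAC
# that later beacons to a host outside the processor range.
SAMPLE_LOG = """\
2012-10-24T09:12:03 store-017 switch LINK-DOWN port=Gi1/0/6
2012-10-24T09:13:10 store-017 switch LINK-UP port=Gi1/0/6 mac=00:1b:44:11:3a:c2
2012-10-24T14:02:51 store-017 switch LINK-DOWN port=Gi1/0/5
2012-10-24T14:03:40 store-017 switch LINK-UP port=Gi1/0/5 mac=de:ad:be:ef:00:01
2012-10-24T14:05:12 store-017 fw CONNECT src=10.17.0.21 dst=203.0.113.10:443
2012-10-24T23:41:08 store-017 fw CONNECT src=10.17.0.21 dst=198.51.100.7:443
"""

if __name__ == "__main__":
    for a in run(SAMPLE_LOG.splitlines()):
        print(f"[{a.severity}] {a.store}: {a.reason}" + (f" ({a.ticket})" if a.ticket else ""))
```

The sample produces four alerts: an informational one for the swap covered by ticket HD-4471, a high-severity one for the unticketed unplug, a high-severity one for the unrecognized MAC that appears on that port, and a critical one for the terminal's connection outside the processor range. The egress check is the backstop that matters most: a MAC address can be copied onto a substitute device, so the MAC filter should be treated as a tripwire that is paired with the unplug and egress alerts rather than as a control that stands on its own.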