RH-ISAC BLOG

Detecting and Responding to POS Skimmers and Shimmers

Author: Scott Tenaglia, Research Director at Two Six Labs

The Growing Threat of POS Skimmers and Shimmers

Point-of-Sale skimmers and shimmers are a pervasive and growing threat to retailers.

Global losses from all forms of credit card fraud are estimated by The Nilson Report to exceed $32 billion in 2019. One fast-growing type of fraud impacting retailers is the use of POS skimmers and shimmers. Secretly installed by criminal actors on top of credit card terminals to intercept card swipes and dips, these devices can circumvent all technical controls of a retail store, enabling the undetected and widespread theft of customers’ credit card data.

Criminal activity involving these devices creates for the retailer a complex range of risks, responsibilities, and uncertainties. For example:

  • If it happens in your store, how do you respond?
  • What are your risks? And what are your reporting requirements?
  • How would you investigate?
  • How can you determine what damage was done and how much data was stolen?
  • Is it possible to proactively detect these devices before a data breach occurs?

Upon discovery of a skimmer or shimmer, the victim organization will be forced to consider these questions and more, including the implications and obligations for store managers and staff, asset protection teams, IT security, C-Suite executives and Boards of Directors.

Despite the increasing prevalence and complexity of these threats, there remains a lack of sophisticated services and technological solutions available to companies at risk.

Current methods for detection and mitigation involve implementing best practices and physical countermeasures that do not holistically address the threat. These methods may require extensive employee training and generally are non-scalable, manual efforts that are outmatched by criminal adversaries. Proactive detection often is limited to periodic penetration testing and regulatory or compliance initiatives.

Fortunately, more advanced technology services are now available to defeat this type of criminal activity. Deep forensic investigation of the skimmer or shimmer can pinpoint its capabilities and operating time, as well as identify data loss and assist with breach response, reporting and risk mitigation.

These services can be easily integrated into standard incident response plans and performed in coordination with a retailer’s CISO office and security teams, as well as legal counsel, regulators and law enforcement agencies.

Additionally, at least one new proactive detection technology is emerging to enable retailers to continuously monitor for skimmers and shimmers operating within a store. The goal is to help prevent a harmful data breach before it occurs, and thus avoid the many associated risks, complications and costs.

To learn more, attend the breakout session “Responding to POS Skimmers and Shimmers” at the 2019 Retail Cyber Intelligence Summit. Scott Tenaglia, Research Director at Two Six Labs, will present real-world case studies and details from forensic investigations of POS skimmers found in the stores of a leading global retailer.

The session is on Wednesday, September 25 at 1:20pm. Space is limited. For more information, visit https://summit.rhisac.org/.

This blog is part of our Retail Cyber Intelligence Summit sponsor series. Check back on our blog for more posts from our Summit sponsors!