Card Skimmers Found On Florida Nordstrom’s Cash Registers

November 5, 2013

Just caught an article from last month, where a group of men installed card skimmers on cash registers in a Florida Nordstrom. The registers used the PS/2 port on the PCs for keyboard entry, so any text sent to the register would be captured by the skimmer. Unfortunately, the keyboards used generally have the credit card reader built into the keyboard, which means credit card data was being sent as plain text through that same port. That’s a really big risk for cardholders and for Nordstrom.

I’m not sure how they were able to hot install a PS/2 device without having to reboot the PC. In my experience, unplugging a PS/2 mouse or keyboard usually meant you had to reboot the PC to re-establish the connection. But they were able to get the skimmer installed somehow, so that’s a threat right there. I’m also amazed that PS/2 is still being used in industry. When I started, support handled a 50/50 split between PS/2 and USB-based keyboards and input devices. Today, it’s closer to 95% in favor of USB. It’s just easier to use and troubleshoot.

Anyway, as I’ve mentioned in previous posts, if third parties have access to your POS system, they have access to everything on it, including credit card data. It doesn’t matter if your processing software encrypts it before it shoots it off to the internet, the data is still available at some point on the computer. That’s why companies like MagTek have created great products like the Dynamag, which can encrypt the data in the MSR itself before sending it to the PC. So even if it does get compromised, all the thieves get is a garbled mess.
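To make the point concrete, here is a small check a merchant or PCI assessor could run over whatever the register's keyboard interface carries. This is an added example, not code from the original post or from MagTek. It parses ISO 7813 Track 2 data as a keyboard-wedge MSR would type it (the `;PAN=expiry...?` framing and the Luhn check digit are the public standard), reports any Luhn-valid PAN in masked form, and shows that the same scan over an encrypting reader's output finds nothing. Both input streams are constructed samples: the plaintext one uses the well-known 4111 1111 1111 1111 test card number, and the encrypted one is placeholder ciphertext hex with a made-up key serial number, not the actual Dynamag output format.

```python
import re

# ISO 7813 Track 2 as a keyboard-wedge reader types it:
#   ;<PAN>=<YYMM><service code><discretionary data>?
# The Luhn check below filters out random digit runs that only look like a PAN.
TRACK2_RE = re.compile(
    r";(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})?(?P<disc>[0-9=]*)\?"
)


def luhn_ok(pan: str) -> bool:
    """Return True if the digit string passes the Luhn check (ISO/IEC 7812)."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only first six and last four digits, the usual PCI masking rule."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_plaintext_cards(stream: str) -> list:
    """Scan a captured keystroke stream for Luhn-valid Track 2 card data.

    Returns one dict per finding with the PAN masked; raw PANs are never
    returned so the report itself does not become cardholder data.
    """
    findings = []
    for m in TRACK2_RE.finditer(stream):
        pan = m.group("pan")
        if luhn_ok(pan):
            findings.append({
                "masked_pan": mask_pan(pan),
                "expiry": m.group("exp"),
                "offset": m.start(),
            })
    return findings


# Constructed sample 1: keystrokes from a keyboard with an integrated MSR.
# Item entry, quantity, then the swipe, all on the same PS/2 or USB HID stream.
WEDGE_STREAM = (
    "SKU 884412\t1\r"
    ";4111111111111111=2512101123450000?\r"
)

# Constructed sample 2: what an encrypting reader hands the PC instead.
# The ciphertext and key serial number (KSN) here are placeholders, not a
# real Dynamag frame; the point is that no PAN appears in the clear.
ENCRYPTED_STREAM = (
    "SKU 884412\t1\r"
    "ENC=7F3A91C0DE55B2A8E4F61D0C93AB7E5F"
    "1C2D8E0A4B6F9D3E7A5C1B2D4E6F8A0C"
    ";KSN=FFFF9876543210E00001\r"
)


if __name__ == "__main__":
    print("keyboard-wedge reader:", find_plaintext_cards(WEDGE_STREAM))
    print("encrypting reader:    ", find_plaintext_cards(ENCRYPTED_STREAM))
```

Run as-is, the first scan reports one masked card (`411111******1111`, expiry `2512`) at the byte offset where the swipe landed, while the second reports nothing: with encryption done inside the reader, everything that crosses the keyboard port is opaque to a skimmer and to any software on the PC, which is exactly the property the post is describing.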

With PCI compliance becoming more prevalent, and merchants facing fines for data loss, doing what you can as a business owner to mitigate the damage now is a great way to avoid paying a steep fine later. We have the Dynamag available for a little over 50 dollars, and your merchant account provider can usually encode it for a nominal fee, or even for free. That seems a lot cheaper than a $20,000 fine for a data breach.
