You are a retail business. You have spent a small fortune in time and money to upgrade your systems and have now achieved that holy grail – PCI DSS compliance. Do you sit back and relax, safe in the knowledge that you have achieved security nirvana and that fraud will never show its ugly face in your business again? Well, not quite.
PCI DSS compliance has its limits
The issue is that PCI DSS compliance by its very nature can’t be all-encompassing. It deals with payment card data (credit, debit, payment, pre-pay etc.) and the flows of this information through your business. Anything not directly related to credit and debit card data is considered out-of-scope. After all, the PCI DSS standard was created by the likes of VISA, MasterCard, Amex, Discover and JCB, so naturally their key priority is in keeping payment data safe and secure.
But recent technology developments demonstrate that fraud (like water) always seeks the path of least resistance and does not differentiate between in-scope and out-of-scope areas of a business. A recent story beautifully combines payment, loyalty and fraud with a dash of new technology and a pinch of sub-standard implementation to show us the limits of achieving PCI DSS compliance.
Starbucks have recently introduced iPhone and Blackberry Apps for their Starbucks Card Rewards loyalty program. All you do is launch the App on your smartphone, get the phone screen (showing a barcode) scanned by the Starbucks employee and enjoy your tall skinny extrawhip half-caf double caramel macchiato. The App does the rest, as it is matched to your account, which in turn is matched to your credit/debit card details. Thus money is taken out and loyalty points are added in automatically. Simples!!
The issue arises from the fact that the barcode in question is not of the dynamically generated variety, but is static and valid for the life of your Starbucks Card Rewards loyalty membership. This means that if someone else got hold of this barcode, they too could get free coffee on your account. But how is this done?
The scam is technically reasonably simple to pull off. All the miscreant needs is access to a mark’s unsecured (i.e. not PIN or pattern protected) smartphone for at least 90 seconds. All the fraudster then needs to do is:
- Launch the app
- Hit the mobile equivalent of “print screen”
- Send themselves the resulting screen grab via email or MMS
- Delete the sent MMS or email from the sent folder to erase any trace of the subterfuge
- Replace the handset to where it was found
From then on, all the criminal needs to do is load the image onto their phone and get that image scanned at the till, so that they too get to enjoy watery coffee, cakes and whatever else Starbucks sells on the bill of the unaware victim.
Much ado about nothing
But wait, I hear you cry, there are a lot of caveats to pulling off this ruse. The smartphone needs to be unprotected (e.g. no password), it needs to be left alone in a public place for at least 90 seconds, the ne’er-do-well needs to have a phone with an identical resolution screen… and all of this for some free coffee. Many of you will correctly point out that most fraudsters probably won’t bother to go to all of this effort for such a small reward.
And you may well be right. Yes, the scam does have severe limitations, but it does demonstrate that companies do need to take care in introducing new technologies in order to minimise the chances of fraud. After all, as the above app does not store or disclose any payment information, it does not contravene the PCI DSS compliance status of the company. But that does not make it fraud-proof.
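One way to build the dynamically generated barcode that the static one is contrasted with above, shown as an added example rather than Starbucks' or the author's code. It assumes a per-member secret provisioned to the app at enrolment and a barcode that carries the member id plus a short code; `barcode_code`, `Till`, the 30-second window and the sample secret are all hypothetical.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds a displayed barcode stays valid (assumed value)
DIGITS = 8   # decimal digits encoded into the barcode payload

def barcode_code(secret: bytes, now: float) -> str:
    """App side: derive the code for the current time step (HOTP-style truncation)."""
    counter = int(now // STEP)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10**DIGITS:0{DIGITS}d}"

class Till:
    """Server side: checks that a scanned code is fresh and not yet redeemed."""
    def __init__(self, secrets_by_member):
        self.secrets = secrets_by_member
        self.last_counter = {}  # member -> highest time step already redeemed

    def redeem(self, member: str, code: str, now: float) -> bool:
        secret = self.secrets.get(member)
        if secret is None:
            return False
        current = int(now // STEP)
        # Accept the current and previous step to tolerate small clock skew.
        for counter in (current, current - 1):
            if counter <= self.last_counter.get(member, -1):
                continue  # step already redeemed: a copied image is rejected
            expected = barcode_code(secret, counter * STEP)
            if hmac.compare_digest(expected, code):
                self.last_counter[member] = counter
                return True
        return False

if __name__ == "__main__":
    secret = b"constructed-demo-secret"   # constructed sample value
    till = Till({"member-1": secret})
    t0 = 1_700_000_000                    # constructed timestamp
    shown = barcode_code(secret, t0)
    print("owner scan:", till.redeem("member-1", shown, t0 + 5))
    print("same image again:", till.redeem("member-1", shown, t0 + 6))
    print("image after 5 min:", Till({"member-1": secret}).redeem("member-1", shown, t0 + 300))
```

A screen grab of such a barcode stops working once it has been redeemed or its time window has passed, so a copied image no longer grants standing access to the account.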