Insider Threats: Reduce the Risk from Malicious Employees

There have been numerous news stories about employees stealing credit card information before it is even entered into your information systems.  These are usually occurring out on the sales floor.  You can be fully compliant with the PCI DSS, but most of the offenses we are talking about occur outside the scope of what those requirements are designed to protect against.

The following types of scenarios are happening every day at merchants worldwide:

  • Wait staff and cashiers colluding to collect or skim card numbers from patrons for personal gain.
  • Cashiers taking credit cards that have been accidentally left behind and then using them.
  • Criminal networks using wait staff to collect card numbers with hand-held skimmers.
  • Cashiers writing down credit card information or making carbon copies of credit cards.

The Verizon 2010 Data Breach Investigations Report found that 48% of breaches are due to internal agents and 51% of those are perpetrated by regular employees or end-users.  The University of Florida conducted an inventory shrinkage study in 2009, and found that the highest source of inventory shrinkage, 43%, was due to employee theft.  What are these figures telling us?  That the risk of having malicious insiders within your organization is relatively high and we should probably do something to try to reduce it.


What’s going on here?

Not all employees are bad, of course; some of them just succumb to temptation out of desperation, and because committing credit card fraud or stealing a few numbers is easy to do.  Criminal networks like to approach lower paid service staff such as cashiers, bartenders, and wait staff because it can be easy to coerce them to hand over a few card numbers for $50 a pop.  Maybe some people just like the thrill that goes with it.  Others just do not have any money to spend and figure it will be more convenient to use someone else’s funds.  Just like with any other crime, there needs to be means, opportunity, and motive.  Let us define these and see how they apply to credit card theft.

Means – Does someone have the ability to steal credit card information? What do they need to do this?  A cashier or waiter armed with a low-tech device such as pen and paper or a high-tech handheld skimmer has the tool required to commit the crime.  Here are a few shots of what these may look like:

Opportunity – Does someone have the chance to steal credit card information? Every time a customer hands over their credit card to make a payment, an opportunity presents itself. Think about every time you put your card in a folio on a restaurant table and watch the waitress take off into the back to settle your bill. Is there a difference when you hand over your credit card at a checkout counter and see the cashier making a transaction? Have you ever even thought about it?

Motive – What are the reasons someone would steal credit card numbers? Criminals always have different motives for their crimes, so a specific motive is hard to detect and identify before the crime is actually committed. Examples of common motives include low wages, poor working conditions that leave staff disgruntled, a need for quick access to money in desperate times, and so on.


How can this affect my business?

While the percentage of insider theft of credit card data is pretty high, the actual number of reported card numbers that have been compromised through employee skimming and theft is low compared to those due to breaches of information systems containing central repositories of credit card data. Does that mean we should ignore it? Not at all. Imagine how easy it is to do, and the likelihood that many instances of these crimes go unreported because they are not detected by the cardholder. Some people don’t check their statements thoroughly and some criminals are smart enough to try to make their malicious activities as unnoticeable as possible by making only small charges or just selling off the information.

Cardholders are typically not liable for unauthorized charges; however, it could take time for someone to discover that they have fraudulent charges on their account. It is very inconvenient to go through the process of reporting the fraud, monitoring your credit report, getting a new credit card, etc. Be honest: if you found out where your card number was stolen you’d most likely be a bit upset and use a lot of expletives when talking about that shop or restaurant in the future. You may decide you don’t want to shop or dine there anymore, and you’ll probably tell a lot of people about what happened, where it happened, and why you don’t think it’s safe to shop there anymore. Do you think this can have any ill effects on the organization’s reputation? What about future revenue? How about any financial or legal liability? Potentially, the answer could be yes to all of these questions.


What can I do?

A multi-pronged approach is recommended to help to reduce the risks of credit card skimming and theft by insiders at the point of customer interaction. The approach includes a comprehensive awareness program for staff and managers, visual monitoring, and background checks.

Awareness: Reduce the Means – Employees and managers that interact directly with customers at the point-of-sale need to understand what to look for, who to report incidents to, and what the consequences are for this type of theft.  There are additional activities that should be done to fight card theft: develop, implement, and enforce policies that discuss what is required of personnel who handle credit card information.  Provide the employees with periodic training and give them examples of what to look for such as suspicious activity, identification of skimmers, or other unauthorized devices at the point of sale. Report and prosecute the offenders to ensure everyone knows the consequences. A few resources that you can use and reference include the following:

PCI Security Standards Council Information Supplement: Skimming Prevention – Best Practices for Merchants

Visa Data Security Bulletin: How to Protect Your Business and Your Customers from Data Fraud

Visual Monitoring: Reduce the Opportunity – When people know they are being watched, they tend to curb their malicious behavior or at least think twice about it. Cameras can be set up to watch the areas where transactions take place. Perform credit card clearing processes in public areas. For example, restaurants should have the staff clear the transactions at the table using authorized mobile devices or at a point of sale that is in clear view of the patrons. Do not make them go into a back area where no one can see what they are doing. Try using systems and processes where the credit card does not leave the customer’s hand. If they swipe it themselves, it can’t be physically stolen.

Background Checks: Reduce the Motive – It is interesting to note that PCI DSS requirement 12.7 does not make background checks a requirement for personnel who have access to only one card number at a time such as cashiers, waiters, etc. Fortunately, many of the retailers we’ve assessed do have some type of process in place for employees at the point of sale mainly due to loss prevention practices. The National Retail Mutual Association (NRMA) maintains a Retail Theft Database that can be used by merchants to conduct retail related background checks. Information from member companies is collected and shared to report on incidents including credit card theft. Many of the employees identified in the reports have no criminal records so this is a great tool to identify high-risk personnel before they are hired. It is also a good idea to ensure your managers maintain good working relationships with their staff and try to identify when they are having problems that affect their performance and attitude. If employees feel respected and valued, they’ll do the same for the organization.


How can SecureState help?

As always, SecureState is here to help if you have any questions or need assistance in developing and implementing comprehensive PCI and cardholder security controls.
