Pin Pad Found Vulnerable to Skimming Attacks
Visa has recently been alerted to another point-of-sale (POS) PIN entry device that is vulnerable to skimming attacks in the US. This most recent compromise involves the eN-Crypt 2400, also known as the C2000 Protégé, manufactured from 1992 to 2002 by Ingenico, Inc.
This POS PED was compromised with tapping mechanisms installed to capture PIN and card data. While the situation is being addressed at the merchant location, Acquirers, merchants and processors are advised to be aware of the circumstances of the attack in case other merchants become affected.
As the criminal sector becomes more familiar with the older implementations of PIN Entry Devices, Acquirers must ensure that merchants have upgraded their POS devices or replaced them with more advanced products that incorporate current security features set out for the transaction industry.
There are two variations of the skimming attack, both of which allow the capture and disclosure of card account data and PINs:
- Knowledgeable individuals, representing themselves as service technicians at the merchant location, modify active PEDs by inserting tapping devices to capture PINs without removing the PEDs from service. Security weaknesses of these PEDs allow the perpetrators to modify the devices without leaving tamper evidence (noticeable physical damage to the PED) and without triggering the tamper response that would disable the PED by “zeroizing” its cryptographic keys.
- Criminals use a technique involving two PEDs. They take an active PED and remove the internal operating circuitry from the casing without triggering any tamper response. They then attach a tapping device to the PED circuitry, discard the damaged casing, place the internal circuitry with the tapping device into a new casing, and place the PED back into service. Security weaknesses of these PEDs allow the perpetrators to access and then modify the devices without “zeroizing” the cryptographic keys and disabling the PED.
VULNERABLE POS PIN ENTRY DEVICES
In addition to the Ingenico eN-Crypt 2400/C2000 Protégé device, merchants should not deploy any of the following POS PEDs, which are also known to be vulnerable to compromise:
- Verifone PIN pad 101 and 201
- Verifone PIN pad 2000
- Hypercom S7S and S8
Approved PIN pads are:
- Verifone PIN pad 1000SE - Triple DES encrypted
- Hypercom S9 - Triple DES encrypted
The Visa PIN Security Tools and Best Practices for Merchants brochure is available online at www.visa.com/pin. For information regarding Merchant Services and upgrading a PIN pad, contact NTC Texas at 877-877-6511.