Earlier this year, the European ATM Security Team (EAST) reported on a criminal gang that had been apprehended, who were known to use "Ghost Terminals"; a standard point of Sale (POS) terminal that had been modified to harvest card data (link to the article
is
here).
With this particular incident these terminals were utilised in Taxi's, where the cardholder would pay for the fare by card, and during the transaction the ghost terminal would copy the magnetic stripe and store the PIN entered by the cardholder.
This will undoubtedly cause a problem with Issuers, as once fraud is detected on a card the first course of action is to determine where the point of compromise is. However, with these ghost terminals the transaction will never go online and is in effect
a non existent transaction. The terminal in essence is a shell only, which acts and behaves like a terminal but never performs a transaction. And as the terminal is not connected to the acquirer, they will not be in receipt of any error messages that may indicate
that the terminal is not performing correctly. Such devices could be utilised in many ways, in taxi's, at outdoor events, pop up shops, etc.
The fraudsters are essentially giving away stock or services for free in the knowledge that they can reap better rewards through utilising the stolen card information fraudulently. The cardholder has no idea it is not a legitimate transaction; as far as
they are concerned, they have made a transaction and either got a receipt, or a message on the terminal screen of a connection error and paid by cash.
Ultimately, this is a very sophisticated variation of a skimming attack, and it goes to show that there is still opportunity for fraudsters to facilitate this. For example, over the last few years, consumers have become very aware of the anti-skimming kit's
applied by banks to their ATMs. These anti-fraud devices are very prominent, and designed to make consumers and fraudsters aware that the ATM it is applied to is protected. However, with the advent of 3D printing, there have been reports of 3D prints that
are similar to those anti-skimming devices being submitted to 3D printing companies for manufacture. In those cases, the manufacturer was alert enough to not perform the print due to its possible use in criminal activity, i.e. to support a skimming device.
Now that 3D Printers are on the market place, with some high end printers able to print at high definitions, the potential to block the print through a manufacturer is reducing. The opportunity for fraudsters to exploit this improving technology has to be
seen as a risk.
Elsewhere, with the level of technologically advancement reducing the size of components, skimming devices are reducing in size. There is no long a need for fraudsters to fabricate an entire false front of an ATM, when technology allows the fraudster to
build a skimming device with wireless capability to send the data elsewhere. Also, with the utilisation of Unattended Payment Terminals (UPT) there is further opportunity to target devices that are invariably in areas that are not monitored closely, e.g. unattended
petrol stations or Car Washes that are in locations such as industrial estates. Such sites, if not monitored fully are extremely attractive to fraudsters.
So, ultimately, while card skimming seems to be an old technique, it is still very much part of a fraudsters arsenal. And as components reduce in size, and technology to transmit and store data improves; it will still very much be a problem for issuers to
contend with.