15 September 2014

Identity Theft Expert

Robert Siciliano - IDTheftSecurity.com


Protect your Cards from Multiple Kinds of Skimmers

12 June 2014  |  1654 views  |  3

PIN may sometimes stand for pilfered identification number if a hacker gets yours. And it’s easier than ever for thieves to get your PIN from an ATM, because they keep coming up with clever ways to beat security technology.

 

The “primitive” way to get your card number is to manually place a phony card reader over an ATM card reader and then come back to retrieve it. Now it’s being done wirelessly via Bluetooth and SMS tech built into the skimmer. Coupled with wireless cameras and keypad overlays, getting your PIN is easier than ever.

They’re also brazen enough to land jobs that will grant them ATM access; they then install malware that can transmit your PIN to their personal device. The memory chips and transmitters used for PIN theft are thinner and lighter these days, which helps them go undetected.

The crime of ATM skimming racks up $350,000 a day.

  • Wedge skimming. An employee runs a card through a card reader tool that transfers data from the card’s stripe. The crook downloads this to his device, then burns the data onto a phony card or uses the data to place online or phone orders.
  • Fake ATMs. The crook installs the phony machine in a place that will attract users like a saucer of honey will attract bees. The machine will read and copy tons of data.
  • ATM skimming. The thief fits a card reader onto an ATM or gas pump card reader. The very inconspicuous reader may have wireless technology. This crime often comes with installation of secret pinhole cameras nearby to capture the consumer’s PIN.
  • Data intercepting. A thief poses as a gas pump serviceman and unlocks it with special keys, then plants a device inside that reads all the customer cards’ unencrypted information.
  • Point of sale swapping. The skimming device is placed at the terminal where you make a purchase. Even busy places like McDonald’s have been targeted.

These smart criminals can copy skimmed credit card data on gift cards, blank cards, hotel cardkeys or white cards, the latter being quite useful at self-checkouts. Protection comes in the form of:

  • Anti-Skim Security built into the ATM from the factory or as an add-on solution, which is installed inside the machine
  • Checking your statements every day via a smartphone app or every week online or monthly via your paper statement for suspicious transactions
  • Challenging questionable transactions right away
  • Concealing the keypad with your other hand when entering your PIN
  • After handing an employee your card, keeping a close eye on it. Don’t let the employee leave your sight with your card.

A crook (often a store employee in this case) can also nab your data with a handheld skimming device like the “wedge” listed above.

The Many Faces of Skimming

  • Remember, the phony skimming device that’s attached to the card reader goes undetected by the consumer, unless the consumer is well-versed in this kind of crime and knows what to look for.
  • The crooked employee gets your information, then sells it.
  • Thieves can now get the data via wireless technology like Bluetooth, eliminating the risk of getting caught at the machine.
  • Pinhole cameras can be placed anywhere close by, such as in a brochure holder.
  • A crook may place a data capturing device over the keyboard to get PINs.

Get familiar with the ATM you use. Stick to the same machine so that it will be easier to spot something different about it.

 


Comments: (3)

Fred Pyziak - CIBC (Retired) - Toronto | 13 June, 2014, 14:22

If Banks and card issuers were to create an application as part of their mobile smart phone service that allows customers to "logically lock" their credit and debit cards in the Bank's logical vault when the card is not in use, this would shrink the availability fraud window. At the moment all cards are available 7/24/365 for use by both customer and fraud artist, here is the scenario .... Customer walks into store decides to buy with credit card, takes out smartphone logs in to his bank app and unlocks his card for use... Buys article and then locks the card back up into the logical vault, obviously can be done anytime when convenient .... All pre-authorized debits would be allowed through anytime whether in the logical vault or not. Can you imagine the competitive edge this would give a lead Bank with this type of customer security, provides customer with the security of knowing his card is safe when not in use by him and fraud artists would tend not to sell or ask for that Bank's cards on the open market .... Let's face it the CNP fraud is the largest segment of loss in Europe in 2011 it was almost 650 EUR MILLION ...... Why do cards need to be open all the time, mobile technology and the new generation of customers want control over their credit, let them have control of their security as well ..... When EMV gets rolled out to all Banks and countries the onus for fraud falls onto the customer and they become liable for losses not the Bank ..... Time to get with the capabilities of ubiquitous mobile capability and give control to the customer ...... The CNP fraud would drop for those Banks with customer Logical Vault for their cards ......

Matt Scott - Wincor Nixdorf International GmbH - Bracknell | 15 June, 2014, 22:37

What about augmenting 3DSecure with a one-time-use password (delivered by SMS) for CNP transactions? Also - the 'Card lock' whilst sounding like a good idea could rapidly turn into a customer service nightmare - especially if you apply insufficient security to the service API.

Fred Pyziak - CIBC (Retired) - Toronto | 16 June, 2014, 00:38

Matt ... it goes without saying that appropriate security would have to be a part of any API of this nature, most mobile Banking platforms that I'm aware of are very secure, it's the cards that are not (even CHIP has been compromised - see Cambridge University Labs report).... like I said take a look at the cost of CNP in Europe ..... the "customer nightmare" is the fraudulent use of your card .... even if the customer was able to block their card via mobile that's much faster than phoning a CSR to do it .... I'm assuming that this type of service would be on a voluntary basis by customers who are tech savvy and who understand mobile technology ... (the next Gen X) ... regards ... the rise in CNP speaks for itself
