A post relating to this item from Finextra:
13 May 2009 | 10235 views | 0
New York police are on the hunt for a gang of thieves accused of using ATM skimming technology to steal account details and PIN numbers before withdrawing over $500,000.
Recently, a targeted
crime spree hit Staten Island with 250 Sovereign Bank customers caught up in a never-ending technological arms race between criminals and the rest of us. This time it wasn’t the latest hacker sitting at a far away computer in the middle of the night.
Rather it was a small gang that used skimming technology and video cameras to compromise the accounts and make off with over $500,000. But for the alertness of Microsoft "evangelist",
Sean Siebel who spotted the scam while doing his own personal banking, it probably would have been millions lost before detection.
According to banks, skimmers are
rarely spotted in the wild, yet after seeing Sean on the news, another New Yorker spotted another skimmer at a Chase branch. The branch manager hadn't heard of the scam.
We see national news headlines about breaches and individual customer information being stolen by faceless entities in far-away lands. We assume these scams require tech prowess and amazing skill, but it usually turns out to be as simple as a mirror and hidden
video camera. Many times the response to these attacks is to
add more features and functionality to our technology. In the case of credit cards, the focus has been on Chip and PIN, especially in Europe. Soon, even more sophisticated 2-factor authentication is coming through cards with built-in single use PIN generators.
Unfortunately, as this story shows, even the most advanced technology is easily subverted by cheap tools you could purchase at Best Buy or download for free, together with a small amount of ingenuity. The problem is that we place too much trust in the technology,
and not enough in being alert, observant and careful. In fact, the more we rely on technology to do our thinking for us, the more complacent and vulnerable we become.
The lesson: if your security approach is purely based on a better technology mousetrap, you are a breach waiting to happen. Don't forget to educate your people, understand the risks you face, and always assume that the criminals will find a way around whatever
technology barriers you erect.