ATM skimming: The perils of plastic
ATM skimming is the new wave of cyber crimes
ATM skimming is the new wave of cyber crimes. DESIGN : HIRA FAREED
Automated Teller Machine (ATM) skimming — an illegal activity in which account details are stolen from the magnetic strip contained on the back of the debit card using an electronic skimming device placed over the card entry slot — has been around for a while.
The cyber crime recently shook Pakistan when customers of a prominent multinational bank had Rs50,000 stolen from their accounts after a hacking attempt from England on the bank’s ATMs. It is still unclear how many of the bank’s customers were impacted by the hacking attempt but one of bank’s spokespersons assured the affected customers that they would be reimbursed for the stolen money.
Skimming incidents
• In January 2014, 13 men were indicted in the US for using Bluetooth-enabled skimmers to steal more than $2 million (a little over Rs203 million) from gasoline stations.
• The Aite Group USA has reported that in 2010, the average loss from skimming was $30,000 (Rs3,058,650) which rose to $50,000 (Rs5,097,750) in 2011.
• In July 2011, a global investigation lead by Europol resulted in the outbreak of an organised crime ring suspected of skimming more than 15,000 credit and debit cards. The group, based in Bulgaria, with links to the US, South Africa, Kenya, Italy, Spain and Poland, was responsible for losses of more than €50 million (a little over Rs560 million).
• The US Secret Service estimates that annual losses from ATM fraud totalled about $1 billion (a little over Rs101 billion) in 2008.
Different types of skimming
• Point-of-sale (POS) skimmer: This involves the theft of debit card information while making an otherwise legitimate transaction. There is a possibility that the person at the counter might have hidden a skimming device inside the POS machine. If the merchant informs you that the machine is not working or the network is not responding, make sure to verify this. Another technique adopted by skimmers is to use a handheld POS skimming device. This is commonly used by waiters in restaurants to swipe a card and record one’s data while taking it to the cashier to prepare the bill.
• Card trapping: The perpetrator places a device on the card entry slot of an ATM which physically captures the card to retrieve later. Meanwhile, the PIN is captured by either a camera or a keypad overlay. The consumer leaves the ATM believing that his/her card has been captured. The card is then used to make fraudulent cash withdrawals.
• Cash trapping: This is a method through which cash is trapped while being dispensed by an ATM during a transaction. A device is attached to the ATM so that when the cash is about to come out, it gets trapped by the device. In this type of skimming, a false front is placed over the shutter of the dispenser using adhesive tape.
• Inspect an ATM before using it. Be cautious if you see anything loose and/or damaged or if you notice scratches or adhesive tape.
• Before inserting the card into an ATM, just give the front panel a little push to ensure that it is part of the machine. If the skimmer gets detached, immediately inform the bank or the police.
• Cover the keypad with your hand while entering the PIN.
• Regularly update your PIN via an ATM.
• Try to use ATMs located inside banks since it is difficult for perpetrators to install skimmers
in the presence of the bank’s security staff.
• Ask customers to verify their identity in order to ensure that the card being presented belongs to the person using it.
• Banks should conduct surprise inspections of POS equipment to check if anything has been tampered with.
• Do not give access to POS equipment to anyone claiming to be a technician. Request the technical support engineer to show some identification first.
• Maintain a list of all the devices with serial numbers and develop a routine to inspect the devices on a regular basis.
• Randomly change employees handling POS equipment to eliminate collusion.
• PINs should be time-barred, after which an ATM or the bank should prompt the user to change it.
• Banks need to ensure continuous monitoring of their ATMs’ cameras.
• ATM manufacturers have tried a variety of anti-skimming technologies which include green or blue semi-transparent plastic casings that protrude from the card slot to prevent thieves from attaching skimmers.
• Since most perpetrators focus their attention on lifting data from magnetic strips, more than 90% of European ATMs have shifted to the ‘chip and pin’ approach, also known as the EMV (Europay, MasterCard and VISA) standard. EMV is a two-factor authentication protocol in which the chip and PIN authenticate the user.
• Appropriate lighting should be used to facilitate monitoring capabilities of surveillance cameras.
• Cameras should be positioned in such a way that they capture the area around the keypad without recording or viewing the PINs entered.
Omar Safdar has served in the Pakistan Army for over twenty years and is a certified protection professional (CPP). He specialises in the fields of loss prevention and corporate security. He tweets @omarsafdar_CPP
Published in The Express Tribune, Sunday Magazine, April 5th, 2015.
The cyber crime recently shook Pakistan when customers of a prominent multinational bank had Rs50,000 stolen from their accounts after a hacking attempt from England on the bank’s ATMs. It is still unclear how many of the bank’s customers were impacted by the hacking attempt but one of bank’s spokespersons assured the affected customers that they would be reimbursed for the stolen money.
Skimming incidents
• In January 2014, 13 men were indicted in the US for using Bluetooth-enabled skimmers to steal more than $2 million (a little over Rs203 million) from gasoline stations.
• The Aite Group USA has reported that in 2010, the average loss from skimming was $30,000 (Rs3,058,650) which rose to $50,000 (Rs5,097,750) in 2011.
• In July 2011, a global investigation lead by Europol resulted in the outbreak of an organised crime ring suspected of skimming more than 15,000 credit and debit cards. The group, based in Bulgaria, with links to the US, South Africa, Kenya, Italy, Spain and Poland, was responsible for losses of more than €50 million (a little over Rs560 million).
• The US Secret Service estimates that annual losses from ATM fraud totalled about $1 billion (a little over Rs101 billion) in 2008.
Different types of skimming
• Point-of-sale (POS) skimmer: This involves the theft of debit card information while making an otherwise legitimate transaction. There is a possibility that the person at the counter might have hidden a skimming device inside the POS machine. If the merchant informs you that the machine is not working or the network is not responding, make sure to verify this. Another technique adopted by skimmers is to use a handheld POS skimming device. This is commonly used by waiters in restaurants to swipe a card and record one’s data while taking it to the cashier to prepare the bill.
• Card trapping: The perpetrator places a device on the card entry slot of an ATM which physically captures the card to retrieve later. Meanwhile, the PIN is captured by either a camera or a keypad overlay. The consumer leaves the ATM believing that his/her card has been captured. The card is then used to make fraudulent cash withdrawals.
• Cash trapping: This is a method through which cash is trapped while being dispensed by an ATM during a transaction. A device is attached to the ATM so that when the cash is about to come out, it gets trapped by the device. In this type of skimming, a false front is placed over the shutter of the dispenser using adhesive tape.
• Inspect an ATM before using it. Be cautious if you see anything loose and/or damaged or if you notice scratches or adhesive tape.
• Before inserting the card into an ATM, just give the front panel a little push to ensure that it is part of the machine. If the skimmer gets detached, immediately inform the bank or the police.
• Cover the keypad with your hand while entering the PIN.
• Regularly update your PIN via an ATM.
• Try to use ATMs located inside banks since it is difficult for perpetrators to install skimmers
in the presence of the bank’s security staff.
• Ask customers to verify their identity in order to ensure that the card being presented belongs to the person using it.
• Banks should conduct surprise inspections of POS equipment to check if anything has been tampered with.
• Do not give access to POS equipment to anyone claiming to be a technician. Request the technical support engineer to show some identification first.
• Maintain a list of all the devices with serial numbers and develop a routine to inspect the devices on a regular basis.
• Randomly change employees handling POS equipment to eliminate collusion.
• PINs should be time-barred, after which an ATM or the bank should prompt the user to change it.
• Banks need to ensure continuous monitoring of their ATMs’ cameras.
• ATM manufacturers have tried a variety of anti-skimming technologies which include green or blue semi-transparent plastic casings that protrude from the card slot to prevent thieves from attaching skimmers.
• Since most perpetrators focus their attention on lifting data from magnetic strips, more than 90% of European ATMs have shifted to the ‘chip and pin’ approach, also known as the EMV (Europay, MasterCard and VISA) standard. EMV is a two-factor authentication protocol in which the chip and PIN authenticate the user.
• Appropriate lighting should be used to facilitate monitoring capabilities of surveillance cameras.
• Cameras should be positioned in such a way that they capture the area around the keypad without recording or viewing the PINs entered.
Omar Safdar has served in the Pakistan Army for over twenty years and is a certified protection professional (CPP). He specialises in the fields of loss prevention and corporate security. He tweets @omarsafdar_CPP
Published in The Express Tribune, Sunday Magazine, April 5th, 2015.