Security Through Education

A free learning resource from Social-Engineer, Inc

Home

Leave a Comment

Social-Engineer Newsletter Vol 07 – Issue 96

Are You Being Skimmed?

 
 

Being skimmed at the ATM

ATM skimmers that steal card payment and PIN data aren’t a new phenomenon, but the scam is increasing in regularity. A Google News search revealed over 1700 articles about skimmers in the past thirty days, and there are probably thousands out there that haven’t been discovered yet. Some of the skimmers are custom made faceplates that attach over the existing reader, and look exactly like the real components underneath. Another type, called an insert-skimmer, is an extremely thin reader that thieves can insert inside the card reader. Unlike the overlay skimmers that may be found by jiggling the ATM pieces; the inserts can only be detected by a maintenance employee doing an internal inspection. Recently a newer interception device was discovered in Europe. Fraudsters actually drill a small hole and insert wires to the card reader internally, then cover the hole with an official looking decal. All of these are coupled with a pin-hole camera mounted on another part of the machine, is then used to capture the target’s PIN.

Being skimmed at the gas pump and retail outlets

Thieves have started adding skimmers to gas pumps and other point of sale (POS) systems recently. There have been over 300 discovered in Florida gas pumps this year already! Most skimmers at gas pumps are installed inside the pump, and some fraudsters are using fake security tape to mask the tampering. At POS terminals criminals use a look-a-like overlay that they can easily snap on top. Krebs did a really good write up on spotting overlay skimmers, by comparing the dimensions to normal ones.

How thieves are retrieving the data

Originally skimmed data was only able to be obtained by retrieving the skimmer from the machine, and many still operate in this manner. It’s riskier to the criminal to return to the scene again, so many have devised ways to retrieve the data remotely. The most sophisticated devices have GSM built in, and send encrypted texts of the card and PIN data to the criminals. Others have Bluetooth transmission availability that transmit to the criminal’s phone when they connect nearby; or transmit to a device hidden somewhere in proximity.

How you can protect yourself

At gas pumps and POS outlet:

  • Use well-lit pumps closest to the store, as they are more easily monitored by staff.
  • Report any signs of suspicious behavior or tampering immediately.  Look for intact security tape.
  • Use cash or pay inside when you can.
  • Hide your pin from view by covering the pin pad with your free hand
  • Use a credit card instead of a debit card.
  • Check your accounts frequently for fraud.
  • Use your cellphone to search for nearby suspicious Bluetooth devices at the ATM and gas pump.
At ATMs:
  • Hide your pin from view by covering the pin pad with your free hand
  • Jiggle the card insert slot to test if it’s a fake cover
  • Use ATMs that are in well-lit and high traffic areas
  • Have your bank restrict the amount and/or number of cash withdrawals you can make in one day.
  • Look for pinholes in the casing above the keypad, which may be hiding a camera.
  • (For the technically advanced) Rewrite the name on your credit card to “Gift Card”.  In large batches on the black market, it’s more likely to be tossed out than a card that lists “Joe Johnson”.

Written By: Laurie V.

Leave A Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Looking for a Good Book?

  

Become a newsletter subscriber