We live in a digital world so it’s only natural for bank robbers to move into the 21st century right alongside the rest of us. Armed robbers also face additional criminal charges for brandishing a weapon so stealing digital funds is simply less risky for criminals these days. So if old school crime doesn’t pay, what does?
Thieves have increasingly shifted to high-tech crimes such as hacking, identity theft, and skimming. Card skimming has found its way into many devices including ATMs, gas station pumps and even vending machines because once installed, each device will skim data from every card inserted. Famed security reporter and author, Brian Krebs, has been at the forefront of skimmer reporting for many years. His security blog regularly details the rise in ATM skimming including images of these seized devices, busted scams and security tips. Credit card alert service, FICO, saw a massive 546% increase in ATM skimming attacks from 2014-2015 with increases every year with no decline in sight.
Skimmers themselves are simplified card readers that are attached discreetly to actual payment terminals in a matter of seconds. Once attached, skimmers employ a simple magnetic reading head to skim data off every single card that is swiped. Pinhole cameras record video of corresponding PIN entries as well. All of this data is stored on a battery-powered device that is then retrieved by the thieves. Sometimes data is directly downloaded via a cable connection but wireless systems using Bluetooth are becoming increasingly popular. These wireless skimmers allow thieves to literally sit in their cars while collecting card data from distances up to 75 feet away.
Today, a standard magnetic striped card reader/writer including PC software can be purchased on eBay for under $50.
From there, the data can end up in the hands of other criminals willing to pay for it on the Dark Web or simply as a cloned card that will work in every ATM just like the original. Ever since the late 60s, magnetic stripes have been in use to communicate a range of data including financial transactions. Today, a standard magnetic striped card reader/writer including PC software can be purchased on eBay for under $50. This allows anyone with that data to simply burn a cloned version of any consumer’s debit or credit card. Since magnetic stripe technology is still a holdover from the 60s, it has no modern encryption means. To make matters worse, most EMV or Chip-and-PIN cards still include the magnetic stripe as a backup data repository for older POS (Point-of-Sale) systems so skimmers can still steal data from modern, encrypted EMV cards too. So if even the latest card technology is susceptible to skimming attacks, what’s a consumer to do?
Creditcards.com and many other websites list basic skimmer avoidance tips including paying for gas inside, concealing your PIN entry and choosing ATMs or gas pumps closest to lights and buildings. We’ve heard these tips before so I won’t dwell on them too much here, but one of the most effective defenses is using your ‘spidey-sense’. I’m not talking about an impending sense of danger (although any cash withdrawal situation could involve risks) but rather, a feeling that something doesn’t look or feel quite right. Since skimmers are physically placed over legitimate card readers, they tend to leave telltale signs of manipulation. Just like phishing emails written by non-native English speakers and writers can read strangely, an ATM with a crooked, loose or mismatched bezel color surrounding the card slot generally indicates subtle if not egregious tampering. But what’s a thief to do who doesn’t possess the design and installation finesse of Apple?
Cybercriminals have resources too. Some more permanent solutions involve Krazy Glue® to keep the bezel from shifting. On the Dark Web, a complete card skimmer kit can be purchased for a mere $1,000. Such kits include tutorial videos on installation and usage. For thieves on a budget, 3D printer files are also sold for them to print at home. This allows them to take their time in picking out the right 3D bezel file, modifying it where necessary and choosing the right color to match the target ATM’s design.
I’ve been in the wireless security business for many years so I’ve seen this cat and mouse gameplay out more times than I can remember. As soon as law enforcement deploys a solution, criminals deploy their own workaround solution.
Security researchers and academia tend to favor preventative and future solutions while many banks, gas stations and stores containing ATMs have a vested interest in saving money by making little to no change. But law enforcement needs tools right now to combat the problem. However, recent developments in this area leave me optimistic about the possibility of striking a deadly blow to illegal skimmers. I wish I could reveal more, but for now, I can only say that some of the best security minds are working on a solution that will appear later this year. Until that solution arrives…stay cyber safe.