You're in a restaurant, enjoying a deep conversation. Peripherally, you see the waiter take your credit card and return a few minutes with a slip for you to sign. You think nothing of it until a few hours later when you receive a call from your bank: Someone is racking up serious debt on your credit card, mostly for electronics purchases. Is it you?
Skimming, a form of high-tech financial fraud, is on the rise worldwide. It relies on sophisticated data-reading electronics to copy the magnetic stripe information from your credit card or debit card. It can capture both your credit card number and your PIN. And it's happening not just at restaurants but at neighborhood gas pumps and ATM machines.
Today a criminal merely has to slip an electronic magnetic strip reader over the existing card slot at an ATM, or replace a point of sale device. When you slide your plastic in, the skimming device reads it first, and then the actual card reader does -- at which point the transaction proceeds as expected. But now a crook has an exact copy of your card data without your even realizing it.
Older card-skimming devices required criminals to return and collect the information periodically, exposing them to risk of discovery. But newer skimmers can broadcast the card data to the thieves either by Bluetooth (which has a short range) or by GSM cellular. This enables the thieves, who may be sitting in a car nearby or in a building on the other side of the planet, to capture the account numbers live as the account holder makes a purchase or a withdrawal.
Pay at the Pump
Gas stations may be the most vulnerable outposts. Pumps today are largely automated and often unattended, giving criminals plenty of opportunity to embed skimming devices in them late at night. In Grand Junction, Colorado, a maintenance worker found skimming devices inside three gas pumps. And in 2010, a law enforcement investigation found that 180 gas stations from Salt Lake City to Provo, Utah, had skimmers inside their pumps. One Sandy, Utah, customer told the local TV station afterward, "I can't tell the difference between the fake one or the real one, so yeah I would stick my card in it."
Skimming attacks became so prevalent in Arizona in 2009 that the governor ordered state patrol officers to inspect gas stations along major highways.
ATMs Problematic, Too
ATMs are vulnerable for the same reasons that gas pumps are: They're exposed and unattended. Criminal organizations have targeted ATMs throughout Europe and have started hitting major cities in the United States, too. In a presentation at Black Hat USA 2008, security researchers Nitesh Dhanjani_and Billy Rios showed pictures of a warehouse full of ATM card readers and keyboards, in molded plastic of every color to match any ATM on the market today.
Responding to the threat, South Africa's Absa bank experimented with adding pepper spray anti-tampering systems at 11 of its most commonly skimmed ATMs; unfortunately, maintenance crews attempting to service the machines have sometimes triggered the spray.
Collecting credit card data is a relatively simple matter of capturing the account number. But debit cards are even more desirable to thieves because the bad guys can plunder a bank account quickly and completely without the account holder's realizing what's happening. The card networks monitor credit card usage, and they have rigorous risk- and fraud-prevention policies in place. In contrast, debit cards are linked directly to a bank account, though obtaining the PIN associated with a debit card is somewhat more difficult.
The most common high-tech ways to steal PINs are with tiny cameras mounted within a fish-eye mirror and with an electronic mesh overlaid on the keyboard. Criminals are often caught while mounting or removing such cameras, but recently they've figured out less obvious ways to steal PINs.
PINs may be four or six digits long. When you key in your PIN, software at the ATM or point of sale automatically converts it into a one-way algorithm called a hash. Then, if someone captures the data steam, they'll see only the resulting hash value, not the original four or six digits. By itself, a hashed PIN is a useless string of numbers. You can't type in the hashed PIN as it appears on your debit card or within a database inside a bank network, because those digits will be converted into yet another value. Instead, you have to find a way to generate that hash value, and until recently that wasn't practical.
In 2008 the FBI disclosed that attackers had used the PINs of Citibank account holders during a crime spree in Manhattan. According to the FBI documents, attackers had located the PIN data in a data breach, analyzed and decrypted the algorithm used, and then generated a table of all the possible four- and six-digit PIN codes that that algorithm might produce -- what's called a Rainbow Table in cryptography. The criminals didn't have to match an accountholder's PIN exactly; they only needed the four or six digits that would produce the same hash value.
Royal Bank of Scotland
Even if criminals can reproduce the encrypted hash value, they cannot withdraw more than certain amount during a single transaction or within a certain period -- unless someone inside the bank's network adjusts those values. That happened on November 8, 2008, when a gang of criminals robbed the US payment processing arm of The Royal Bank of Scotland group, RBS Worldpay, from both the inside and the outside. Within a 12-hour window they withdrew an estimated $9.4 million from ATMs in 230 cities across the globe. Meanwhile, someone else on the inside increased the daily withdrawal limits on individual accounts -- in one instance to half a million dollars.
Ane Estonian suspect was extradited to the US in August 2010. Another suspect, 28-year old Victor Pleshchuk, received four years' probation from a Russian court the following month. A third, unnamed suspect remains at large.
Protect Yourself at an ATM
Since the 2008 attacks, banks and credit card networks have improved their back-end security systems considerably. ATM manufacturers now offer better data protection through updated technology. For instance, privacy filters cause ATM screens to blur when viewed at an angle, to prevent over-the-shoulder eavedropping. Some ATMs sink the keyboard to prevent spy cameras from seeing your PIN, and jiggle inserted cards to prevent skimmers from reading them.
Even so, when standing at an ATM, if you have any reason to suspect that the machine may be compromised, don't use the machine. You may want to run your finger along the card slot to see whether anything comes loose or feels mismatched. If so, report it to the bank and find another ATM to handle your transaction.
Safety at the Point of Sale
Compromises at point-of-sale terminals are much harder to detect, especially at gas pumps. Your safest course is use a credit card instead of a debit card when paying for gasoline, since the card networks will detect and stop fraud quickly. Credit card consumers are often covered by zero liability programs; but with debit cards, that may not be the case, depending on your bank.
Skimming is just the latest scam. As word gets out -- and as the payment and ATM industry gets wiser -- the criminals will move on. Until then, it's caveat emptor: Let the buyer -- or card user -- beware.
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.