ATM Skimming rising, again

Do you know what ATM stands for? For crooks, it stands for A Thief’s Moneymaker.

http://www.dreamstime.com/stock-photos-identity-theft-red-words-binary-code-computer-monitor-image39907813A new report from FICO says that “skimming” crimes have made their biggest spike in the past 20 years. This includes ATMs on bank premises, but of course, public ATM kiosks have seen the biggest spike.

The thief tampers with the ATM’s card receiver; the installed gadget collects card data which the thief retrieves later. “Skimming,” as this is called, also refers to capturing the PIN via a hidden camera.

With the stolen data, thieves craft phony debit cards, which they then use at ATMs or for purchases. In seconds, your bank account could be sucked dry—poof!

ATM users normally do not know that a skimming device is in place; they just swipe their card. The thief will come back to collect the skimmed data (likely in the middle of the night).

  • He downloads your data.
  • He burns it to a blank ATM card.
  • He drains your bank account first chance he gets or goes on a wild shopping spree.
  • All of this can happen within minutes to hours.
  • The hidden camera may be concealed by a brochure slot near the machine—placed there by the crook himself—with bank brochures he got from inside the bank.
  • The camera may be hidden in a nearby lighting fixture or even attached somewhere on the ATM.

Prevent Getting Skimmed

  • Use only ATMs inside banks if possible. The riskiest locations are restaurants, bars, nightclubs and public kiosks.
  • Regardless of ATM location, inspect the machine. A red flag is if the scanner’s colors don’t jibe with the rest of the machine.
  • Jiggle the card slot to see if it feels like something’s attached to it.
  • Inspect card slots at gas stations and other non-ATM devices that scan your debit card.
  • Look around for areas a camera might be hidden. Even if all seems clear, cover your hand when you enter the PIN.
  • Try to get away from using a debit card at all. At least with a credit card, you can dispute fraudulent charges before you lose any money (up to 60 days), but with a credit card, you have only a few days to do this.
  • Frequently check your bank and credit card statements.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention. Disclosures.

What is ATM Skimming?

Ever hear of a crime called skimming? It may not be as dramatic a crime as assault or Ponzi schemes, but it can cause significant problems to you as your  savings account can be wiped out in a flash.

4HPicture a scrawny nerd tampering with an automated teller machine (ATM)—the machine you use with your debit card to get cash. The thief places a device over the slot through which you slide your debit card. You have no idea it’s there. You swipe your card, and the device “skims” or reads your card’s information. In the middle of the night, the thief creeps back, removes the skimming device, downloads your data, burns it to a blank ATM card, makes a fat withdrawal and goes home with the loot. Or they could download your information from the skimmer and then use your information to make online purchases or access your account. Either way, they could clean you out before you wake up next morning!

Now, to be successful, the criminal not only needs a skimming device, they also need to attach a tiny wireless camera to capture your PIN.  These cameras are usually concealed in the lighting fixture above the keypad, in a brochure near the machine, or attached directly to the ATM.

To protect yourself from being skimmed, and generally staying safe when using your debit or credit cards, follow these tips:

  • Scrutinize the ATM. This means every ATM, even ones from your bank. You also want to check any of the card sliders like ones at gas stations, etc, especially if you’re using your debit card. If the scanner does not match the color and style of the machine, it might be a skimmer. You should also “shake”  the card scanner to see if it feels like there’s something  attached to the card reader on the ATM.
  • Cover the keypad when entering your PIN. In order to access your bank accounts, thieves need to have your card number and your PIN. By covering the keypad, you prevent cameras and onlookers from seeing your PIN.
  • Check your bank and credit card statements often. If someone does get your information, you have 60 days to report any fraudulent charges to your credit card company in order not to be charged. For a debit card, you only have about 2 days to report any suspicious activity.
  • Be choosy. Don’t use general ATMs at bars or restaurants. These are not usually monitored and therefore, can be easily tampered with by anyone.

Stay safe from skimming!

Robert Siciliano is an Online Security Expert to McAfee. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked!  Disclosures.

ATM Skimming, Cyber Fraud Keep Bankers up at Night

Last year there were hundreds of cyber fraud incidents that struck banks and put consumers’ personal data at risk, even though the one involving Target stole the scenes. These crimes included payment card skimming, denial-of-service and web app tampering.

1DAs we’ve discussed, security is a top concern for banks at the board level. It’s not that the criminals are particularly bright and that’s why they’re causing so many problems, but rather, security for banks just cannot keep up with the volume and type of attacks. Security can also be under-resourced and/or putting too much of its attention in the wrong places.

A web app attack is the interference of web applications, (such as sending a phishing e-mail ) that tricks the recipient into revealing their banking information. Another example is cracking passwords.

Web attacks are ubiquitous and can be conducted by mediocre-skilled crooks, hunting for the user names and passwords of online banking customers. Banks are responding by beefing up verification processes for their customers rather than relying on just the one-step authentication.

The denial-of-service attack is the second big threat upon banks, when malicious traffic is heaped upon the institution’s web server to disrupt site operation. A malfunctioning site turns off customers—including potential customers. But a DDoS attack can also be launched to divert attention away from another planned attack that actually steals data.

Payment card skimming hits banks hard. The crook puts a phony card reader over the card-swiping device to collect the card’s data off its magnetic strip. The thief will then create phony ATM cards.

The skimming tool can be made at home with a 3D printer—and the cost of the printer can very quickly be recovered with fraudulent use of the phony cards. Skimmers are not traceable, putting a lot of load on bankers’ backs. The fact that some ATMs are remotely located doesn’t help.

There’s still room for the criminals to become savvier, joining forces and sharing ideas, getting organized etc. However, many still remain solitary, which enhances their ability to go undetected.

As renowned security expert Bruce Schneier recently said “Security is now about resilience – it’s not about defense. Banks must up their security awareness, and have a plan in place to respond quickly and thoroughly should there be a breach.

Robert Siciliano is an Identity Theft Expert to AllClearID. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen See him knock’em dead in this identity theft prevention video. Disclosures.

Live ATM Skimming Video Confiscated

ATM skimming, the top ATM-related crime, accounts for about $350,000 in fraud every day in the United States, exceeding a billion dollars a year.

An organization called EAST, or European ATM Security Team, posted seized video footage from a compromised ATM, depicting the installation of a camera and skimmer. The video shows how criminals collect cardholders’ PINs.  It also shows how easily cardholders can protect their PINs. This must-see video is simple, but says a lot. (You can watch more ATM skimming demonstrations on Extra TV.)

EAST explains, “while the vast majority of ATM transactions are completely secure, criminals do occasionally target cash machines to try to either steal cards (card trapping) or to copy cards (card skimming). In both cases, the criminals need to obtain the 4-digit cardholder PIN to allow for fraudulent cash withdrawal. The video shows criminals installing a micro camera above an ATM PIN pad and then placing a skimming device over the card reader throat. The scenes that follow show cardholders conducting transactions at the ATM and it’s easy to see that the criminals can’t obtain the PIN of those who cover their hand when entering it.”

To help combat this type of crime, ADT has introduced the ADT Anti-Skim ATM Security Solution, which helps prevent and detect skimming on all major ATM makes and models. ADT’s anti-skim solution is installed inside an ATM near the card reader, making it invisible from the outside.

When using an ATM, beware of skimming devices. The following cardholder security tips are courtesy of the LINK ATM Scheme.

– Protect your PIN by standing close to the ATM and shielding the key pad with your other hand.

– Check to see if anything looks unusual or suspicious about the ATM. If it appears to have anything stuck onto the card slot or key pad, do not use it. Cancel the transaction and walk away. Never try to remove suspicious devices.

– Be cautious if strangers offer to help you at an ATM, even if your card is stuck or you’re having difficulties. Don’t allow anyone to distract you.

– Where possible, use an ATM which is in clear view and well lit.

– Check that other people in the queue are a reasonable distance away from you.

– Keep you PIN secret. Never reveal it to anyone, even someone who claims to be calling from your bank or a police officer.

– Avoid opening you purse, bag or wallet when you’re in the queue. Put your money away immediately.

– Regularly check your account balance and bank statements, and report any discrepancies to your bank immediately.

To ensure peace of mind, subscribe to an identity theft protection service, such as McAfee Identity Protection, which offers proactive identity surveillance, lost wallet protection, and alerts when suspicious activity is detected on your accounts. For additional tips, please visit http://www.counteridentitytheft.com.

Robert Siciliano is a McAfee consultant and identity theft expert. See him discuss ATM skimming on Fox Boston. (Disclosures)

ATM Security Threats Increase

ATM skimming alone is responsible for $350,000 of fraud daily exceeding a billion dollars in losses annually.

A recent news report of a skimming scam in Long Island, N.Y., netted thieves more than $200,000 from ATMs at five branches.

Skimming today is far more sophisticated than in the past. Skimmers can include blue tooth and texting technology that send the data to the criminal anywhere. Keypads can be compromised by devices that overlay the exiting pad and transfer the data remotely.

ATM scams and fraud go beyond skimming to crimes that are very physical such as ram raiding to remote malicious software hacks.

During the Black Hat conference a hacker demonstrated how he forced three ATMs to dispense funds by exploiting the machines’ weaknesses in the computers that operate the ATMs. He purchased machines online and discovered that the physical keys were the same for all ATMs of that type made by that manufacturer.  He used the keys to unlock a compartment of the ATM that had standard USB slots. He then inserted a program he wrote for one of the machines, commanding it to dispense all of its vault cash.

Bankinfosecurity.com published “7 Growing Threats to Financial Institutions”.

#1 Skimming; Hardware readily available online that is attached to the face of ATM records user card information and pin codes. In this case you may still be able to perform a transaction.

#2 Ghost ATMs; A card reader is blocked off and replaced with hardware that supersedes the machine and records all your data without allowing a transaction. The machine reads “Can’t complete transaction”.

#3 Dummy ATMs; In some cases an ATM is bought off of eBay (do a search) or elsewhere and installed anywhere there is foot traffic. The machine is set up for one purpose; read data. The machine might be powered by car batteries or plugged in the nearest outlet.

#4 Ram Raids; ATMs built into a wall or stand alone are being rammed by a truck and/or wrapped with chain and pulled out then loaded onto a truck. Once removed the thieves blow torch the machine taking the cash. This is a hot topic in Mexican banks, buy certainly happens everywhere. A bank would be smart to install battery backed GPS in any machine.

#5 PIN ID’s; Sophisticated criminal hackers break into a database or skim magnetic strips. They then go to an online banking site with a hacking software that plugs in various well known PINs. These PINs might be consecutive numbers, people names, pet names, birthdates, or other various simple pass phrases people use. When it finds a match it gives the criminal access to your account.

#6 Automated PIN Changes; Criminals go through the banks telephone banking system to change the customers PIN. They may try to change the customers ANI (Automatic Number Identification) is a system utilized by telephone companies to identify the DN (Directory Number) of a caller. This might be accomplished via “Caller ID Spoofing”. They use publicly available data on the card holder such as name, card account number and last four digits of the social security number to “verify” them as the banks customer.

#7 SMS Attacks; AKA Smishing or Phexting – phish texting. Customers receive a text from a bank on their Smartphone requesting login information.

#8 Malware or Malicious Software; Researchers found a virus that specifically infects ATMs and takes over the machine logging card numbers and pins.

To help combat ATM skimming, ADT unveiled the ADT Anti-Skim ATM Security Solution, which helps prevent skimming attempts and detects skimming devices on all major ATM makes and models.

ADT’s Anti-Skim Solution is installed inside an ATM near the card reader, making it invisible from the outside. The solution detects the presence of foreign devices placed over or near an ATM card entry slot, without disrupting the customer transaction or operation of most ATMs. It can trigger a silent alarm for command center response and coordinate video surveillance of all skimming activities. Also, the technology helps prevent card-skimming attempts by interrupting the operation of an illegal card reader.

How to protect yourself from ATM skimming;

  1. First and foremost; Pay attention to your statements every two weeks. Refute unauthorized transactions within a 30-60 day time frame.
  2. Pay close attention to everything you do at an ATM. Look for “red flags”, anything out of place, your card sticks, odd looking configurations on the ATM, wires, two sided tape.
  3. Use strong PINs, uppercase lower case, alpha and numeric online and when possible at an ATM and for telephone banking.
  4. Don’t reply to phishing or phexting emails. Just hit delete.
  5. Don’t just use “any” ATM. Choose ATMs at locations that are “more secure” than in the middle of nowhere. Do not drop your guard if the ATM is at a bank branch.

Robert Siciliano personal security expert to Home Security Source discussing ATM skimming on Fox Boston. Disclosures.

How Secure Are You And That ATM Transaction?

ATM fraud is more common and likely than a crime committed directly against customers who are in the process of attempting to withdraw cash from the machines, according to NetworkWorld.

When studying “emergency PIN technologies” they state fraud was one of the few concrete conclusions from a report about the use of emergency technology at ATMs issued by the Federal Trade Commission.

Meanwhile reports indicate that thieves used “skimmer” devices to steal $217,000 from Long Island Banks between April and the end of May 2010. Banking information was then re-encoded onto the magnetic strips of blank gift cards. Investigators report that the thefts occurred in Suffolk County, N.Y. They estimate that between 100 and 200 accounts may have been cloned.

The ATM is all about quick easy cash. In the world of technology, when “quick” is paired with “easy” there is a sacrifice made in regards to security. Security is often slow and difficult and most people won’t sacrifice convenience for personal security.

Certainly there is a degree of security in ATMs, but to make them fully secure requires the end user to do more, and unfortunately users often don’t have the ability to jump through all the hoops security requires.

However by understanding some of the risks and incorporating some security tips you can protect yourself.

Always be vigilant when you are at an ATM. Look around the perimeter of the kiosk and beware of anyone paying unwanted attention. If someone is “lurking” they could be waiting to pounce or are shoulder surfing to get your PIN code.

Choose a PIN that’s not easily guessed but can be quickly entered.  Consecutive numbers or the same numbers is never a good idea. Often new ATMs won’t allow you to choose a “soft” PIN anyway.

Don’t ever let anyone help you at an ATM. It’s hard to envision what kind of scenario might involve another person intervening at an ATM. But consider this: Your card gets stuck, someone graciously peeks their head over your shoulder to help. They unstick your card and help you finish the transaction. In the process they got your PIN and swapped your card with another.

In another example two women picked up drunk guys from bars who were waiting for a cab and persuaded them to pull money out of their ATMs while they watched for the PINs. Once they got back to the car one, while making out with him, would pick his pocket and hand off the card to the friend.

Beware of ATM skimming and be able to recognize what an ATM skimmer looks like. Here are some excellent pictures of a well made covert skimming device attached to the face of an ATM. You really need to look for it to recognize it. Not all are as well crafted, but some are very good. ATM skimming of course is when the information on the back of your card is “skimmed” and the criminal then burns the data onto another card and makes withdrawals.

They may have also installed a camera behind a brochure holder, speaker, mirror or in a light bar. If you ever get a vibe that something doesn’t feel right, just leave. Always shield the ATM keypad with your second before entering your PIN.

Meanwhile Romanian Police raided 38 locations and arrested five fraudsters allegedly part of a card cloning gang. Those detained face accusations of being members of an organized crime group, unauthorized access to a computer system, possessing card-cloning equipment, access device fraud and distributing fake electronic-payment devices. Based on this video, they didn’t get a whole lot of equipment but confiscated some cash.

To help combat this type of crime, ADT unveiled the ADT Anti-Skim ATM Security Solution, which helps prevent skimming attempts and detects skimming devices on all major ATM makes and models.

ADT’s anti-skim solution is installed inside an ATM near the card reader, making it invisible from the outside. The solution detects the presence of foreign devices placed over or near an ATM card entry slot, without disrupting the customer transaction or operation of most ATMs. It can trigger a silent alarm for command center response and coordinate video surveillance of all skimming activities. Also, the technology helps prevent card-skimming attempts by interrupting the operation of an illegal card reader.

This technology does not require any software adjustments be made to the ATM itself, and does not connect to or affect the ATM communications network. Prior to its North American introduction, the ADT Anti-Skim ATM Security Solution was successfully field tested on dozens of ATMs of four major U.S. financial institutions in controlled pilot programs. Testing pilots yielded positive results, with no known skimming compromises occurring.

Robert Siciliano personal security expert to ADT Home Security Source discussing ATM skimming on Extra TV. Disclosures.

Russian Hackers Make Millions Breaching 7/11 and ATMs

Robert Siciliano Identity Theft Expert

It started simply by hacking 7-Elevens public website using a SQL injection.  SQL is abbreviation of Structured Query Language.  Pronounced  ”Ess Que El” or ”Sequel” depending on who you ask.  This led to 7 elevens main servers compromised which led to ATMs within 7-Eleven hacked.

Wired reports

““The Russians, evidently using an SQL injection vulnerability,  “gained unauthorized access to 7-Eleven, Inc.’s servers through 7-Eleven’s public-facing internet site, and then leveraged that access into servers supporting ATM terminals located in 7-Eleven stores,” the plea agreement reads. “This access caused 7-Eleven, Inc., on or about November 9, 2007, to disable its public-facing internet site to disable the unauthorized access.””

The investigation began with noticeable fraud at a Citibank followed by a stakeout and arrest. From there a traffic stop connected a mule to the rest and the name dropping began.

This is brilliant:

“Federal prosecutors in New York had by then charged three more people in the ATM-cashing conspiracy, including 32-year-old Ukrainian immigrant Yuriy Ryabinin, aka Yuriy Rakushchynets, and 30-year-old Ivan Biltse.

In addition to looting Citibank accounts, Ryabinin had participated in a global cybercrime feeding frenzy that tore into four specific iWire prepaid MasterCard accounts, issued by St. Louis–based First Bank,  in the fall of 2007. On Sept. 30 and Oct. 1 — just two days — the iWire accounts were hit with more than 9,000 actual and attempted withdrawals from ATM machines around the world, resulting in $5 million in losses.

At the time of the ATM capers, FBI and U.S. Secret Service agents had been investigating Ryabinin for his activities on Eastern European carder forums. Ryabinin used the same ICQ chat account to conduct criminal business, and to participate in amateur-radio websites. The feds compared photos of Ryabinin from some of the ham sites to video captured by New York ATM cameras in the Citibank and iWire withdrawals, and determined it was the same man — right down to the tan jacket with dark-blue trim.

When they raided Ryabinin’s home, agents found his computer logged into a carding forum. They also found a magstripe writer and $800,000 in cash — including $690,000 in garbage bags, shopping bags and boxes stashed in the bedroom closet. Another $99,000 in cash turned up in one of the safe-deposit boxes rented by Ryabinin and his wife, Olena. Biltse was also found with $800,000 in cash.

Ryabinin’s wife told investigators that she witnessed her husband “leave the couple’s house with bundles of credit cards in rubber bands and return with large sums of cash,” a Secret Service affidavit (.pdf) reads.”

This is all “account takeover”. All this money comes from consumer accounts who used ATMs at a convenient store and sometimes at a bank. Once the criminal gets your account data and PIN via the processors server they then burn the data to a white card. There’s no way to protect yourself from this crime when the data is breached at the processor level.

Check your statements frequently, at least every week online. Some banks give less than a week to refute unauthorized charges. Check with your bank to find out exactly what their time frame is if your account is compromised. Call the “claims” department and ask them “what’s the cut off date when making a claim?” My bank told me I can make a claim up to a year, but after 60 days there are federal regulations the limit their liability.

I asked my bank what their thoughts were on using a debit card and they said:

  1. Not to use it at a gas pump or a convenient store ATM where you enter your PIN
  2. They suggested using it as a credit card and not as a debit card
  3. Not to use at their own branch after hours to withdraw cash due toi skimming, which wasn’t new information to me but I didn’t expect my bank to say that.

Unfortunately your security, or lack thereof, is in the hands of others. Take control. Protect your identity. Get a credit freeze. Go to ConsumersUnion.org and follow the steps for your particular state. This is an absolutely necessary tool to secure your credit. In most cases, it prevents new accounts from being opened in your name. This makes your Social Security number useless to a potential identity thief.

Invest in Intelius identity theft protection and prevention. Not all forms of identity theft protection can be prevented, but identity theft protection services can dramatically reduce your risk. (Disclosures)

Robert Siciliano, identity theft speaker, discusses ATM skimming on NBC Boston

Craigslist ATM I bought Causes Industry Stir

Robert Siciliano Identity Theft Expert

Apparently I raised a hackle or two. Seems my little stunt got the attention of industry insiders, and not all of them believe that I bought a used ATM on Craigslist, which turned out to contain thousands of credit card numbers. Well, it did actually happen, and despite what many say, that the ATM couldn’t have contained 16-digit credit and debit card numbers on it, it did.

The most intense resistance to my experiment came from one Boston cop who watched me plant this thing in Downtown Crossing. He crossed his arms, glared at me, and when I walked away from the ATM, asked what I was doing. When I told him, he yelled for the women who were already using my ATM to stop, then took down my information while screaming at me. He later told me that his main concern was the possibility that the ATM might have contained a bomb!

According to ATMmarketplace.com, the ATM industry is braced for a backlash in the face of security concerns. There should be a backlash. We definitely need some regulation as to who can or can’t buy an ATM. And according to Mike Lee, the chief executive of the ATM Industry Association, “while ATMIA does not condone the auctioning of ATMs, online or otherwise, the association has little control over how they are sold.”

Personally, I think that the association needs to start establishing some control, and throwing your hands up in the air is lame. Both eBay and Craigslist have prohibited certain items. Why can’t I buy an old credit card off eBay, but I can buy an ATM with thousands of credit and debit card numbers on it? I can’t buy a “traffic signal control device” off eBay either. Because someone recognized in the wrong hands, the device can wreak havoc.

James Phillips, director of North American sales for ATMGurus, a Triton company, says that “an ATM that has old software or one that retains card numbers does not provide enough information for the owner to compromise consumer accounts,” but that my experiment still “has the potential to be so damaging to the industry’s reputation.” First of all, a 16-digit number is enough to turn data into cash. Even without a PIN, the 16-digit number can be used to buy goods online, or encoded on a blank card to buy goods in a store. This is why Visa and MasterCard require new software to block out the numbers. Second, Jim, you’re right, this is damaging. So please, fix it, and don’t allow lame excuses. And my machine is a Triton 9100. She’s a beauty by the way. Works nice off a 12-volt car battery, too.

Wendy Amaral, an account manager at Nationwide Money Services, says that while it’s possible that some companies could provide processing without collecting the required background information about the ATM owner, Visa, MasterCard, and other financial institutions are firm about the rules, and that audits are unlikely but possible. I think “possible audits” sounds like another cop out. For those of us who use ATMs, the idea that we are protected by “possible audits” is a slap in the face.

George McQuain, chief executive of ATM ISO Global Axcess Corp., which provides ATM processing, says he’s skeptical that I was able to set up my ATM for processing without a background check or even any questions. I haven’t revealed the processors who agreed to set up my ATM because they seemed to be small shops, and I don’t intend to destroy their livelihoods in my attempt to point out the inadequacy of the industry’s regulations. But the first processor set me up over the phone, and all I had to do was fill out a PDF and fax it back. The second showed up to my house in a pickup truck to service the ATM in my garage.

McQuain also says that it is rare for an ATM to have such outdated software that it would allow the owner to print so much customer information. But it was easy for me to find one. And even when they are replaced with newer models, where do they go? Where does the data go? I’ll tell you. On Craigslist, and then to the criminals.

There have been tons of reports on my story:

You can protect yourself from these types of scams by paying attention to your statements. Refute unauthorized transactions within 60 days. Consider never using a debit card again, since credit cards are safer. When using an ATM, pay close attention to details, and look for anything that seems out of place. If your card gets stuck in the machine or you notice anything odd about the appearance of the machine, such as wires, double sided tape, error messages, a missing security camera, or the machine seems unusually old and run down, don’t use it. Don’t use just any ATM. Instead, look for ATMs in more secure locations. Cover your pin!! And invest in Intelius Identity Theft Protection and Prevention. Not all forms of identity theft can be prevented, but identity theft protection services can dramatically reduce your risk. “Disclosures”

Robert Siciliano Identity Theft Speaker rolling an ATM around on Fox

Carders, Dumps, and Identity Theft

Robert Siciliano Identity Theft Expert

WE DO NOT SELL DUMPS. DO NOT EMAIL OR CALL US.

WE DO NOT SELL DUMPS

Albert Gonzalez and his gang of criminal hackers were responsible for data breaches in retailers and payment processors, with some estimates saying they breached over 230 million records combined. Gonzalez, considered a proficient criminal hacker, provided “dumps,” a term which refers to stolen credit card data, to “carders”. “Carders” are the people who buy, sell, and trade stolen credit card data online. This video provides an example of an online forum where stolen data is bought and sold. Gonzalez pleaded guilty to his crimes and will be serving the next fifteen years in jail. He and his gang used a combination of schemes that have caused a significant increase in counterfeit fraud.

Hackers rely on a variety of techniques to obtain credit card data. One such technique is wardriving, in which criminals hack into wireless networks and install spyware. Another is phishing, in which spoofed emails prompt the victim to enter account information. Phexting or smishing are similar to phishing, but with text messages instead of emails. Some hackers use keylogging software to spy on victims’ PCs. Others affix devices to the faces of ATMs and gas pumps in order to skim credit and debit card data.

Gonzalez and his gang used another, more advanced technique known as an “SQL injection.” SQL stands for “Structured Query Language.”  The term refers to a virus that infects an application by exploiting a security vulnerability. WordPress, a blogging platform, is an example of a commonly used application that has been found vulnerable to these types of attacks. There are hundreds of other applications that can fall victim to an SQL injection.

IBM Internet Security Systems discovered 50% more web pages infected in the last quarter of 2008 than in the entire year of 2007. In 2005, a now defunct third party payment processor called CardSystems suffered an SQL injection, compromising a reported 40 million credit cards.

While Gonzalez has gone down, carders are still very active. A group of white hat hackers that calls itself War Against Cyber Crime recently succeeded in breaking into Pakbugs.com, a Pakistan-based carder forum, and published a list of members’ login details and email addresses. Pakbugs.com has since dropped offline.

With 213 million cardholders and 1.2 billion credit cards in the U.S., there’s no shortage of opportunity for carders to maintain their current pace. When a carder uses one of your existing credit cards, it’s called “account takeover.” When they use your personal information to open up new credit accounts in your name, it’s called “new account fraud” or “application fraud.”

1. Protecting yourself from account takeover is relatively easy. Simply pay attention to your statements every month and refute unauthorized charges immediately. I check my charges online once every two weeks. If I’m traveling extensively, especially out of the country, I let the credit card company know ahead of time, so they won’t shut down my card while I’m on the road.

2. Protecting yourself from new account fraud requires more effort. You can attempt to protect your own identity, by getting yourself a credit freeze, or setting up your own fraud alerts. There are pros and cons to each.

3. Invest in Intelius Identity Protection and Prevention. Because when all else fails you’ll have someone watching your back.

Includes:

·         Triple Bureau Credit monitoring – monitors changes in your credit profiles from Equifax, Experian and TransUnion-includes email alerts of any suspicious changes

·         Social Security Number and Public Record Monitoring – monitors the internet and public sources for fraudulent social security number, aliases, addresses, and phone numbers

·         Junk Mail Reduction – stop identity thieves from using personal information from your mailbox, trash or even phone calls by eliminating junk mail, credit card offers and telemarketing calls

·         Neighborhood Watch – includes a sex offender report, list of neighbors and a neighbor report on each of your neighbors

·          Identity Theft Specialists  – if in the unlikely event you become a victim of identity theft our Identity Theft experts will work with you to restore your identity and good name

·         Credit Report Dispute – if you find errors on your credit report we will help you resolve them quickly

·         Protection Insurance and Specialists -Identity Protect has you covered with up to $25,000 in Identity Theft Recovery Insurance and access to Personal Identity Theft Resolution Specialists.

Robert Siciliano Identity Theft Speaker discussing credit card and debit card fraud on CNBC

Preventing Card-Skimming Identity Theft

Identity Theft Expert Robert Siciliano

Skimming is one of the financial industry’s fastest-growing crimes, according to the U.S. Secret Service. The worldwide ATM Industry Association reports over $1 billion in annual global losses from credit card fraud and electronic crime associated with ATMs.

Skimming can occur in a few different ways. The most common is when a store clerk takes your card and runs it through a device that copies the information from the magnetic strip. Once the thief has the credit or debit card data, he or she can place orders over the phone or online. Thieves can also copy the data on blank cards, or “white” cards. White cards are effective at self checkouts, or when the thief knows the clerk and is able to “sweetheart” the transaction. A white card can also be pressed with foils to look like a legitimate credit card, as seen in this video.

The PCI Security Standards Council provides guidelines designed to help merchants securely store and transmit card account data and prevent it from falling into the hands of criminals. Retailers who fail to comply with PCI’s standards can be fined up to $500,000 by credit card providers such as Visa and MasterCard. PCI recently released a series of recommendations for the prevention of skimming scams. “Skimming is becoming a widespread problem. These are guidelines for what retailers should be looking at with their reader devices”, says Bob Russo, general manager of the PCI SSC. “We discuss different techniques for protecting those point-of-sale devices.”

The PCI Council’s “Skimming Prevention: Best Practices for Merchants” guidelines include a risk assessment questionnaire and self-evaluation forms to gauge susceptibility to these types of attacks and to determine where they need to shore up their defenses. The guidelines cover how to educate and protect employees who handle the point of sale devices from being targeted, as well as ways to prevent and deter compromise of those devices. They also detail how to identify a rigged reader and what to do about it, and how physical location of the devices and stores can raise risk.

Thieves can completely replace a merchant’s point of sale terminal with a device that is rigged to record or divert card data wirelessly, or simply store the data until the criminal comes back and removes it. (This is what happened to Stop and Shop.)

Criminals can also place a device on the face of an ATM, which appears to be a part of the machine.  It’s almost impossible for civilians to know the difference unless they have an eye for security, or the skimmer is of poor quality. Often, the thieves will hide a small pinhole camera in a brochure holder near the ATM, in order to extract the victim’s pin number. Gas pumps are equally vulnerable to this type of scam.

A customer at a New York City bank discovered a skimming device on the face of an ATM, and went inside the bank to inform the branch manager. The manager, who had never seen an ATM skimmer and wasn’t sure what to do, took the skimmer and thanked him. The customer then remembered, from numerous reports about ATM skimming, that there is usually a second part to the ATM skimmer, the camera. In this case, he found it behind a small mirror that alerts the ATM user to beware of “shoulder surfers.” He brought the camera to the bank manager, who replied by saying, “Maybe we should shut that machine down, huh?” The bank manager contacted bank security, shut down the machine, and alerted other area banks.

To help combat this type of crime, ADT unveiled the ADT Anti-Skim ATM Security Solution, which helps prevent skimming attempts and detects skimming devices on all major ATM makes and models. ADT’s anti-skim solution is installed inside an ATM near the card reader, making it invisible from the outside. The solution detects the presence of foreign devices placed over or near an ATM card entry slot, without disrupting the customer transaction or operation of most ATMs. It can trigger a silent alarm for command center response and coordinate video surveillance of all skimming activities. Also, the technology helps prevent card-skimming attempts by interrupting the operation of an illegal card reader. This technology does not require any software adjustments be made to the ATM itself, and does not connect to or affect the ATM communications network. Prior to its North American introduction, the ADT Anti-Skim ATM Security Solution was successfully field tested on dozens of ATMs of four major U.S. financial institutions in controlled pilot programs. Testing pilots yielded positive results, with no known skimming compromises occurring.

You can protect yourself from these types of scams by paying attention to your statements and refuting any unauthorized transactions within 60 days. When using an ATM, pay close attention to details, and look for anything that seems out of place. If your card gets stuck in the machine or you notice anything odd about the appearance of the machine, such as wires, double sided tape, error messages, a missing security camera, or if the machine seems unusually old and run down, don’t use it. Don’t use just any ATM. Instead, look for ATMs in more secure locations. Use strong PINs, with both upper and lowercase letters, as well as numbers. And invest in Intelius identity theft protection. Not all forms of identity theft can be prevented, but identity theft protection services can dramatically reduce your risk.

Robert Siciliano, identity theft expert, discusses ATM skimming on Fox News.