Protect your Cards from Multiple Kinds of Skimmers

PIN may sometimes stand for pilfered identification number if a hacker gets yours. And it’s easier than ever for thieves to get your PIN from an ATM, as they keep coming up with clever ways to beat security technology.

The “primitive” way to get your card number is to manually place a phony card reader over an ATM card reader and then come back to retrieve it. Now it’s being done wirelessly via Bluetooth and SMS tech built into the skimmer. Coupled with wireless cameras and keypad overlays, getting your PIN is easier than ever.

They’re also brazen enough to land jobs that will grant them ATM access; they then install malware that can transmit your PIN to their personal device. The memory chips and transmitters used in PIN-stealing hardware are thinner and lighter these days, which helps them go undetected.

The crime of ATM skimming racks up $350,000 a day.

  • Wedge skimming. An employee runs a card through a card reader tool that transfers data from the card’s stripe. The crook downloads this to his device, then burns the data onto a phony card or uses the data to place online or phone orders.
  • Fake ATMs. The crook installs the phony machine in a place that will attract users like a saucer of honey will attract bees. The machine will read and copy tons of data.
  • ATM skimming. The thief fits a card reader onto an ATM or gas pump card reader. The very inconspicuous reader may have wireless technology. This crime often comes with installation of secret pinhole cameras nearby to capture the consumer’s PIN.
  • Data intercepting. A thief poses as a gas pump serviceman and unlocks it with special keys, then plants a device inside that reads all the customer cards’ unencrypted information.
  • Point of sale swapping. The skimming device is placed at the terminal where you make a purchase. Even busy places like McDonald’s have been targeted.

These smart criminals can copy skimmed credit card data onto gift cards, blank cards, hotel cardkeys or white cards, the latter being quite useful at self-checkouts. Protection comes in the form of:

  • Anti-Skim Security built into the ATM from the factory or as an add-on solution, which is installed inside the machine
  • Checking your statements for suspicious transactions: every day via a smartphone app, every week online, or monthly via your paper statement
  • Challenging questionable transactions right away
  • Concealing the keypad with your other hand when entering your PIN
  • After handing an employee your card, keeping a close eye on it. Don’t let the employee leave your sight with your card.

A crook (often a store employee in this case) can also nab your data with a handheld skimming device like the “wedge” listed above.

The Many Faces of Skimming

  • Remember, the phony skimming device that’s attached to the card reader goes undetected by the consumer, unless the consumer is well-versed in this kind of crime and knows what to look for.
  • The crooked employee gets your information, then sells it.
  • Thieves can now get the data via wireless technology like Bluetooth, eliminating the risk of getting caught at the machine.
  • Pinhole cameras can be placed anywhere close by, such as in a brochure holder.
  • A crook may place a data capturing device over the keyboard to get PINs.

Get familiar with the ATM you use. Sticking to the same machine makes it easier to spot something different about it.

Robert Siciliano is an Identity Theft Expert to Hotspot Shield VPN. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him discussing internet and wireless security on Good Morning America. Disclosures.

“Flash Attacks” Make Big Money for Debit and Credit Card Scammers

The latest ATM scam is so brilliantly simple, it’s hard to believe that it actually works. Apparently, banks’ fraud detection systems are unable to flag nearly simultaneous transactions from the same account. This leaves bank customers vulnerable to what’s been termed a “flash attack,” in which multiple scammers use a stolen debit card number to withdraw cash from the same account.

Once a victim’s debit card number has been successfully skimmed, the card can be cloned, say, 100 times, and the cloned cards can be distributed to 100 people. All 100 people can then use the cloned cards to withdraw cash from 100 different ATMs within a brief window of five or ten minutes. If 100 people withdraw $200 each from the same account, at the same time, the scam nets $20,000 in almost no time.
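The gap described above is a missing velocity check: counting how many distinct ATMs one account touches inside a short window. The following is an added example, not code from the article or from any bank's system; the record layout, the two-terminal threshold and the sample withdrawals are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # the article's "five or ten minutes"
MAX_TERMINALS = 2               # assumed policy: more distinct ATMs than this is suspicious

def detect_flash_attacks(withdrawals, window=WINDOW, max_terminals=MAX_TERMINALS):
    """Return {account: first alert} where one account hits too many ATMs inside the window."""
    recent = defaultdict(deque)  # per-account sliding window of (time, atm, amount)
    alerts = {}
    for ts, account, atm_id, amount in sorted(withdrawals):
        q = recent[account]
        q.append((ts, atm_id, amount))
        while ts - q[0][0] > window:   # evict withdrawals older than the window
            q.popleft()
        terminals = {atm for _, atm, _ in q}
        if len(terminals) > max_terminals and account not in alerts:
            alerts[account] = {"at": ts, "terminals": sorted(terminals),
                               "total": sum(amt for _, _, amt in q)}
    return alerts

def _t(hhmm):  # constructed timestamps, all on one made-up day
    return datetime.strptime("2024-01-01 " + hhmm, "%Y-%m-%d %H:%M")

SAMPLE = [  # constructed records: (time, account, ATM id, amount in dollars)
    (_t("09:00"), "ACCT-A", "ATM-01", 200),
    (_t("09:01"), "ACCT-A", "ATM-02", 200),
    (_t("09:03"), "ACCT-A", "ATM-03", 200),
    (_t("09:04"), "ACCT-A", "ATM-04", 200),
    (_t("09:00"), "ACCT-B", "ATM-07", 100),
    (_t("09:05"), "ACCT-B", "ATM-07", 60),   # same ATM twice: one terminal
    (_t("08:00"), "ACCT-C", "ATM-01", 40),
    (_t("11:00"), "ACCT-C", "ATM-02", 40),
    (_t("14:00"), "ACCT-C", "ATM-03", 40),   # three ATMs, but hours apart
]

if __name__ == "__main__":
    for account, alert in detect_flash_attacks(SAMPLE).items():
        print(account, alert["at"], alert["terminals"], alert["total"])
```

Only ACCT-A is flagged, at its third distinct ATM; the repeat visit to one machine and the withdrawals spread across a day stay below the threshold.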

Your credit or debit card number can be skimmed in a number of different ways:

Wedge Skimming: The most common type of skimming occurs when a salesperson or waiter takes your credit or debit card and runs it through a card reader, which copies the information contained in the card’s magnetic stripe. Once the thief has obtained the credit or debit card data, he can then burn the card number to a blank card, or simply use the number to make purchases online or over the phone.

POS Swaps: Many people pay for goods or services by swiping a credit or debit card through the in-store point of sale machines. EFTPOS (electronic funds transfers at the point of sale) skimming occurs when the point of sale terminal has been replaced with a skimming device. In Australia, fast food chains, convenience stores, and specialty clothing stores have been common targets. McDonald’s, for example, has been hit with this scam.

ATM Skimmers: A card reader device can also be placed on the face of an ATM, disguised as part of the machine. It’s almost impossible for the average user to recognize a skimmer unless it is of poor quality, or the user has an eye for security. Often, the thieves will hide a small pinhole camera in a brochure holder, light bar, mirror or car-stereo-style speaker on the face of the ATM in order to capture the victim’s PIN. The device may have Bluetooth or cellular technology built in so the thieves can obtain the data remotely. Gas pumps are equally vulnerable to this type of scam.

Data Interceptors: Rather than simply placing a skimmer on the face of a gas pump, some criminals place a data-stealing device inside the pump. Posing as a fuel pump technician, a criminal can use a universal key purchased on eBay to access the terminal. Once inside, they unplug a cable that connects the keypad to the display, and piggyback their own device within the mechanism, in order to capture all the unencrypted card data.

Dummy ATMs: ATMs can easily be purchased through eBay or other outlets, and installed in any heavily trafficked location. The machine, which might be powered by car batteries or plugged into the nearest outlet, is programmed to read and record card data. I found one advertised on Craigslist and picked it up at a nearby bar, for $750 from a guy named Bob.

Once credit card numbers have been skimmed, hackers can copy the data onto blank cards, hotel keys, or “white cards,” which are effective at self-checkouts, or in situations where the thief knows the salesperson and is able to “sweetheart” the transaction. A white card can also be pressed with foils, giving it the appearance of a legitimate credit card.

Federal laws limit cardholder liability to $50 in the case of credit card fraud, as long as the cardholder disputes the charge within 60 days. In order for the $50 limit to apply to debit cards, fraud victims must notify the bank within two days of discovering the fraudulent transactions. After two days, the maximum liability jumps to $500.

When using an ATM, gas pump, or point of sale terminal, always cover your PIN.

As inconvenient as this may seem, regular debit card users should check online statements daily.

Consider limiting your debit card use. I use mine only two or three times a month, for deposits and withdrawals.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto, discusses credit and debit card fraud on CNBC. (Disclosures)