Should You Worry About Contactless Credit Card NFC Skimming

If you have a contactless card, you might have worries about skimming. A contactless card, also called “frictionless” or “tap and go,” is a card that has technology in it that allows payment over secure wireless, like Apple Pay, Android Pay, etc. Skimming, basically, is where a criminal literally digitally pickpockets you by scanning things like your debit card or passport. What’s scary about this is that anyone can get an app for their phone that will allow them to skim. Is there protection for this? Maybe.

But before you freak out, you probably don’t even have a contactless card. Very few cards deployed in the USA are contactless, so that sleeve you use doesn’t protect you from anything. Now, if you are overseas or even in Canada, look at your card: if there is a Wi-Fi-looking logo on it, you have contactless.

The way that the bad guys skim this information is by using RFID, or radio-frequency identification. There are RFID signal jammers out there, but the question is this: do they work and are they necessary?

RFID Signal Blockers

If you put some time into it, you will find a number of RFID signal blockers on the market. Some of these are small and slip right into your wallet. Others are passport sized. There are also RFID signal blocker wallets on the market.

The Test

A blogger recently put these RFID signal blockers to the test…on the London Underground, one of the most crowded places in the world, especially during rush hour. He set up the test by asking one person to place a debit card in their pocket, and then another person used a mobile phone with an RFID signal scanner. The result was that the phone could scan and record the number on the debit card and the expiration date, simply by holding the phone really close to the pocket.

The blogger took the test a step further and tried to block these signals with RFID blocking technology. Even though the experiment was very unscientific, the blogger found that the blocker stopped the skimming.

Protecting Yourself

There are some things you can do to protect yourself from this. First, check your passport. It should have a chip in it. This chip is in all US passports that have been released since 2007. Now, someone can still take information from your passport using RFID skimming, but they have to actually be on the page where the photo is, and it’s pretty rare that they would have access to that.

You can also use a shielding device. They can certainly work, and some people have even found great results by using tinfoil. This will further help to protect your accounts.

Finally, even if you are using an RFID shielding device, make sure that you are checking your statements for anything suspicious. This is especially the case if you often find yourself in crowded places, like the subway.

Robert Siciliano, personal security and identity theft expert and speaker, is the author of Identity Theft Privacy: Security Protection and Fraud Prevention: Your Guide to Protecting Yourself from Identity Theft and Computer Fraud. See him knock ’em dead in this Security Awareness Training video.

Skimming Big Business targeting Big Business

Skimming means more than just cutting fat off steak; it’s also when a thief obtains data from that magnetic strip on the back of your credit card (or debit or ATM card).

The thief records and copies this data with a counterfeit card reader onto a blank card’s strip, and then makes purchases or cash withdrawals with this fraudulent card—in the account holder’s name.

Skimming takes place at ATMs, taxis, gas stations, restaurants, retail stores—any place where an employee will swipe your card to make your purchase. A credit/debit/ATM card reader can be fitted with a skimmer by the thief. Or, the thief can skim your card using a handheld skimming device.

Next time you hand your card to a clerk, watch it very carefully. At one gas station, two attendants skimmed dozens of customers’ cards with a square-shaped device the size of a dime, then sold the stolen information.

There are several ways to skim this cat:

  • An employee skims a card, then sells the stolen data, usually online on illegal “carding sites.”
  • The skimming or scanning device can be tiny, hidden in the hand.
  • Other skimming devices are superimposed on an ATM’s “mouth” to collect information when customers insert their cards. Thieves can then transfer the data via Bluetooth.
  • Sometimes a scanning-overlay is placed on the keyboard to capture PINs.
  • A less sophisticated approach is to record via tiny camera the customer entering the PIN.
  • Thieves with only half a brain know to wear concealing attire when they collect these devices. They do it quickly since they know that banks can catch on quickly.
  • These devices are also placed inside gas station pumps.
  • Some of these crimes are perpetrated by organized groups, and the gas station ones usually come from Europe.

Make It Harder for Thieves

Always use the same ATMs so that you might detect a subtle difference one day.

Use indoor ATMs.

Keep your eyes on your card after giving it to an employee, though this isn’t always possible when the employee disappears into an employee-only area.

Cover the PIN pad with your other hand when entering your PIN.

Finally, routinely check your credit card and bank statements for any unauthorized charges.

Robert Siciliano is an Identity Theft Expert to AllClearID. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock ’em dead in this identity theft prevention video. Disclosures.

Top 5 Credit/Debit Card Skimming Attacks

Credit card fraud is a multi-billion dollar industry. Skimming is one of the financial industry’s fastest-growing crimes, according to the U.S. Secret Service. ATM skimming alone is responsible for $350,000 of fraud daily, exceeding a billion dollars in losses annually.

Skimming can occur in a few different ways:

Wedge Skimming

The most common skim is when a store clerk, waiter, etc. takes your card and runs it through a card reader device that copies the information from the magnetic strip. Once the thief has the credit or debit card data, he downloads it to his PC. Then he can burn the data to a gift card or blank “white card,” or place orders over the phone or online.

POS Swaps

EFTPOS (electronic funds transfers at the point of sale) skimming occurs when the point of sale terminal is replaced with a skimming device. People commonly swipe both credit and debit cards through the in-store machines to pay for goods and services at these outlets. This is what happened to Stop and Shop. In Australia, fast food chains, convenience stores, and specialty clothing stores are bearing the brunt of the crime. McDonald’s is among the outlets whose EFTPOS machines have been targeted.

ATM Skimmers

Criminals can also place a card reader device on the face of an ATM, which appears to be a part of the machine. The device may have wireless Bluetooth or cellular technology built in to obtain the data remotely. It’s almost impossible for civilians to know the difference unless they have an eye for security, or the skimmer is of poor quality. Often, the thieves will hide a small pinhole camera in a brochure holder, light bar, mirror or car-stereo-looking speaker on the face of the ATM in order to extract the victim’s PIN. Gas pumps are equally vulnerable to this type of scam.

Data Interceptors

Another type of gas pump skim is pulled off due to a common set of keys that will open almost any gas pump. Criminals pose as fuel pump technicians and access the terminal with the master keys. Once inside they access the wires that connect the key pad/card reader and piggyback a device inside the pump that reads all the unencrypted card data.

Dummy ATMs

In some cases an ATM is bought off of eBay (do a search) or elsewhere and installed anywhere there is foot traffic. The machine is set up for one purpose; read/copy data. The machine might be powered by car batteries or plugged in the nearest outlet. I bought one off Craigslist for $750 from a guy named Bob at a bar. How you like them apples.

When credit card information is skimmed, hackers can copy the data on blank cards, gift cards, hotel keys, or “white” cards. White cards are effective at self checkouts, or when the thief knows the clerk and is able to “sweetheart” the transaction. A white card can also be pressed with foils to look like a legitimate credit card, as seen in this video.

To help combat ATM Skimming, ADT unveiled the ADT Anti-Skim ATM Security Solution, which helps prevent skimming attempts and detects skimming devices on all major ATM makes and models. ADT’s anti-skim solution is installed inside an ATM near the card reader, making it invisible from the outside.

Consumers must check their statements online weekly, or at least their paper ones monthly. Dispute unauthorized charges immediately. Federal law allows up to 60 days to dispute a charge. After that you may be paying for an identity thief’s Vegas bender. Whenever entering a PIN, always cover the keypad with your other hand.

Robert Siciliano, personal security expert to Home Security Source, discussing ATM skimming on Fox Boston. Disclosures.

More ATM Skimmers Being Used By Gangs

A report issued by the FTC finds that customers in the process of withdrawing cash from ATMs are more likely to be victims of ATM fraud than a direct, physical crime, and skimmer devices have recently been found on gas pumps and ATMs throughout Northern California.

ATM skimming occurs when a device is placed on the face of an ATM, often over the slot where the card is inserted. The skimmer, which may use Bluetooth or cellular technology to transmit the data to criminals wirelessly, appears to be a part of the machine. It’s almost impossible for ATM users to know the difference unless they have an eye for security, or the skimmer is of poor quality. Often, the thieves will hide a small pinhole camera in a brochure holder, light bar, mirror, or speaker on the face of the ATM, which is used to capture the victim’s PIN. Gas pumps are equally vulnerable to this type of scam.

Always shield the ATM keypad with your hand while entering your PIN. Be vigilant while using an ATM. Look around and beware of anyone lurking – they could be waiting to pounce, or shoulder surfing, trying to see your PIN. And if you ever sense that something is off about an ATM or gas pump, just leave.

Choose a PIN that’s not easily guessed but can be entered quickly. Using consecutive numbers or repeating the same numbers is never a good idea. Many new ATMs won’t allow you to choose a “soft” PIN anyway.

Don’t ever let anyone assist you at an ATM. It’s hard to envision what kind of scenario might require another person to intervene at an ATM. But consider this possibility: your card gets stuck and a stranger graciously peeks his head over your shoulder to help. He frees your card and helps you finish the transaction. In the process, he got your PIN and swapped your card with another.

Beware of ATM skimming and learn to recognize a skimmer. Here is an example of a particularly well-made skimming device, which would be easy to miss. Not all are as well crafted, but some are very good.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto, discusses dummy ATM scams on NBC Boston. (Disclosures)

A Viable Solution to Wave of Skimming and Point of Sale Attacks

Officials are reporting a wave of credit and debit card attacks targeting point of sale swapping, skimming of card data, and hacking into payment processors. Reports say the U.S. Secret Service, among others, are in the process of investigating a multistate crime spree.

The Oklahoma Bankers Association commented, “It is beyond apparent our bankers are taking great losses on these cards and we also need to explore creative ideas to mitigate these losses. It is in the best interest of retailers, bankers, processors and card providers to find ways to limit these losses so that debit and credit cards can remain a viable method of payment.”

Organized criminals have long been ramping up and coordinating multiple attacks. They continually find inventive ways to circumvent existing systems.

Electronic funds transfers at the point of sale (EFTPOS) skimming is when the POS is swapped out.

EFTPOS (electronic funds transfers at the point of sale) skimming occurs when the point of sale terminal is replaced with a skimming device. People commonly swipe both credit and debit cards through the in-store machines to pay for goods and services at these outlets. In Australia, fast food chains, convenience stores, and specialty clothing stores are bearing the brunt of the crime. McDonald’s is among the outlets whose EFTPOS machines have been targeted.

Last year, legitimate EFTPOS devices at McDonald’s outlets across Perth, Australia, were replaced with compromised card-skimming versions, cheating 3500 customers out of $4.5 million. They actually replaced the entire device you see at the counter when you order your Big Mac!

Officials say the problem is so bad they urged people to change credit and debit card PIN numbers weekly to avoid the possibility of having their account balances wiped out, as it was likely more cases would be identified.

Revisiting the Oklahoma Bankers Association’s statement, specifically, “It is in the best interest of retailers, bankers, processors and card providers to find ways to limit these losses so that debit and credit cards can remain a viable method of payment,” it sounds a little desperate to me. Credit and debit cards as we know them, with their magnetic strips, are easily compromised and frequently targeted by criminals. Now that Mexico and Canada are going chip and PIN, getting “creative” to save the mag stripe is going to take a lot more than a class in creativity. Sounds like a serious upgrade is in order.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto, discusses credit and debit card fraud on CNBC. Disclosures