Posts

ATM Skimming rising, again

Do you know what ATM stands for? For crooks, it stands for A Thief’s Moneymaker.

http://www.dreamstime.com/stock-photos-identity-theft-red-words-binary-code-computer-monitor-image39907813A new report from FICO says that “skimming” crimes have made their biggest spike in the past 20 years. This includes ATMs on bank premises, but of course, public ATM kiosks have seen the biggest spike.

The thief tampers with the ATM’s card receiver; the installed gadget collects card data which the thief retrieves later. “Skimming,” as this is called, also refers to capturing the PIN via a hidden camera.

With the stolen data, thieves craft phony debit cards, which they then use at ATMs or for purchases. In seconds, your bank account could be sucked dry—poof!

ATM users normally do not know that a skimming device is in place; they just swipe their card. The thief will come back to collect the skimmed data (likely in the middle of the night).

  • He downloads your data.
  • He burns it to a blank ATM card.
  • He drains your bank account first chance he gets or goes on a wild shopping spree.
  • All of this can happen within minutes to hours.
  • The hidden camera may be concealed by a brochure slot near the machine—placed there by the crook himself—with bank brochures he got from inside the bank.
  • The camera may be hidden in a nearby lighting fixture or even attached somewhere on the ATM.

Prevent Getting Skimmed

  • Use only ATMs inside banks if possible. The riskiest locations are restaurants, bars, nightclubs and public kiosks.
  • Regardless of ATM location, inspect the machine. A red flag is if the scanner’s colors don’t jibe with the rest of the machine.
  • Jiggle the card slot to see if it feels like something’s attached to it.
  • Inspect card slots at gas stations and other non-ATM devices that scan your debit card.
  • Look around for areas a camera might be hidden. Even if all seems clear, cover your hand when you enter the PIN.
  • Try to get away from using a debit card at all. At least with a credit card, you can dispute fraudulent charges before you lose any money (up to 60 days), but with a credit card, you have only a few days to do this.
  • Frequently check your bank and credit card statements.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention. Disclosures.

What is ATM Skimming?

Ever hear of a crime called skimming? It may not be as dramatic a crime as assault or Ponzi schemes, but it can cause significant problems to you as your  savings account can be wiped out in a flash.

4HPicture a scrawny nerd tampering with an automated teller machine (ATM)—the machine you use with your debit card to get cash. The thief places a device over the slot through which you slide your debit card. You have no idea it’s there. You swipe your card, and the device “skims” or reads your card’s information. In the middle of the night, the thief creeps back, removes the skimming device, downloads your data, burns it to a blank ATM card, makes a fat withdrawal and goes home with the loot. Or they could download your information from the skimmer and then use your information to make online purchases or access your account. Either way, they could clean you out before you wake up next morning!

Now, to be successful, the criminal not only needs a skimming device, they also need to attach a tiny wireless camera to capture your PIN.  These cameras are usually concealed in the lighting fixture above the keypad, in a brochure near the machine, or attached directly to the ATM.

To protect yourself from being skimmed, and generally staying safe when using your debit or credit cards, follow these tips:

  • Scrutinize the ATM. This means every ATM, even ones from your bank. You also want to check any of the card sliders like ones at gas stations, etc, especially if you’re using your debit card. If the scanner does not match the color and style of the machine, it might be a skimmer. You should also “shake”  the card scanner to see if it feels like there’s something  attached to the card reader on the ATM.
  • Cover the keypad when entering your PIN. In order to access your bank accounts, thieves need to have your card number and your PIN. By covering the keypad, you prevent cameras and onlookers from seeing your PIN.
  • Check your bank and credit card statements often. If someone does get your information, you have 60 days to report any fraudulent charges to your credit card company in order not to be charged. For a debit card, you only have about 2 days to report any suspicious activity.
  • Be choosy. Don’t use general ATMs at bars or restaurants. These are not usually monitored and therefore, can be easily tampered with by anyone.

Stay safe from skimming!

Robert Siciliano is an Online Security Expert to McAfee. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked!  Disclosures.

Protect your Cards from Multiple Kinds of Skimmers

PIN may sometimes stand for pilfered identification number if a hacker gets yours. And it’s easier than ever for thieves to get your PIN from an ATM, coming up with clever ways to beat security technology.

2CThe “primitive” way to get your card number is to manually place a phony card reader over an ATM card reader and then come back to retrieve it. Now it’s being done wirelessly via Bluetooth and SMS tech built into the skimmer. Coupled with wireless cameras and keypad overlays, getting your PIN is easier than ever.

They’re also brazen enough to land jobs that will grant them ATM access; they then install malware that can transmit your PIN to their personal device. PIN hacking’s memory chips and transmitters are thinner and lighter these days, making them go undetected.

The crime of ATM skimming racks up $350,000 a day.

  • Wedge skimming. An employee runs a card through a card reader tool that transfers data from the card’s stripe. The crook downloads this to his device, then burns the data onto a phony card or uses the data to place online or phone orders.
  • Fake ATMs. The crook installs the phony machine in a place that will attract users like a saucer of honey will attract bees. The machine will read and copy tons of data.
  • ATM skimming. The thief fits a card reader onto an ATM or gas pump card reader. The very inconspicuous reader may have wireless technology. This crime often comes with installation of secret pinhole cameras nearby to capture the consumer’s PIN.
  • Data intercepting. A thief poses as a gas pump serviceman and unlocks it with special keys, then plants a device inside that reads all the customer cards’ unencrypted information.
  • Point of sale swapping. The skimming device is placed at the terminal where you make a purchase. Even busy places like McDonald’s have been targeted.

These smart criminals can copy skimmed credit card data on gift cards, blank cards, hotel cardkeys or white cards, the latter being quite useful at self-checkouts. Protection comes in the form of:

  • Anti-Skim Security built into the ATM from the factory or as an add-on solution, which is installed inside the machine
  • Checking your statements every day via a smartphone app or every week online or monthly via your paper statement for suspicious transactions
  • Challenging questionable transactions right away
  • When entering your PIN, conceal the keypad with your other hand
  • After handing an employee your card, keeping a close eye on it. Don’t let the employee leave your site with your card.

A crook (often a store employee in this case) can also nab your data with a handheld skimming device like the “wedge” listed above.

The Many Faces of Skimming

  • Remember, the phony skimming device that’s attached to the card reader goes undetected by the consumer, unless the consumer is well-versed in this kind of crime and knows what to look for.
  • The crooked employee gets your information, then sells it.
  • Thieves can now get the data via wireless technology like Bluetooth, eliminating the risk of getting caught at the machine.
  • Pinhole cameras can be placed anywhere close by, such as in a brochure holder.
  • A crook may place a data capturing device over the keyboard to get PINs.

Get familiar with the ATM you use—because you should be using the same one so that it will be easier to spot something different about it.

Robert Siciliano is an Identity Theft Expert to Hotspot Shield VPN. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen See him discussing internet and wireless security on Good Morning America. Disclosures.

ATM Skimming, Cyber Fraud Keep Bankers up at Night

Last year there were hundreds of cyber fraud incidents that struck banks and put consumers’ personal data at risk, even though the one involving Target stole the scenes. These crimes included payment card skimming, denial-of-service and web app tampering.

1DAs we’ve discussed, security is a top concern for banks at the board level. It’s not that the criminals are particularly bright and that’s why they’re causing so many problems, but rather, security for banks just cannot keep up with the volume and type of attacks. Security can also be under-resourced and/or putting too much of its attention in the wrong places.

A web app attack is the interference of web applications, (such as sending a phishing e-mail ) that tricks the recipient into revealing their banking information. Another example is cracking passwords.

Web attacks are ubiquitous and can be conducted by mediocre-skilled crooks, hunting for the user names and passwords of online banking customers. Banks are responding by beefing up verification processes for their customers rather than relying on just the one-step authentication.

The denial-of-service attack is the second big threat upon banks, when malicious traffic is heaped upon the institution’s web server to disrupt site operation. A malfunctioning site turns off customers—including potential customers. But a DDoS attack can also be launched to divert attention away from another planned attack that actually steals data.

Payment card skimming hits banks hard. The crook puts a phony card reader over the card-swiping device to collect the card’s data off its magnetic strip. The thief will then create phony ATM cards.

The skimming tool can be made at home with a 3D printer—and the cost of the printer can very quickly be recovered with fraudulent use of the phony cards. Skimmers are not traceable, putting a lot of load on bankers’ backs. The fact that some ATMs are remotely located doesn’t help.

There’s still room for the criminals to become savvier, joining forces and sharing ideas, getting organized etc. However, many still remain solitary, which enhances their ability to go undetected.

As renowned security expert Bruce Schneier recently said “Security is now about resilience – it’s not about defense. Banks must up their security awareness, and have a plan in place to respond quickly and thoroughly should there be a breach.

Robert Siciliano is an Identity Theft Expert to AllClearID. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen See him knock’em dead in this identity theft prevention video. Disclosures.

ATM Security Threats Increase

ATM skimming alone is responsible for $350,000 of fraud daily exceeding a billion dollars in losses annually.

A recent news report of a skimming scam in Long Island, N.Y., netted thieves more than $200,000 from ATMs at five branches.

Skimming today is far more sophisticated than in the past. Skimmers can include blue tooth and texting technology that send the data to the criminal anywhere. Keypads can be compromised by devices that overlay the exiting pad and transfer the data remotely.

ATM scams and fraud go beyond skimming to crimes that are very physical such as ram raiding to remote malicious software hacks.

During the Black Hat conference a hacker demonstrated how he forced three ATMs to dispense funds by exploiting the machines’ weaknesses in the computers that operate the ATMs. He purchased machines online and discovered that the physical keys were the same for all ATMs of that type made by that manufacturer.  He used the keys to unlock a compartment of the ATM that had standard USB slots. He then inserted a program he wrote for one of the machines, commanding it to dispense all of its vault cash.

Bankinfosecurity.com published “7 Growing Threats to Financial Institutions”.

#1 Skimming; Hardware readily available online that is attached to the face of ATM records user card information and pin codes. In this case you may still be able to perform a transaction.

#2 Ghost ATMs; A card reader is blocked off and replaced with hardware that supersedes the machine and records all your data without allowing a transaction. The machine reads “Can’t complete transaction”.

#3 Dummy ATMs; In some cases an ATM is bought off of eBay (do a search) or elsewhere and installed anywhere there is foot traffic. The machine is set up for one purpose; read data. The machine might be powered by car batteries or plugged in the nearest outlet.

#4 Ram Raids; ATMs built into a wall or stand alone are being rammed by a truck and/or wrapped with chain and pulled out then loaded onto a truck. Once removed the thieves blow torch the machine taking the cash. This is a hot topic in Mexican banks, buy certainly happens everywhere. A bank would be smart to install battery backed GPS in any machine.

#5 PIN ID’s; Sophisticated criminal hackers break into a database or skim magnetic strips. They then go to an online banking site with a hacking software that plugs in various well known PINs. These PINs might be consecutive numbers, people names, pet names, birthdates, or other various simple pass phrases people use. When it finds a match it gives the criminal access to your account.

#6 Automated PIN Changes; Criminals go through the banks telephone banking system to change the customers PIN. They may try to change the customers ANI (Automatic Number Identification) is a system utilized by telephone companies to identify the DN (Directory Number) of a caller. This might be accomplished via “Caller ID Spoofing”. They use publicly available data on the card holder such as name, card account number and last four digits of the social security number to “verify” them as the banks customer.

#7 SMS Attacks; AKA Smishing or Phexting – phish texting. Customers receive a text from a bank on their Smartphone requesting login information.

#8 Malware or Malicious Software; Researchers found a virus that specifically infects ATMs and takes over the machine logging card numbers and pins.

To help combat ATM skimming, ADT unveiled the ADT Anti-Skim ATM Security Solution, which helps prevent skimming attempts and detects skimming devices on all major ATM makes and models.

ADT’s Anti-Skim Solution is installed inside an ATM near the card reader, making it invisible from the outside. The solution detects the presence of foreign devices placed over or near an ATM card entry slot, without disrupting the customer transaction or operation of most ATMs. It can trigger a silent alarm for command center response and coordinate video surveillance of all skimming activities. Also, the technology helps prevent card-skimming attempts by interrupting the operation of an illegal card reader.

How to protect yourself from ATM skimming;

  1. First and foremost; Pay attention to your statements every two weeks. Refute unauthorized transactions within a 30-60 day time frame.
  2. Pay close attention to everything you do at an ATM. Look for “red flags”, anything out of place, your card sticks, odd looking configurations on the ATM, wires, two sided tape.
  3. Use strong PINs, uppercase lower case, alpha and numeric online and when possible at an ATM and for telephone banking.
  4. Don’t reply to phishing or phexting emails. Just hit delete.
  5. Don’t just use “any” ATM. Choose ATMs at locations that are “more secure” than in the middle of nowhere. Do not drop your guard if the ATM is at a bank branch.

Robert Siciliano personal security expert to Home Security Source discussing ATM skimming on Fox Boston. Disclosures.