January 30, 2015

Juggling with cards: doing criminal business on ATMs, part 2


In part one of our series, we discussed tech used by bank card ‘seekers’. Today, we’ll reveal another part of the story, covering how criminals carry out the most dangerous skimming processes.


Outsourcing skimming processes

For the majority of what a carder does, he doesn’t need to be highly qualified. However, some operations – including the process of hardware installation – are quite risky. Sometimes, these functions are delegated to outsourced ‘specialists.’

A skilled professional spends about 30 seconds installing skimming equipment. This is only done after several stages of prep work and intelligence gathering, including analysis of the location and its surveillance cameras and determining the quietest business hours, all with the help of an assistant stationed close to the target.

[Image: Criminal installs skimmer on ATM. Photo: wtsp.com]

A proficient installer is also hard to take down. A cool-headed, well-dressed gentleman need only claim he just noticed something weird on the ATM and wanted to confirm his suspicions before calling the police. Mischief is then very hard to prove, especially if the culprit has gotten rid of the glue and installation tools. This is why banks recommend that users not touch anything suspicious and call the police immediately.

Besides ATMs, carders are interested in other types of terminals that accept bank cards. These include terminals at gas stations, ticket-vending machines at train stations, and vending machines of all kinds. Compared to ATMs, they provoke less suspicion from ordinary people and are less heavily protected.

Criminal reaping

As soon as the skimming hardware is installed, the criminals move on to the next stage of the scam: the ‘reaping’. They have to use this time to clone as many cards as possible before the scam is discovered, because once the bank is aware that a skimming campaign took place, the odds are higher that the holders of harvested cards will block them. To observe the situation, a carder’s accomplice has to be stationed in a car or a café facing the targeted ATM.


If no one notices the ATMs have a few ‘tweaks’ and the bank’s security officers remain unaware, the scam functions until the battery is fully drained, compromising up to one thousand card credentials.

The greediest criminals dismantle the equipment, and the smartest carders abandon it for good to minimize the risk of being caught. The cumulative profit from the stolen cards may be worth thousands of dollars, which makes up for any equipment cost.

Withdrawing money from the cloned cards is a separate, high-risk branch of this type of criminal business, which is why this part of the scam is frequently outsourced. As a rule, several people, referred to as ‘mules’, are involved in this process.

Sometimes mules simply hand the cash over to the carder who specializes in skimming and keep an agreed-upon percentage of the revenue. But there are schemes where mules purchase packages of stolen magnetic strip data and act autonomously, frequently from other parts of the world.

Crudeness is no goodness

The reason stealing cash from bank cards is so easy lies in how primitive the underlying security technology is. The first magnetic strip based bank cards emerged a couple of generations ago, in the middle of the last century, when equipment for stealing and cloning card credentials was still unheard of.


The data recorded on the magnetic strip is, in fact, protected by nothing but a short and vulnerable PIN code used to authorize transactions. Several types of enhanced protection technology appeared later, but they remain optional.

It should go without saying, but payment systems and banks have spent years devising a solution to this problem. More robust EMV cards, equipped with both a magnetic strip and an integrated chip, have been used in Europe for over 20 years.

The difference here is the fact that a chip cannot be cloned the way a magnetic strip can. An ATM requests a card chip to create a unique one-time key, which may be stolen, but will be void for another transaction.

Security researchers have reported a number of vulnerabilities in EMV cards, but those are difficult to exploit in practice. So, this evolution might drive skimmers out of business, but there’s a rub: migrating to EMV cards is a long, complex, and expensive process involving a number of parties.

All must migrate: payment systems, banks, acquirer businesses, producers of POS terminals and ATMs, and many others. That’s why many countries, including developed markets, still use old-fashioned non-EMV cards.

That said, even an EMV-based card may be stripped of money. In order to provide backward compatibility with legacy terminals and increase resilience, a transaction might be completed without the use of the chip, based on magnetic strip data.
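The contrast between the one-time chip key and magnetic strip fallback, as a toy issuer model added here for illustration (not code from the original article). HMAC-SHA256 stands in for the real EMV cryptogram, PIN checking is left out, and `Issuer`, `card_cryptogram`, the counter field and all card values are assumptions constructed for the example.

```python
import hashlib
import hmac

def card_cryptogram(key, atc, amount, nonce):
    # HMAC-SHA256 is a stand-in for the real EMV cryptogram algorithm (assumption).
    msg = f"{atc}|{amount}|".encode() + nonce
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]

class Issuer:
    """Toy issuer host; class, method and field names are hypothetical."""
    def __init__(self, allow_fallback):
        self.allow_fallback, self.cards = allow_fallback, {}

    def enroll(self, pan, key, stripe):
        self.cards[pan] = {"key": key, "stripe": stripe, "last_atc": 0}

    def authorize_chip(self, pan, atc, amount, nonce, cryptogram):
        card = self.cards[pan]
        expected = card_cryptogram(card["key"], atc, amount, nonce)
        if not hmac.compare_digest(expected, cryptogram):
            return "DECLINE: bad cryptogram"
        if atc <= card["last_atc"]:  # counter must move forward on every use
            return "DECLINE: replayed counter"
        card["last_atc"] = atc
        return "APPROVE"

    def authorize_stripe(self, pan, stripe):
        # Strip data is static: nothing distinguishes a copy from the original.
        if stripe != self.cards[pan]["stripe"]:
            return "DECLINE: bad strip data"
        if not self.allow_fallback:
            return "DECLINE: chip card, fallback refused"
        return "APPROVE"

def demo(allow_fallback):
    pan, key = "0000000000000000", b"constructed-card-key"  # constructed values
    stripe, nonce = "constructed-strip-data", b"\x01\x02\x03\x04"
    issuer = Issuer(allow_fallback)
    issuer.enroll(pan, key, stripe)
    seen = card_cryptogram(key, 1, 5000, nonce)  # value recorded in transit
    return {
        "chip_first": issuer.authorize_chip(pan, 1, 5000, nonce, seen),
        "chip_replay": issuer.authorize_chip(pan, 1, 5000, nonce, seen),
        "chip_reused": issuer.authorize_chip(pan, 2, 9000, nonce, seen),
        "strip_first": issuer.authorize_stripe(pan, stripe),
        "strip_copy": issuer.authorize_stripe(pan, stripe),
    }

if __name__ == "__main__":
    print(demo(True), demo(False))
```

With fallback allowed, the second presentation of the same strip data is approved exactly like the first, while the recorded chip value is declined both when replayed and when reused for a different transaction.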

In the U.S., with a full-scale program of nation-wide EMV deployment currently running, carders are most active, as reported by the European ATM Security Team. Indonesia and Thailand in Asia, and Bulgaria and Romania in Europe, are also leading in terms of risk.

Banks might be able to reimburse the money stolen by carders, especially in cases when responsibility can be transferred to another agent, be it a payment system, an ATM owner, or an insurance company. Most likely, the cardholder will be held responsible, and there are numerous cases where this has happened.

Rules of survival

There are no surefire ways to 100% guarantee your card won’t fall victim to an ATM skimmer, but a few simple tips might mitigate the risks.

  1. If your card is not equipped with an EMV chip, you shouldn’t use it at all. Your bank might replace it with an EMV card on demand. The use of the chip does not guarantee full safety, but may mitigate the risk.
  2. Enable the option of SMS notifications to better track transactions. The sooner you discover evidence of theft, the higher the chances are that you might get the money back.
  3. If you aren’t a frequent traveler, find out if your bank can limit the geography of your card’s operations (when you go abroad, you can just ‘switch on’ the country you are travelling to). This is a very efficient measure which has proven its worth in a number of European countries.
  4. Do not use a card with a lot of money on it. The fewer transactions you use it for, especially in new places (for instance, abroad), the better. For high-risk operations you may use a separate card with a low limit.
  5. Should you use an ATM, choose one located in a well-lit and secure area, for example inside a bank office. Likewise, avoid using standalone ATMs in secluded shopping mall corners.
  6. When entering your PIN, stand as close to the ATM as you can and cover the number pad with your hand. Special privacy panels are still rare, so the chances are higher that a camera or your neighbor will see the PIN. Don’t forget to regularly change your PIN (at a trusted ATM or with the assistance of a bank employee), especially after risky transactions.
  7. Keep an eye out for oddities on the ATM and in the surrounding area. Not all carders are professional or use proficient equipment. Also, do not even think of swiping your card through a special ‘magnetic strip cleaner’ located near the ATM (strange as it seems, many people fall for this simple trick).
  8. Count all the bills you get from an ATM. There are special ‘traps’ installed in trays which catch single bank notes. If an ATM does not return your card, this might also be a part of the scam: call the bank immediately, without leaving the terminal. Such scams became very popular in European countries after EMV deployment, since in this case carders need your card with a chip.
  9. Do not leave the card unattended when paying in restaurants and shops: there are a number of compact manual scanners that can clone the card, and a PIN is easy to spy on.
  10. Do not show your card to strangers and never send or post photos of the card, even of just one side. Many legacy websites allow completing transactions without the CVV2 code, which is printed on the reverse side of the card, let alone without two-factor authentication (one-time SMS passwords).

Just stay alert. A bank card is a useful tool, but sometimes its convenience plays against us. Remember: better to be ridiculous and paranoid than sorry and broke.