The moment I became seriously worried about credit and debit card skimmers was not when my entire bank account was transferred to Turkey or when I had to replace a credit card three times in two months because of fraudulent charges. It was when I learned that stealing a credit card number is as easy as connecting a magnetic stripe reader to a computer and opening a word processor. Each swipe spits out the credit card number without the need for additional setup. Advanced devices for stealing your information are installed by criminals directly on ATMs and credit card readers. These are called skimmers, and if you are careful, you can protect yourself from these insidious devices.
What are skimmers?
Skimmers are essentially malicious card readers attached to real payment terminals so they can collect data from anyone who swipes their card. The thief often has to return to the affected machine to retrieve the stolen data file, but with this information he can create cloned cards or simply get into a bank account to steal money. Perhaps the scariest part is that skimmers often do not stop the ATM or credit card reader from working properly, making them harder to recognize.
Classic skimming attacks remain and may still be a problem today, even though banks have switched to EMV smart cards, according to Stefan Tanase, a security researcher at Kaspersky Lab. Even if a card has a chip, the data is still on the card's magnetic stripe for backwards compatibility with systems that cannot handle the chip. Even now, long after the introduction of EMV cards in the US, some merchants still require customers to use the magnetic stripe.
The typical ATM skimmer is a small device that fits over an existing card reader. Most often, the attackers also place a hidden camera nearby to record the personal identification numbers (PINs) used to access accounts. The camera can be in the card reader, on the top of the ATM or even mounted on the ceiling. Some criminals install a fake PIN pad over the real keyboard to capture the PIN directly and bypass the need for a camera.
The image above is a real skimmer used at an ATM. You see the funny, bulky yellow piece? That's the skimmer. This is easy to recognize because it has a different color and material than the target device. However, there are other telltale signs. Underneath the slot in which you insert your card are raised arrows that are embedded in the plastic housing of the device. You can see how the gray arrows are very close to the yellow housing of the reader and almost overlap. This is a sign that a skimmer has been installed over the existing one, as the real card reader would have some space between the card slot and the arrows.
From Skimmers to Shimmers
When US banks finally caught up with the rest of the world and started issuing smart cards, it was a huge security benefit for consumers. These smart cards, or EMV cards, offer more robust security than the painfully simple magnetic stripes of older credit cards. But thieves learn fast, and they have had years of practice attacking smart cards in Europe and Canada.
Instead of skimmers sitting on top of the magnetic stripe readers, shimmers sit inside the card readers. These are very, very thin devices that are not visible from the outside. When you insert your card, the shimmer reads the data from the chip on your card, just as a skimmer reads the data on your card's magnetic stripe.
However, there are some important differences. For one, the integrated security of EMV means that attackers can get only the same information they would get with a skimmer. In his blog, security researcher Brian Krebs explains that "data collected by shimmers cannot be used to make a chip-based card, but could be used to clone a magnetic stripe card. While the data usually stored on a card's magnetic stripe is replicated in the chip on chip-ready cards, the chip contains an additional security component that cannot be found on a magnetic stripe."
The real problem is that shimmers are much harder to detect, because they sit inside ATMs or vending machines. The shimmer below was found in Canada and reported to the RCMP. It is little more than an integrated circuit printed on a thin plastic sheet. If the owners of the compromised device had not been careful, it could have stolen information from every user.
ATM manufacturers have not taken this sort of fraud lying down. Newer ATMs are equipped with robust anti-tampering devices that sometimes include radar systems to detect items inserted into or attached to the ATM. However, a researcher at the Black Hat security conference was able to capture PINs as part of a complicated fraud using an ATM's built-in radar.
The threats are real and continue to evolve, which is why it is so important to briefly inspect an ATM or credit card reader before use.
Check for Tampering
When you approach an ATM, look for obvious signs of tampering on top of the ATM, near the speakers, around the screen, on the card reader itself and on the keyboard. If something looks different, e.g. a different color or material, improperly aligned graphics, or anything else that does not look right, do not use this ATM. The same applies to credit card readers at the checkout or at petrol stations.
When you're at the bank, it's a good idea to take a quick look at the ATM next to yours and compare the two. If there are obvious differences, do not use either of them, and report the suspected tampering to your bank. For example, if one ATM has a flashing card slot to show where the card should be inserted and the other ATM has a plain reader slot, you know something is wrong. Most skimmers are glued on top of the existing reader and obscure the flashing indicator.
If the keyboard does not feel right (too thick, maybe), it may have a PIN overlay on it, so do not use it.
Even if you do not see any visual differences, push on everything, Tanase said. ATMs are solidly built and generally have no loose parts. Credit card readers have more variety, but still: pull on protruding parts like the card reader. Check that the keyboard is firmly attached and is a single piece. Does anything move when you press on it?
Skimmers read the magnetic stripe as the card is inserted. Wiggle the card a bit as you insert it, Tanase advises. The reader needs the stripe to pass in a single motion, because it cannot read the data properly otherwise. If the ATM is the kind that takes in the card and returns it at the end of the transaction, the reader is inside. Wiggling the card as you insert it into the slot does not disturb your transaction, but it makes the skimmer fail.
This tactic does not work with shimmers and does not work with ATMs that capture and hold your card while your transaction is in progress. However, there are still ways to protect yourself when using these machines.
Thinking About Your Steps
Whenever you enter your debit card PIN, assume someone is looking. Maybe it's over your shoulder or through a hidden camera. Cover the keyboard with your hand when entering your PIN, Tanase said. This is a good policy, even if you notice nothing unusual at the ATM. Obtaining the PIN is essential, as criminals cannot use the stolen magnetic stripe data without it, Tanase said. Of course, this assumes that the attacker is using a camera and not an overlay to get your PIN.
Criminals often install skimmers at ATMs that are not in overly busy locations because they do not want to be observed when installing malicious hardware or retrieving the collected data. ATMs in banks are generally safer because of all the cameras, though some brave criminals still manage to install skimmers there. The ATM in a grocery store or restaurant is generally safer than the one on the sidewalk. Stop and consider the security of the ATM before you use it.
That said, no place is safe from an enterprising criminal. Take this video, for example. The thief installs a skimmer in a grocery store in seconds.
The chances of being hit by a skimmer are higher on weekends than during the week, since it is more difficult for customers to report suspicious ATMs to the bank. Criminals usually install skimmers on Saturdays or Sundays, then remove them before banks reopen on Monday.
If possible, do not use the magnetic stripe on your card to complete the transaction. For credit card readers in stores, look for a slot under the PIN pad where you can insert your card so that the EMV chip is read. If you use your EMV chip, the card will be authorized for the device and your personal information will never be transferred. This forces criminals to attack the inner workings of EMV-enabled readers. Cracking EMV readers is possible, but much more difficult than magstripe skimming.
If the credit card terminal accepts NFC transactions, consider Apple Pay, Samsung Pay or Android Pay. These services tokenize your credit card information so that your personal information is never disclosed. If a criminal somehow intercepts the information, he will only receive a useless virtual credit card number. Keep in mind that Samsung Pay can actually emulate a magnetic stripe transaction on certain devices when you hold your phone over the card reader. This is much safer than swiping your credit card.
One scenario that often requires the use of a magnetic stripe is paying for fuel at a gas pump. These attacks are widespread, as many pumps still do not support EMV or NFC transactions, and attackers can gain unnoticed access to the pumps. It is much safer to pay the cashier. If no cashier is on duty, apply the same tips as for ATMs and examine the card reader before using it.
Digital Attacks and Solutions
The recent British Airways hack introduced a new concept: the digital card skimmer. Instead of using a physical device to collect your card information or a fake phishing site that asks you to enter your information, a digital skimmer is malicious software that is inserted into a legitimate website.
Fighting this type of attack is ultimately up to businesses, which must make sure their websites and services are secure. However, there are a few things that consumers can do to protect themselves. One option is the use of virtual credit cards. These are dummy credit card numbers associated with your real credit card account. If one of them is compromised, you do not need to get a new credit card. Just generate a new virtual number. Some banks, such as Citi, offer this as a feature. Ask your bank about availability.
If you cannot get a virtual card from your bank, Abine Blur offers subscribers masked credit cards. These are prepaid credit cards that you can create on the fly and use for online purchases. Abine even provides a fake name and billing address that further disguise your personal information. If one of them is exposed, you will not lose any money or private information.
Another option is to sign up for card notifications. For example, Ally Bank sends a push notification to your phone every time your debit card is used. This is handy because you can instantly identify fake purchases. If your bank offers a similar option, turn it on.
If you do not notice a card skimmer and your card details are stolen, take heart. As long as you report the theft to your card issuer (for credit cards) or your bank (where you have your account) as soon as possible, you will not be liable for the lost amount and your money will be refunded. Business customers, on the other hand, do not have the same legal protection and may find it harder to get their money back.
Also try to use a credit card whenever possible. A direct debit transaction is an immediate money transfer and requires an FDIC claim, which can take several weeks to process. Credit card transactions can be stopped and canceled at any time, forcing merchants to better secure their ATMs and point-of-sale terminals.
Timely reporting is very important in fraud cases, so keep an eye on your debit and credit card transactions. Personal finance apps like Mint.com make sorting through all your transactions easier.
Finally, keep an eye on your phone. Banks and credit card companies typically have very active anti-fraud policies and will usually contact you by phone or SMS if they find something suspicious. A quick reaction can mean stopping attacks before they can affect you. Keep your mobile handy.
Remember, if something at an ATM or a credit card reader does not feel right, do not use it. Whenever possible, use the chip instead of the strip on your card. Your bank account will thank you.
Fahmida Y. Rashid contributed to this story