Juggle-ling with cards: doing criminal business on ATMs, part 2

In part one of our article, we discussed technology used by bank card ‘seekers’. Today we’ll relate another part of the story, covering how criminals carry out the most dangerous skimming processes.

Outsourcing skimming processes

The difficult parts of a skimmers job don’t really require an indivudal to be skilled or qualified in any way.  However, some operations include hardware installation and these can be tricky to get right.  In fact, the process is so professional you can even ‘out-source’ the

A skilled professional spends about 30 seconds on installing skimming equipment. This is done only upon completing several stages of prep work and gathering intelligence, including analysis of a location and surveillance cameras, as well as finding out the quietest business hours — all of it not without help of an assistant stationed in close proximity to the object.

Criminal installs skimmer on ATM. Photo wtsp.com

A proficient installer is also hard to comedown. A cold-headed, well-dressed gentleman would state he has merely noted some weird thing on the ATM and wanted to confirm his suspicions before calling the police. The mischief is then very hard to prove, especially if the culprit has got rid of glue and installation appliances. This is why banks recommend users to touch nothing suspicious and call the police straight away.

Beside ATMs, skimmers are interested in other types of terminals accepting bank cards. These include terminals at petrol stations, ticket-vending machines at train stations, and, generally, all kinds of vending machines. They provoke less suspicion from ordinary people, compared to ATMs, and are less heavily protected.

Criminal reaping

As soon as the skimming hardware is installed, the criminals are working out the next stage of the scam – the ‘reaping’. They have to use the best of their time to clone as many cards as possible before the scam is discovered: as soon as the bank is aware a skimming campaign took place, odds are higher that the holders of harvested cards would block them. To observe the situation, a carder’s accomplice has to be stationed in a car of a café facing the targeted ATM.

If no one notices the ATMs got a few ‘tweaks’ and the bank’s security officers remain unaware, the scam functions until the battery is fully drained, compromising up to a thousand card credentials.

Then the greediest skimmers dismantle the equipment, and the smartest skimmers abandon it for good to minimize the risk of being caught. Anyway, the cumulative profit from the stolen cards may be worth of up to thousands of dollars, which makes up for any equipment cost.

Withdrawing money from the cloned cards is a separate, high-risk branch of this type of criminal business – that’s why this part of the scam is frequently outsourced. As a rule, several people, referred to as ‘mules’, are involved into this process.

Sometimes mules simply give away the cash to the skimmer, profiting from agreed percentage of the revenue. But there are schemes when mules purchase packages of stolen magnetic strip data and act autonomously, frequently from other parts of the world.

Crudeness is no goodness

The reason why stealing cash from bank cards is so easy, lies within the primitivism of corresponding security technology. The first magnetic strip based bank cards emerged a couple of generations ago, in the middle of the past century, when the equipment for stealing and cloning card credentials was unheard of.

The data recorded on the magnetic strip is, in fact, protected by nothing but a short and vulnerable PIN code serving to justify transactions. There are several types of enhanced protection technology which appeared later, but they remain optional.

It goes without saying, payment systems and banks have been spending years elaborating the solution of this problem. More robust EMV cards equipped by a magnetic strip and an integrated chip have been used in Europe for over 20 years now.

The difference here is the fact that a chip cannot be cloned the way a magnetic strip can. An ATM requests a card chip to create a unique one-time key which may be stolen, but will be void for another transaction.

Security researchers have reported a number of EMV cards vulnerabilities, but those are pretty complicated to use in practice. So, this evolution might drive skimmers out of business, but there’s a rub: migrating to EMV cards is a long, complex and expensive process involving a number of parties.

A reasonable portion of offline paranoia may save money online: https://t.co/ZGkvthc12o

— Eugene Kaspersky (@e_kaspersky) December 18, 2014

All must migrate: payment systems, banks, acquirer businesses, producers of POS terminals and ATMs and many others. That’s why many countries, including developed markets, make use of old-fashioned non-EMV cards.

That said, even an EMV-based card may be stripped of money. In order to provide backward compatibility with legacy terminals and increase resilience, a transaction might be completed without the use of the chip, based on magnetic strip data.

In the USA, with a full-scale program of nation-wide EMV deployment currently running, skimmers are most active, as reported by European ATM Security Team. Indonesia and Thailand in Asia, and Bulgaria and Romania in Europe, are also leading in terms of risk.

A dozen of simple #tips might mitigate risks of falling victim of #ATMskimmer

Tweet

Bank might be able to reimburse the money stolen by skimmers, especially in cases when responsibility can be transferred to another agent, be it a payment system, an ATM owner, or an insurance company. But odds are high of cardholder being responsible after all – there are numerous cases when it was so.

So, as usual, if you are drowning, you’re on your own.

Rules of survival

There are no bullet-proof ways to ensure a 100% guarantee your card won’t fall victim to skimmers, but a dozen of simple tips might mitigate risks.

1. If your card is not equipped with an EMV chip, you’d better not use it at all. Usually, your bank might replace it with EMV card on demand. The use of the chip does not guarantee full safety, but may relatively mitigate the risk.
2. Enable the option of SMS notifications to better track transactions. The sooner you discover the fact of robbery, the higher the chances you might get the money back.
3. If you are no frequent traveler, find out if your bank can limit the geography of your card operations (when you go abroad, you can just ‘switch on’ the country you are travelling to). This is a very efficient measure which has proven its worth in a number of European countries.
4. Do not use the card with a lot of money on it. The less transactions you use it for, especially in new places (for instance, abroad), the better. For high-risk operations you may use a separate card with a low limit.

Some tips on what to do if your credit card gets hacked, via the @Kaspersky Daily: http://t.co/lnFCmLsJcV

— Brian Donohue (@TheBrianDonohue) November 17, 2014

5. Should you use an ATM, choose ones located in well-lit and secure place – for example, inside of a bank office. Respectively, avoid using standalone ATMs in secluded shopping mall corners.
6. When entering PIN, stand asa close to the ATM as you can and cover the number pad with your hand. Special vanity panels are still a rare case, and the chances are higher a camera or your neighbor will look up the PIN. Don’t forget to regularly change your PIN (with a trusted ATM or with assistance of a bank employee), especially after risky transactions.
7. Keep an eye for oddities on the ATM and in the surrounding area. Not all the skimmers are professional or use proficient equipment. Also, do not even think of swiping your card through a special ‘magnetic strip cleaner’ located near the ATM (strange as it seems, many people buy this simple trick).
8. Count all the banknotes you get from an ATM. There are special ‘traps’ installed into trays which catch single bank notes. If an ATM would not return your card, this might also be a part of the scam — call the bank immediately, without leaving the terminal. Such scams became very popular in European countries after EMV deployment — in this case carder needs your card with chip.
9. Do not leave the card unattended when paying in restaurants and shops – there are a number of compact manual scanners to clone the card, and a PIN is easy to overlook.
10. Do not demonstrate your card to strangers and never send or post photos of the card, even made from one side. Many legacy websites allow completing transactions without a CVV2 code which is printed on the reverse side of the card, let alone without using two-factor authentication support (with one-time SMS passwords).

A bank card is a useful tool, but sometimes its convenience plays against us. Remember: its better to be ridiculous and paranoid, than sorry and broke.