ATM Fraud in Broad Daylight
February 2, 2009
Before you hit play and watch this news story, just know that the Bad Guy didn’t even have to try as hard as he did. This crime is easier to commit than this news segment shows, and there are places a whole lot more vulnerable than an ATM vestibule in the middle of the day.
It’s an important case because we rely more and more heavily on ATM/Debit and Credit Cards as we move toward a cashless society. And they’re all vulnerable to the type of attack detailed here. New card skimmers are showing up that get the mag stripe data, and are coupled with small cameras that watch you enter your PIN. The info is sent to a Bad Guy via a wireless network, and the Bad Guy makes a new mag stripe card, drives across town, withdraws money out of another ATM with your PIN, and disappears into the sunset. You’ll never see your money again.
Roll ‘em:
Basically, the Bad Guy just needs a few seconds to attach a skimmer to the ATM and attach a camera to a convenient location in view of the keypad. Everything can be pre-programmed, so this whole operation can be done in the blink of an eye. The system works by wirelessly transmitting all of the information to the crook, at a safe distance from the ATM.
The point is it’s easy to read magnetic stripes, it’s easy to re-encode magnetic stripes, and it’s easy to buy a bunch of blank credit-card-sized magnetic stripe cards and encode those stripes with stolen numbers. Since merchants don’t verify that you have a genuine— or even genuine-looking— card anymore, a Bad Guy can copy your card and use it at any gas station, any ATM, or any self-service kiosk, and probably not get caught.
(Security Break: What value does the card’s 3 or 4 digit security code add?)
To make things worse, there are a wide variety of ways to get the magnetic stripe info off a card, and because of that, attacks like this continue to grow in popularity. Some easy ways:
- Card skimmers on ATM’s, gas pumps, or even in shops – like in the video above, it only takes a few seconds to install a skimmer and an optional camera, and they can be extremely difficult to detect;
- Waiters at restaurants get your physical card for long enough to copy it, with or without a magnetic stripe reader. They simply take the stolen information and either sell it online, or if they’re truly ambitious, they fabricate a copy card themselves with inexpensive, widely available equipment;
- Browsers and websites can be compromised, or you could be phished – in which case, the Bad Guy gets everything you type and everything you see on your screen, including not only the information on the card, but also things like names, billing addresses, and whatever else you enter for the transaction.
(Security Break: What does signing the back of the card do?)
So, what can be done about this?
There are a few things consumers can do to dramatically improve security in their life, like monitoring their transactions, using known ATM machines and keeping an eye out for changes, etc. But just like passwords are no longer considered a sufficient means of protecting access to online accounts due to things like phishing, relying on a magnetic stripe on a credit card is just not enough to protect your financial transactions. Adding a second method to verify that the account owner is, in fact, the person conducting the transaction would offer material benefit.
So how would this work?
Transaction verification systems call you for approval (usually just pressing the # key) before dispensing the cash or completing the transaction, if the transaction looks suspicious.
I believe more and more banks will be implementing transaction verification systems for just this reason: It’s simple, and it works.
If you're new here, you may want to subscribe to the RSS feed. Thanks for visiting!
Good Morning America just ran this segment on ATM card cloning—
130 ATMs in 49 citiies, including New York, Chicago, and Atlanta. RBS Payment systems had to cover losses of 100 customers, whose money and identity were stolen. The criminals–in some cases, ironic ones, not smart enough to avoid the ATM bank security cameras–installed skimmers at the ATMs, just like you talked about Steve, grabbed the mag stripe data, cloned the card, used it across town to steal money.
Here’s the segment:
http://abcnews.go.com/Video/playerIndex?id=6810099
The advice the correspondent gives is to check an ATM you use for a skimming device (she wiggled the swipe slot to see if it was the legit, solid one, or one that sits on top), and to cover the keypad with one hand while you key in your PIN with the other, so overhead cameras can’t see your PIN.
That’s it? That’s the advice? They need to know about two-factor authentication, for sure.
The correspondent did tip to the fact that 65 other countries use chip-embedded cards, not mag stripes, which are more secure. She makes the point that American banks haven’t adopted the chip yet because of the cost of replacing the ATM machine readers.
Two thoughts I’d like to open up for discussion:
One, why aren’t all mag stripes protected with some sort of two-factor authentication by law? PCI doesn’t cover this!
And two, would the chips really be failsafe? Who knows of encryption hacking in Europe on chip-based cards?
FYI, this isn’t just a problem in the US. I live in Costa Rica and there have been several reports of this happening, especially in areas that are high traffic for tourists.
Althouth this is not related to skimming, we had several reports of the following scam across South Dakota yesterday. I’m wondering if anyone else had this happen to them. Our internal research determined the calls were targeted at Verizon Wireless users. The calls originated from this New York phone number 718-814-1436 with a recorded message stating that debit/credit card was compromised press 1 to activate.