In association with heise online

At the counter

So are you at least safe if you never withdraw cash from an ATM? Unfortunately not – criminals have also found ways to get information in shops and filling stations. At its simplest the process is actually quite easy: the cashier, who gets a kickback for working with the skimmers, first puts your card through the real card reader and then through a second one to get your data. The cashier also registers your PIN, for instance by asking you to repeat the entry on the skimming device. It is also becoming more common for skimmers to break into shops and add skimming modules to legitimate card readers. For example, as described by Prof. Anderson to heise Security, an unobtrusive and fully automatic Italian device simply clips to the cable between the EPOS keypad and the card reader on the cashier's till, drawing its power from the cable. It reads the transaction details and sends an SMS message to a mobile phone in the possession of the criminals. This is facilitated by at least some terminals in current use sending the PIN unencrypted to the chip on the card for verification.

However, there are larger scale methods for EPOS skimmers with sufficient clout. Last year there were numerous reports of cards being skimmed in Shell filling stations in southern England. The matter became so serious that Shell withdrew its card payment facilities from its stations. Apparently, bogus service engineers supplied the garages with tampered replacement card readers. The attacks lasted some eight weeks and are believed to have netted around one million UK pounds. Another huge scale operation surfaced in early 2007, ostensibly funded by the Tamil Tigers (LTTE). It involved Sri Lankan asylum seekers being given loans by the LTTE to purchase filling station franchises and subsequently being coerced into systematically skimming the cards of UK motorists. Some 200 filling stations in the North and East of the country were affected.

Clearly some large-scale criminal organisation, even at an international level, has to be behind such well organised fraud. However, such a grandiose scale of operations is not always necessary. Recently, a do-it-yourself shop in Hesse, Germany recorded 560 payment cards from a manipulated EPOS terminal at a cash register within four weeks. Some 850,000 euros were stolen in this one case; the banks covered the losses. Of course, whatever the scale of the attacker's operation, individuals can protect themselves. Such attacks only work when your PIN is required. If you are asked to sign, skimmers cannot get your data. In the UK you can ask most banks to issue you with a chip and signature card that will also accept a PIN but does not require it if you sign for an EPOS transaction. In fact the EPOS terminal usually defaults to printing a signature slip. Such cards can usually also be used at an ATM with a PIN, where you would of course be exposed to skimming like anyone else.

International

But getting the victim's card and PIN data is only half the story. Cloning a chip card is still considered a difficult operation, but a magnetic stripe card is a pushover. Fortunately for the fraudster, a major failing of many chip-capable ATM implementations is the option to fall back automatically to the readily copied magnetic stripe if a chip is absent or not readable. The provision is officially to prevent transaction failure if a chip is damaged, but it allows fraudulent withdrawals to be made using cloned cards at ATMs overseas that are not equipped to read the chip. Because many overseas ATMs (not least in the USA) cannot cope with chips, the magnetic stripe is unlikely to disappear in the near future. The triumph of convenience over security strikes again. For this very reason fraudulent withdrawals are often made by skimmers from overseas ATMs that do not support the chip.
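The fallback weakness described above can be checked on the issuer's side. The following Python sketch is an added example, not part of the original article: it parses ISO/IEC 7813 Track 2 data, uses the service code to tell whether the card carries a chip, and rates a magnetic-stripe read of such a card. The `AuthRequest` fields, the decision labels and the decline policy are assumptions made for illustration.

```python
from dataclasses import dataclass

# ISO/IEC 7813 service code, first digit: 2 and 6 mean the card has a chip
# that should be used where feasible; 1 and 5 mean a stripe-only card.
CHIP_SERVICE_DIGITS = {"2", "6"}


@dataclass
class AuthRequest:
    """Hypothetical authorization record; all field names are assumptions."""
    track2: str              # Track 2 data as read by the terminal
    entry_mode: str          # "chip" or "magstripe": how the card was read
    terminal_has_chip: bool  # terminal reports a working chip reader
    issuer_country: str
    terminal_country: str


def parse_track2(track2: str) -> dict:
    """Split ';PAN=YYMMSSS...?' into PAN, expiry and service code."""
    body = track2.strip().lstrip(";").split("?", 1)[0]
    pan, sep, rest = body.partition("=")
    if not sep or not pan.isdigit() or not 12 <= len(pan) <= 19:
        raise ValueError("malformed Track 2: bad PAN or missing separator")
    if len(rest) < 7 or not rest[:7].isdigit():
        raise ValueError("malformed Track 2: expiry or service code missing")
    return {"pan": pan, "expiry": rest[:4], "service_code": rest[4:7]}


def assess(req: AuthRequest) -> str:
    """Rate the read method only: 'approve', 'review' or 'decline'."""
    try:
        fields = parse_track2(req.track2)
    except ValueError:
        return "decline"
    chip_card = fields["service_code"][0] in CHIP_SERVICE_DIGITS
    if not chip_card or req.entry_mode == "chip":
        return "approve"
    # A chip card read by its stripe: the fallback path a stripe copy relies on.
    if req.terminal_has_chip:
        return "decline"   # chip reader present, stripe used anyway
    if req.terminal_country != req.issuer_country:
        return "review"    # stripe-only terminal abroad
    return "decline"       # assumed policy: fallback disabled domestically
```

The "review" outcome is where an issuer would apply further checks, such as per-day limits on overseas withdrawals.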

Neither of the two main card service providers (Visa and Mastercard) was able to inform heise Security what proportion of UK ATMs can still read the magnetic stripe, but the official position of APACS is still that magnetic stripe fallback is disabled across the board. Nevertheless Prof. Anderson told heise Security "It's a sensitive topic. APACS has said in the past that mag strip copies of chip cards cannot be used in UK ATMs, which means that mag-strip fallback is disabled on all ATMs. There is strong evidence that they are not telling the truth (one of our students fried his chip and used a Barclays Bank cash machine in Cambridge). Now they are saying it's up to the bank."

Skimmer
You should be able to detect such an unprofessional attempt (left) without further ado. In contrast, the skimmer on the right could hardly be any smaller.

Nevertheless the skimmers are usually active in at least two countries, resulting in what investigators call "cross-border fraud". This is a global problem for law enforcement, with all the complexities that go with pursuit of fraud across jurisdictions. While there is a limit on the amount that can be withdrawn using most payment cards (or their forged copies) in foreign countries, the limit varies from one bank to another and generally only applies for a certain amount per day. In practice, perpetrators can empty an account by withdrawing the maximum amount each day for several days before the victim notices anything.

Skimmers frequently seem unconcerned about disguising themselves either when they install their equipment or when they withdraw money. The high turnover within skimmer gangs means that a given perpetrator is rarely part of a subsequent campaign. Furthermore, it is hard to get hold of them because they generally remove their equipment from an ATM after a few hours so they can move on to the next town. If the ATM is in a highly frequented part of a pedestrian zone or a train station in a large city, a few hours is enough to get data from dozens of victims. Indeed in one recent case in Hertfordshire, UK, a perpetrator apparently rushed up and removed a false front from a supermarket ATM immediately after a customer had lost her card in it.

Added skimming equipment
The equipment added to the ATMs has the same design, so it is hard to notice the manipulation.

The gangs also employ a division of labour: one group handles the skimming equipment, another transports it, and another installs and uninstalls it and handles the data collected. A fourth group creates copies of cards, while a fifth withdraws the money with the forged cards. Despite the sophistication of the perpetrators, a few individuals have been caught red-handed, though generally Agent McLucky was also on the beat at the time.
