Mike Barwise, Daniel Bachfeld
Attack of the card cloners
Criminals are cleaning out bank accounts with stolen card data. Their methods are quite simple, and yet so clever that bank customers hardly stand a chance.
Let's assume that you don't do any banking online, your debit card is in your wallet, and no one has your PIN – so how did someone manage to withdraw money from your account? You could be the victim of a skimming attack. Criminals are manipulating ATMs to get data from electronic payment cards, which they then copy so that they can withdraw money later. PINs are simply read electronically.
You are not even safe from such attacks in shops and petrol stations. Card terminals are often manipulated without the knowledge of the shop owner. Generally, victims don't realize when they are attacked, but a few weeks later they get a shock when they see that criminals have emptied their accounts using cloned cards. There has been a lot of hype about phishing, but now public attention is turning to what is being called "skimming".
Many people are victimized in each attack. Nevertheless, detailed statistics for the UK are hard to obtain, for several reasons. Firstly, since the demise of the National High-tech Crime Unit last year, reports to the police have to be made at the local level. Secondly, the banks are in general very loath to admit to the level of skimming that goes on, and thirdly, the typical delay between the often unnoticed skimming itself and the visible loss of funds from accounts makes it difficult to correlate the two reliably.
However, figures provided to heise Security by UK banking trade body APACS show that in the first six months of 2007 skimming fraud accounted for 72.3 million UK pounds: a 37 per cent rise on the 52.8m lost in the equivalent period in 2006. Electronic fraud specialist Professor Ross Anderson of the Cambridge University Computer Laboratory told heise Security that the problem is growing fast, although the banks do not seem keen to publicise the danger. However, he also pointed out that people making transactions using chip and PIN (EPOS) terminals in retail outlets such as supermarkets and petrol stations are at least as vulnerable as they are at ATMs.
The minimum equipment required for skimming ATMs is a miniature debit card reader, which scans the card's magnetic stripe, and a video camera that records the PIN as it is entered. This mini-reader is simply stuck to the outside of the ATM with double-sided tape where the card is inserted. The untrained eye will hardly notice this mini-scanner, which is adapted to the ATM's design. Sometimes, the criminals even put a completely new front panel on the ATM. The data they gather are then stored and either transmitted to a PC when the front panel is dismantled, or sent over a wireless connection to the criminals sitting in a car outside the bank.
The video camera that records the PIN is positioned so that it can peep through a tiny hole onto the touch screen or keypad where the number is entered. Sometimes, however, the camera is not positioned directly above the keypad, but over to the side, for instance on the wall inside a pamphlet box. The video of the PIN entry is generally also saved. In other cases, a fake keypad placed over the original one may be used instead of a camera. Then, keystrokes are logged before being passed on to the actual keypad. It turns out that skimmers from Romania generally use this trick, whereas Bulgarian skimmers apparently prefer the video method.
It is important that any equipment used for skimming go unnoticed. Criminals therefore make sure that their equipment fits the various types of ATMs exactly. Such equipment is often beautifully constructed, containing microcontroller devices smaller than a thumbnail and exquisite SMD technology.
However, there have also been several cases worldwide of complete phoney ATMs being installed by crooks just to gather card details that are later exploited. Typical is the installation of a bogus ATM in a shopping mall in Connecticut in April 1993 by fraudster Gerald Greenfield. Working through a network of bogus companies, Greenfield and his associates manufactured and installed the machine, which was in operation for 12 days. They glued up the slot of a nearby legitimate ATM to attract more business, and eventually extracted some 107,000 US dollars from multiple accounts using cloned cards. A similar unpublicised case in the UK in 2000 involved the setting up of a bogus financial services company in the East End of London with an "always empty" ATM in the wall of its office. These perpetrators were only caught after numerous complaints about the machine being empty had been made to the legitimate building society the machine was labelled as belonging to.