Skimming from the sofa
Skimming devices attached to cash machines to read users' card details increasingly return their data to the criminals via SMS text messages. The devices copy the magnetic strip of cash point and credit cards at the card slot and spy on PINs via keyboard attachments or mini cameras. The data is subsequently used by the skimmers to withdraw money from users' accounts. More details on this method of attack can be found in The H Security article "Manipulated ATMs - Attack of the card cloners".
The new generation of skimming devices no longer stores the data over a period of time for later collection, but transmits it via SMS directly to the criminals, allowing them to clone card details from the comfort of their own living room. The risk of getting caught is reduced by 50% because criminals no longer need to retrieve the skimming device to read out the data. The only time a perpetrator needs to go to the cash machine is to mount the device. This method isn't entirely new, of course, as some skimming devices have transmitted their data via short-distance radio for quite a while. However, with a radio link the criminals need to keep their receivers within range of the device.
Various "Skimming for Dummies" sets are already available on the internet, offering card slot and keyboard attachments with GSM functionality and even card writers for making counterfeit cards – sometimes for as little as $1,800. However, security blogger Brian Krebs thinks that such products are attempts to trick other petty thieves and no functioning hardware is actually delivered. Krebs says prices for real skimming hardware with GSM, for instance for cash points by NCR, start at around €8,000. According to his report, the GSM feature is provided via dismantled mobile phones that are given larger batteries.
The German State Office of Criminal Investigation (LKA) of Lower Saxony, for example, has found that mobile phones are indeed used in skimming attacks. Talking to The H's associates at heise Security, however, the LKA's press office said that the mobiles are generally only used for taking pictures or videos of the victim's keyboard inputs, but not for sending any collected data.
- Credit card skimming attacks on pay-at-the-pump petrol stations, a report from The H.