In association with heise online

24 June 2010, 17:02

UK court sentences Chip & PIN skimmers

A group of UK-based card skimmers has been given lengthy jail sentences for modifying card readers and stealing card data. In contrast to standard skimming, which uses external devices affixed to ATMs, for example, the gang modified card readers in petrol stations to steal data from Chip & PIN cards.

In the UK and Ireland, many cards still fail to encrypt communications with card readers, making it possible to eavesdrop on data and PIN numbers. Steven J. Murdoch and Ross Anderson of Cambridge University drew attention to this problem with low-cost SDA chip cards back in 2008. According to a BBC report, the criminals burnt a hole in the rear of the terminals and inserted a memory device and Bluetooth receiver. In some cases, garage staff are accused of having been party to the fraud.

When the perpetrators were arrested, investigators are reported to have found 35,000 sets of card data on the gang leader's laptop. The gang is reported to have used the cloned cards to cause losses totalling £725,000. Following the group's arrest, the number of cases of Chip & PIN fraud fell significantly.

There have been no attacks on EMV chip cards of this type in Germany, because the PIN is encrypted before being passed to the card. Using a fairly complex modification, it is theoretically possible to steal PIN numbers entered on the keypad. Certainly there have been many known cases in which skimmers used modified terminals in DIY stores, supermarkets and garages to siphon off data. To date, however, ATMs have remained the primary target for skimmers, with criminals concentrating on reading magnetic strips in order to clone cards.

Modification of terminals isn't just restricted to retailers – in late 2008, US investigators and MasterCard tracked down a group of criminals who were modifying card readers during manufacture. The devices were still able to pass security tests and, according to a Daily Telegraph report, hundreds were supplied to retailers. The data collected was forwarded to a criminal in Pakistan using a mobile phone signal. In response, MasterCard sent a number of teams around Europe equipped with scales to identify the offending terminals, which, due to the added modifications, weighed a few grams more than standard terminals.
