Keep your credit cards safe from skimmers

Credit card skimming is a major threat to credit and debit card users. Here's what you need to know

You're in a restaurant, enjoying a deep conversation. Peripherally, you see the waiter take your credit card and return a few minutes later with a slip for you to sign. You think nothing of it until a few hours later when you receive a call from your bank: Someone is racking up serious debt on your credit card, mostly for electronics purchases. Is it you?

Skimming, a form of high-tech financial fraud, is on the rise worldwide. It relies on sophisticated data-reading electronics to copy the magnetic stripe information from your credit card or debit card. It can capture both your card number and your PIN. And it's happening not just at restaurants but at neighborhood gas pumps and ATMs.

High-Tech Theft

Today a criminal merely has to slip an electronic magnetic stripe reader over the existing card slot at an ATM, or replace a point-of-sale device. When you slide your plastic in, the skimming device reads it first, and then the actual card reader does -- at which point the transaction proceeds as expected. But now a crook has an exact copy of your card data without your even realizing it.

Older card-skimming devices required criminals to return and collect the information periodically, exposing them to risk of discovery. But newer skimmers can broadcast the card data to the thieves either by Bluetooth (which has a short range) or by GSM cellular. This enables the thieves, who may be sitting in a car nearby or in a building on the other side of the planet, to capture the account numbers live as the account holder makes a purchase or a withdrawal.

Pay at the Pump

Gas stations may be the most vulnerable outposts. Pumps today are largely automated and often unattended, giving criminals plenty of opportunity to embed skimming devices in them late at night. In Grand Junction, Colorado, a maintenance worker found skimming devices inside three gas pumps. And in 2010, a law enforcement investigation found that 180 gas stations from Salt Lake City to Provo, Utah, had skimmers inside their pumps. One Sandy, Utah, customer told the local TV station afterward, "I can't tell the difference between the fake one or the real one, so yeah I would stick my card in it."

Skimming attacks became so prevalent in Arizona in 2009 that the governor ordered state patrol officers to inspect gas stations along major highways.

ATMs Problematic, Too

ATMs are vulnerable for the same reasons that gas pumps are: They're exposed and unattended. Criminal organizations have targeted ATMs throughout Europe and have started hitting major cities in the United States, too. In a presentation at Black Hat USA 2008, security researchers Nitesh Dhanjani and Billy Rios showed pictures of a warehouse full of ATM card readers and keyboards, in molded plastic of every color to match any ATM on the market today.

Responding to the threat, South Africa's Absa bank experimented with adding pepper spray anti-tampering systems at 11 of its most commonly skimmed ATMs; unfortunately, maintenance crews attempting to service the machines have sometimes triggered the spray.

Elusive PINs

Collecting credit card data is a relatively simple matter of capturing the account number. But debit cards are even more desirable to thieves because the bad guys can plunder a bank account quickly and completely without the account holder's realizing what's happening. The card networks monitor credit card usage, and they have rigorous risk- and fraud-prevention policies in place. In contrast, debit cards are linked directly to a bank account, although obtaining the PIN associated with a debit card is somewhat more difficult.

The most common high-tech ways to steal PINs are with tiny cameras mounted within a fish-eye mirror and with an electronic mesh overlaid on the keyboard. Criminals are often caught while mounting or removing such cameras, but recently they've figured out less obvious ways to steal PINs.

PINs may be four or six digits long. When you key in your PIN, software at the ATM or point of sale runs it through a one-way function and transmits only the result, called a hash. If someone captures the data stream, they'll see only the resulting hash value, not the original four or six digits. By itself, a hashed PIN is a useless string of numbers. You can't type in the hashed PIN as it appears on your debit card or within a database inside a bank network, because those digits will be converted into yet another value. Instead, you have to find a way to generate that hash value, and until recently that wasn't practical.

In 2008 the FBI disclosed that attackers had used the PINs of Citibank account holders during a crime spree in Manhattan. According to the FBI documents, attackers had located the PIN data in a data breach, analyzed and decrypted the algorithm used, and then generated a table of all the possible four- and six-digit PIN codes the algorithm might produce -- what's called a rainbow table in cryptography. The criminals didn't have to match an accountholder's PIN exactly; they only needed the four or six digits that would produce the same hash value.
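To make the table attack described above concrete, here is an added example (not from the article or the FBI documents) that models the PIN "hash" as plain SHA-256 over the digits and contrasts it with a keyed HMAC whose key is never stored beside the values. The keyspace is so small (10,000 four-digit PINs) that an unkeyed hash is fully invertible by a precomputed table; the key and all function names are constructed for this illustration.

```python
import hashlib
import hmac


def unkeyed_pin_hash(pin: str) -> str:
    """Constructed model of an unkeyed PIN hash: SHA-256 over the digits.
    Real PIN verification uses keys held in an HSM; this is the weak form."""
    return hashlib.sha256(pin.encode("ascii")).hexdigest()


def build_pin_table(digits: int = 4) -> dict:
    """Precompute hash -> PIN for every PIN of the given length.

    10**4 (or 10**6 for six digits) entries fit in memory, which is the
    property that makes a leaked database of unkeyed PIN hashes useless as
    protection: each stored value is a direct lookup.
    """
    table = {}
    for n in range(10 ** digits):
        pin = f"{n:0{digits}d}"  # zero-padded, e.g. "0042"
        table[unkeyed_pin_hash(pin)] = pin
    return table


def recover_pin(table: dict, stolen_hash: str):
    """Lookup against the precomputed table; None if the value is not found."""
    return table.get(stolen_hash)


def keyed_pin_hash(pin: str, key: bytes) -> str:
    """Keyed alternative: HMAC-SHA256 under a secret key.

    Without the key, nobody can precompute the table, so a breach of the
    stored values alone does not reveal the PINs.
    """
    return hmac.new(key, pin.encode("ascii"), hashlib.sha256).hexdigest()


def verify_pin(entered: str, key: bytes, stored: str) -> bool:
    """Constant-time comparison of the keyed hash of the entered PIN."""
    return hmac.compare_digest(keyed_pin_hash(entered, key), stored)


if __name__ == "__main__":
    table = build_pin_table(4)
    print("unkeyed hash of 0420 recovered as:", recover_pin(table, unkeyed_pin_hash("0420")))
    key = bytes(range(32))  # constructed key; in practice lives in an HSM
    print("keyed value found in table:", recover_pin(table, keyed_pin_hash("0420", key)))
```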

Royal Bank of Scotland

Even if criminals can reproduce the encrypted hash value, they cannot withdraw more than a certain amount during a single transaction or within a certain period -- unless someone inside the bank's network adjusts those values. That happened on November 8, 2008, when a gang of criminals robbed the US payment processing arm of The Royal Bank of Scotland group, RBS Worldpay, from both the inside and the outside. Within a 12-hour window they withdrew an estimated $9.4 million from ATMs in 230 cities across the globe. Meanwhile, someone else on the inside increased the daily withdrawal limits on individual accounts -- in one instance to half a million dollars.

An Estonian suspect was extradited to the US in August 2010. Another suspect, 28-year-old Victor Pleshchuk, received four years' probation from a Russian court the following month. A third, unnamed suspect remains at large.

Protect Yourself at an ATM

Since the 2008 attacks, banks and credit card networks have improved their back-end security systems considerably. ATM manufacturers now offer better data protection through updated technology. For instance, privacy filters cause ATM screens to blur when viewed at an angle, to prevent over-the-shoulder eavesdropping. Some ATMs sink the keyboard to prevent spy cameras from seeing your PIN, and jiggle inserted cards to prevent skimmers from reading them.

Even so, when standing at an ATM, if you have any reason to suspect that the machine may be compromised, don't use the machine. You may want to run your finger along the card slot to see whether anything comes loose or feels mismatched. If so, report it to the bank and find another ATM to handle your transaction.

Safety at the Point of Sale

Compromises at point-of-sale terminals are much harder to detect, especially at gas pumps. Your safest course is to use a credit card instead of a debit card when paying for gasoline, since the card networks will detect and stop fraud quickly. Credit card consumers are often covered by zero-liability programs; but with debit cards, that may not be the case, depending on your bank.

Skimming is just the latest scam. As word gets out -- and as the payment and ATM industry gets wiser -- the criminals will move on. Until then, it's caveat emptor: Let the buyer -- or card user -- beware.


Stories by Robert Vamosi
