BreachExchange mailing list archives

Old Fraud, New Techniques - Skimming has never gone away


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 12 Oct 2015 17:50:34 -0600

http://www.finextra.com/blogs/fullblog.aspx?blogid=11695

Earlier this year, the European ATM Security Team (EAST) reported on a
criminal gang that had been apprehended, who were known to use "Ghost
Terminals": a standard point-of-sale (POS) terminal that had been modified
to harvest card data (link to the article is here).

In this particular incident these terminals were utilised in taxis,
where the cardholder would pay for the fare by card, and during the
transaction the ghost terminal would copy the magnetic stripe and store the
PIN entered by the cardholder.

This will undoubtedly cause a problem for issuers, as once fraud is
detected on a card the first course of action is to determine where the
point of compromise is. However, with these ghost terminals the transaction
never goes online and is in effect a non-existent transaction. The
terminal is in essence a shell only, which acts and behaves like a terminal
but never performs a transaction. And as the terminal is not connected to
the acquirer, the acquirer will not receive any error messages that might
indicate that the terminal is not performing correctly. Such devices could
be utilised in many ways: in taxis, at outdoor events, pop-up shops, etc.

The fraudsters are essentially giving away stock or services for free in
the knowledge that they can reap better rewards through utilising the
stolen card information fraudulently. The cardholder has no idea it is not
a legitimate transaction; as far as they are concerned, they have made a
transaction and either got a receipt, or a message on the terminal screen
of a connection error and paid by cash.

Ultimately, this is a very sophisticated variation of a skimming attack,
and it goes to show that there is still opportunity for fraudsters to
carry it out. For example, over the last few years, consumers have
become very aware of the anti-skimming kits applied by banks to their
ATMs. These anti-fraud devices are very prominent, and designed to make
consumers and fraudsters aware that the ATM they are applied to is protected.
However, with the advent of 3D printing, there have been reports of 3D
prints resembling those anti-skimming devices being submitted to
3D printing companies for manufacture. In those cases, the manufacturer was
alert enough to refuse the print due to its possible use in criminal
activity, i.e. to house a skimming device.

Now that 3D printers are on the marketplace, with some high-end printers
able to print at high resolution, the opportunity to block the print through
a manufacturer is reducing. The opportunity for fraudsters to exploit this
improving technology has to be seen as a risk.

Elsewhere, with the level of technological advancement reducing the size
of components, skimming devices are reducing in size. There is no longer a
need for fraudsters to fabricate an entire false front for an ATM, when
technology allows the fraudster to build a skimming device with wireless
capability to send the data elsewhere. Also, with the growing use of
Unattended Payment Terminals (UPT) there is further opportunity to target
devices that are invariably in areas that are not monitored closely, e.g.
unattended petrol stations or car washes in locations such as
industrial estates. Such sites, if not fully monitored, are extremely
attractive to fraudsters.

So, ultimately, while card skimming seems to be an old technique, it is
still very much part of a fraudster's arsenal. And as components reduce in
size, and the technology to transmit and store data improves, it will still
very much be a problem for issuers to contend with.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 