Schneier on Security
A blog covering security and security technology.
« Data Mining for Terrorists |
| More on the ATM-Card Class Break »
March 9, 2006
Danish ATM-Card Skimming
Criminals are breaking into stores and pretending to ransack them, as a cover for installing ATM skimming hardware, complete with a transmitter.
Note the last paragraph of the story -- it's in Danish, sorry -- where the company admits that this is the fourth attempt they know of criminals installing reader equipment inside ATM terminals for the purpose of skimming numbers and PINs.
Posted on March 9, 2006 at 1:40 PM
• 17 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
They don't even need PINs anymore, now that they can just break into the retailer's point of sale systems and download hundreds or thousands of them all at once.
This has been a problem in The Netherlands a couple of years ago. Putting new plastic slots on it, basically killed of the skimming. Heck, it was a CSI show. So a bank claiming it is only the fourth one, is not too smart.
Considering the huge investment in data mining operations coming from Eastern Europe, I'd suspect much of the compromised accounts are from r00ted joes and janes who bill-pay and bank online.
The last paragraph says: "IT/Communications consultant Søren Winge from PBS tells us his company currently knows of four examples where criminals have attempted to install card reading hardware in ATMs to try to gain customer's card details."
All these attacks on credit cards are because the current security standards are year out of date. Only a move to full smart card support will reduce the risk of fraud via technical hacks leaving the old faithfull social engineering
I recall this is not the first such story in Denmark. Only that previously there were no transmitter. Instead the criminals would break in again later to steal the terminals to get the data.
I have no reference for this though (and anyway it would be in danish).
Not in the news: The banks in Denmark issue chipcards as of more than a year ago, they still have the magnetic code also for backwards compatibility, and the new terminals also have magnetic code readers as well.
The mentioned attack attacks the magnetic code so this may push for faster enrolment of chip readers.
Criminals here (in Greece) have a simpler way of doing bussiness:
They install tiny cameras above or near the ATMs. The vast majority of the people don't cover the keypad when entering the PIN, so the criminals get to record it. The account balance is also recorded if requested.
The victim is robbed shortly after the ATM transaction, usually by a couple of men riding a motorcycle. With the ATM card in hand, the crinimals go right away to an ATM, make the largest withdrawal they can (for most banks its €900 to €1200) and dispose the card immediately after that.
moz: The "install fake keypads and readers on top of the ATMs" happened in Denmark too a while ago.
In Hungary some fraudsters put a sticker onto the ATM with a nearby payphone number as the contact phone number for the bank, and made the ATM (half)swalow the card.
When the card didn't come back the victim called the number they believed to be the bank's and to identify themself they were asked the PIN.
Then they were told not to worry and that they can have the card back the next day in their bank.
After the victim had gone the fraudsters retrieved the card and used the PIN to withdraw as much money as they could.
I know you don't like video surveillance systems, but in this situation, a video surveillance system could catch the ATM-skimming-installation activity of the criminals.
The criminals could theoretically disable the surveillance system, but that's another addition to their breakin plan, and not necessarily an easy thing to do, and may provide a deterrent, influencing them to strike elsewhere.
Remember money is a fictional abstract concept used as a base of exchange for goods and services.
The more fictional and abstract the money becomes, the less meaningful theft becomes.
I don't this would be worth doing in the UK as we now have C&P universally. Correct me if I am wrong.
I don't think this would be worth doing in the UK as we now have C&P universally. Correct me if I am wrong.
Dyslexia rules, KO.
Soon physical credit cards will be something of the past, have a look at www.unetan.com
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.