Bruce Schneier
Schneier on Security

A blog covering security and security technology.

March 9, 2006

Danish ATM-Card Skimming

Criminals are breaking into stores and pretending to ransack them, as a cover for installing ATM skimming hardware, complete with a transmitter. Note the last paragraph of the story -- it's in Danish, sorry -- where the company admits that this is the fourth attempt they know of by criminals to install reader equipment inside ATM terminals for the purpose of skimming numbers and PINs.

Posted on March 9, 2006 at 1:40 PM • 17 Comments

http://www.msnbc.msn.com/id/11731365/

They don't even need PINs anymore, now that they can just break into the retailer's point of sale systems and download hundreds or thousands of them all at once.
Posted by: Homeland Stupidity at March 9, 2006 1:53 PM

It's hardly sensible compared to what has been done to ATMs in Poland http://www.policja.katowice.pl/bankomaty.htm Why risk a break in??!!?? Adrenalin rush?
Posted by: moz at March 9, 2006 2:12 PM

This has been a problem in The Netherlands a couple of years ago. Putting new plastic slots on it, basically killed off the skimming. Heck, it was a CSI show. So a bank claiming it is only the fourth one, is not too smart.
Posted by: Raindeer at March 9, 2006 2:45 PM

Considering the huge investment in data mining operations coming from Eastern Europe, I'd suspect much of the compromised accounts are from r00ted joes and janes who bill-pay and bank online.
Posted by: 1915bond at March 9, 2006 2:52 PM

I should have included this link: Just one way (and quite ingenious) of lifting data from everyman.
Posted by: 1915bond at March 9, 2006 3:15 PM

The last paragraph says: "IT/Communications consultant Søren Winge from PBS tells us his company currently knows of four examples where criminals have attempted to install card reading hardware in ATMs to try to gain customers' card details."
Posted by: Kirit at March 9, 2006 10:12 PM

All these attacks on credit cards are because the current security standards are years out of date. Only a move to full smart card support will reduce the risk of fraud via technical hacks leaving the old faithful social engineering.
Posted by: drac at March 9, 2006 10:54 PM

I recall this is not the first such story in Denmark. Only that previously there was no transmitter. Instead the criminals would break in again later to steal the terminals to get the data. I have no reference for this though (and anyway it would be in Danish).
Posted by: Erik N at March 10, 2006 2:59 AM

Not in the news: The banks in Denmark issue chipcards as of more than a year ago, they still have the magnetic code also for backwards compatibility, and the new terminals also have magnetic code readers as well. The mentioned attack attacks the magnetic code so this may push for faster enrolment of chip readers.
Posted by: Erik N at March 10, 2006 3:05 AM

Criminals here (in Greece) have a simpler way of doing business: They install tiny cameras above or near the ATMs. The vast majority of the people don't cover the keypad when entering the PIN, so the criminals get to record it. The account balance is also recorded if requested. The victim is robbed shortly after the ATM transaction, usually by a couple of men riding a motorcycle. With the ATM card in hand, the criminals go right away to an ATM, make the largest withdrawal they can (for most banks it's €900 to €1200) and dispose of the card immediately after that.
Posted by: Dimitris Andrakakis at March 10, 2006 3:52 AM

moz: The "install fake keypads and readers on top of the ATMs" happened in Denmark too a while ago.
Posted by: Beaufour at March 10, 2006 5:43 AM

In Hungary some fraudsters put a sticker onto the ATM with a nearby payphone number as the contact phone number for the bank, and made the ATM (half) swallow the card.
Posted by: Akos at March 10, 2006 5:44 AM

I know you don't like video surveillance systems, but in this situation, a video surveillance system could catch the ATM-skimming-installation activity of the criminals. The criminals could theoretically disable the surveillance system, but that's another addition to their break-in plan, and not necessarily an easy thing to do, and may provide a deterrent, influencing them to strike elsewhere.
Posted by: Caught on tape! at March 10, 2006 2:08 PM

Remember money is a fictional abstract concept used as a base of exchange for goods and services. The more fictional and abstract the money becomes, the less meaningful theft becomes. nantucket
Posted by: nantucket at March 14, 2006 4:49 PM

I don't this would be worth doing in the UK as we now have C&P universally. Correct me if I am wrong.
Posted by: Peter the Painter at March 16, 2006 2:56 AM

SORRY Dyslexia rules, KO.
Posted by: Peter the Painter at March 16, 2006 2:57 AM

Soon physical credit cards will be something of the past, have a look at www.unetan.com
Posted by: KobusP at June 6, 2006 7:09 AM