Detecting Credit Card Skimmers

Interesting research paper: "Fear the Reaper: Characterization and Fast Detection of Card Skimmers":

Abstract: Payment card fraud results in billions of dollars in losses annually. Adversaries increasingly acquire card data using skimmers, which are attached to legitimate payment devices including point of sale terminals, gas pumps, and ATMs. Detecting such devices can be difficult, and while many experts offer advice in doing so, there exists no large-scale characterization of skimmer technology to support such defenses. In this paper, we perform the first such study based on skimmers recovered by the NYPD's Financial Crimes Task Force over a 16 month period. After systematizing these devices, we develop the Skim Reaper, a detector which takes advantage of the physical properties and constraints necessary for many skimmers to steal card data. Our analysis shows the Skim Reaper effectively detects 100% of devices supplied by the NYPD. In so doing, we provide the first robust and portable mechanism for detecting card skimmers.

Boing Boing post.

Posted on October 5, 2018 at 6:44 AM • 19 Comments

Comments

Clive Robinson October 5, 2018 9:22 AM

When I read the paper a while ago I found it interesting.

However, whilst it was 100% effective, the opponent is dynamic, intelligent and frequently well funded. Which makes me think they will not just try but find methods to subvert it. Because that is the nature of high stakes cat and mouse games.

That's not because I think the work was inadequate, I don't; it's just that smart, well-resourced people can be quite ingenious, and there are a lot more attackers than there are defenders.

Cash machines like most locks are actually "mechanical devices" at heart, and it's a weak heart at best.

I've explained before that for reliability in all climes and to stop "bind" the designers add in "slop" into designs. Unfortunately that leaves "wriggle room" for others to play in, and they have and will where possible continue to do so.

crenshaw October 5, 2018 10:39 AM

>>> "Detecting such devices can be difficult"

Why is it so difficult to detect these devices or defend against them ??

One would think that the engineers who design ATMs & point-of-sale devices are at least as smart as the crooks who routinely penetrate them. Yet all sorts of amateur crooks have good success defeating whatever protections the design-engineers may have built into their products.

Must not be much financial incentive for design-engineers & their companies to really harden their products against criminal activity ??

CallMeLateForSupper October 5, 2018 10:48 AM

Several months ago, my financial institution replaced all its ATMs with a type I had never seen. The width of the card slot matches the LONGER side of a card; you insert the card top-edge-first, and the card gets pulled, by motor, entirely inside the ATM. Thus the mag. strip is sideways as it enters the ATM.

I'd love to see the guts of this type of ATM.

Alexander October 5, 2018 10:59 AM

Well this is about skimmers you place outside of the ATM.
The bad guys are actually selling a lot of inside skimmers you attach in the card reader slot.
No chance to detect them.
And look at the ATM vendors.
Some of them, no, a lot of them, are running Windows XP Embedded on their machines.

CallMeLateForSupper October 5, 2018 11:16 AM

@Alexander
"Well this is about Skimmers you place outside of the ATM."

No. See Page 4, "Deep-Inserts"
Did you read the paper?

M Welinder October 5, 2018 12:08 PM

> Why is it so difficult to detect these devices or defend
> against them ??

Because the ATM designer/bank ("player A") has the first move in this game.

ATM skimmers ("player B1", "player B2", ...) can study that move (i.e., the ATMs) before they make their own move.

When one of the B players moves, there is an active vulnerability. That will remain in place until player A can design and deploy a countermeasure.

Alexander October 5, 2018 1:23 PM

@CallMeLateForSupper

Yes I did.
And the info is old and not actual.
I don't know if you are into Threat Intel and know what is sold at the moment on Dark and Deepweb Markets.
But the technique described in the paper is not actual any more.
The information is very scanty.
Cybercriminals are not in need to access the ATM to get the data.

They are working with devices from the medicine sector like an endoscope to place a skimmer.

Shimmers for example are only used by 2 Entities.
By Entity I mean Threat Groups.
And we are not speaking about Eastern European groups.

echo October 5, 2018 1:58 PM

Is it possible in theory to build a keyfob sized device to scan optically or laser or sonic and pattern match against a database to detect surface distortions indicating an overlay device is in place? Might this kind of system also be made to work with internally mounted skimmers?

ATMs do seem to need more physical tamper resistance too.

Assuming this works I wonder if this kind of countermeasure could be built in to the ATM. Image processing and tamper resistance might also benefit from this AI deep learning thingy.

Really all this boils down to is discovering if anything has changed in this abstract box surrounding the ATM.

Felix October 5, 2018 3:01 PM

"In so doing, we provide the first robust and portable mechanism for detecting card skimmers"

Well done, but can you make it into an app for iPhone?

Tony October 5, 2018 6:06 PM

Can't we just move to the next step of debit/credit cards and make cards with just a chip? No mag stripe == nothing to skim.

Paul October 5, 2018 6:29 PM

I can't help wondering if ATMs are not going to go the way of public phoneboxes?

I no longer carry a wallet and increasingly rarely use cash. I carry, in the cover of my phone, a debit card and travel card for public transport which I can top up using an app on my NFC equipped phone. I am not keen on leaving a monetisable digital trail everywhere and would pay a bit more for digital cash.

Thoth October 5, 2018 8:48 PM

@Clive Robinson

The card skimmer protection scheme is assuming that the card skimmer is going to read the card magstripe. If I know that the detector is going to detect multiple heads reading the card magstripe, as an attacker I could simply give a simple command and disable the magstripe interception.

This skimmer detection is completely unreliable and I have no time to comment on it until it makes it to the front page of this blog forum.

Without magstripe interception, I could still hide spycams and fake PINpad overlays and still use the chip card interception method and still go undetected for a long while.

Also, more ATMs and remote financial machines are allowing the use of NFC and QR codes to withdraw cash and do transactions and these are additional vulnerable avenues that I can target.

Also, more banks are allowing credit card emulation over NFC and QR codes via smartphones and smart IoT devices like smartwatches and these are additional vectors of attacks by abandoning the somewhat more secure and less convenient form factor of a Properly Implemented card vs. a completely insecure and possibly backdoored ARM TrustZone powered mobile banking over smartdevices.

How robust is this paper describing protection .... I would rate it 40/100 marks.

Regarding financial transactions, it will only get worse as more smart devices replace traditional banking methods via cards.

Security Sam October 7, 2018 11:44 AM

Detecting the wily credit card skimmer
Using a very robust detector skim reaper
Ensures your account is not getting thinner
And keeps your pockets from getting deeper.

lazyjack October 8, 2018 9:08 AM

How about getting rid of the magnetic stripe? We should have smart cards everywhere. While they have their own problems, skimming is not one.
I don't think magstripe was used on my card in the last 5 years at least. Even physical card access is history with NFC. But then, I'm in Europe, where these new technologies are pretty widespread.

Olive October 8, 2018 6:30 PM

(...)[Clive]However whilst it was 100% effective, the opponent is dynamic intelligent and frequently well funded(...)

Irony at its best. Banks are the well funded ones, not the attackers.

Clive Robinson October 8, 2018 7:45 PM

@ Olive,

Hmmm, another new handle.

> Irony at it's best. Banks are the well funded ones, Not the attackers.

But quite factual, the attackers are well funded and are not worried about investing money where they see an advantage in doing so. Which is why they are still happily taking money out of people's accounts, with apparently little impediment.

The banks however are positively miserly when it comes to spending on security. I can not remember a time when they have ever spent sufficiently to solve a security problem.

As our host @Bruce has mentioned in the past, the banks' main MO is "to externalise risk", to avoid expenditure, choosing wherever they can to blame others for their own significant failings...

Stuart Ward October 9, 2018 4:12 AM

Well this is only needed in countries with antiquated payment systems, like the USA. The rest of the world has moved to Chip & PIN and contactless technology. My bank requires that I specifically enable mag strip transactions in the case I am travelling to one of these backward countries.

Olive Oil October 9, 2018 5:05 PM

@ Stuart Ward

Adding NFC on payment cards intertwined with EMV stacks has proven to be just a bad idea. You can get the mag strip data over NFC. Even if you signal your bank you don't want mag strip transactions one can still get your mag strip data. Your assumptions of mag strip not being of any use may fall apart when you start studying offline transactions, transactions on legacy systems and so to speak protocol deviations that at the end of the day may give you some headaches. Not to mention new relay attacks that NFC enables. Imagine you at Starbucks having a nice cup of coffee at the same time I make a 20$ purchase on a completely different NFC payment enabled store. NFC just makes attackers' life easier.

Little Lamb October 9, 2018 8:02 PM

@Olive Oil

> at the end of the day may give you some headaches ... a nice cup of coffee ... a 20$ purchase

Change for $20 from a barista? I didn't think so, either. A hangover from yesterday's coffee that a fresh hot cup of coffee this morning is just the cure for?

How many "shots" was that? A flavor to it or is it some kind of extract or distilled liqueur?

Generally on the road, too. Drive off the property and at least turn the corner out of sight at the next stoplight before you get arrested for a DUI. Pull over and take a nap somewhere far enough away to avoid suspicion. Another cup of coffee will wake you up and get you a little further down the road.
