SKIMMING Talking Points – JULY 2014

Skimming

  • The copying of electronically transmitted full track data on the magnetic strip of a credit card, to enable valid electronic payment authorization to occur between a merchant and the issuing financial institution.
  • The stolen data/information is re-encoded on “white plastic” or counterfeit cards to make unauthorized withdrawals

Skimming is popular for the following reasons:

  • The equipment is available over the Internet.
  • The software and hardware are very user friendly and extremely mobile
  • The skimmed information can be transmitted via e-mail anywhere in the world within hours after it is skimmed
  • Cardholders are not aware that they have been victimized until they receive statements showing the fraudulent charges

Common Skimming Locations

  • Restaurants
  • Hotels
  • Gas Stations (affixed to pumps)
  • ATMs (affixed to machine)

Why are these locations so popular?

  • Heavy customer volume
  • Credit card is common payment method
  • Multiple employees (difficult to identify suspect)
  • Employee turnover (co-conspirators easy to recruit)
  • Covertly placed (gas pumps and ATMs)

Evolving Trends

  • Crimes are getting more complex with larger fraud losses
  • Increasing use of new technologies
  • Multiple suspects involved in higher percentage of investigations
  • Organized crime and international links such as in Eastern Europe (i.e. Ukraine, Romania, Bulgaria, etc.)

Wireless Skimming

  • The advent of wireless technology has led to passive wireless skimming, where perpetrators plant skimming devices that broadcast account information wirelessly in gas pumps, ATMs, and point of sale terminals.
  • These devices minimize physical interaction with the skimming device, increasing the odds that the skimmer will operate undetected.
  • Even if a wireless skimmer is found, it can be difficult to identify its owners.

What Can Financial Institutions Do?

  • Member education - instruct members to cover their PIN, and be cognizant of their interaction with the ATM.
  • Photograph the ATM for comparison.
  • Conduct random inspections of the ATM.
  • Recognize periods of down time for the ATM may have been an attempt to install a skimmer.
  • Retrieve photos from surveillance cameras for law enforcement.

ATM/Credit Card Skimming – Q & A

How pervasive is credit card skimming?

There is no concrete way to know how many incidents of skimming take place on a given day. However, the crime is widespread and continues to grow. This type of crime is primarily driven by easy access to the type of devices used to commit the crime and the proliferation of self-serve Point of Sale (POS) terminals and the growing use of the internet to purchase items online. In April of 2013, Vladislav Horhorin “BadB” was sentenced in Washington DC for operating an online forum that sold stolen credit card track data using shopping cart technology. The suspect’s computer contained approximately 4.5 million bank card numbers. And in July 2014, the U.S. Secret Service arrested Roman Seleznev, one of the world’s most prolific traffickers of stolen financial information. Seleznev was indicted in the Western District of Washington in March 2011 for hacking into point of sale systems at retailers throughout the United States between October 2009 and February 2011.

Is it usually debit or credit cards? Do you have a break down? How much money is taken? Break down between ATM, gas pumps, restaurants, etc?

These questions could be better answered by the credit card industry. Also, the Secret Service will not draw any correlation between the economic downturn and any fluctuations in the amount of skimming we see.

However, Secret Service investigations revealed that credit card and debit card account data are a prime target for cyber criminals. In 2013,payment card data, personally remains at the top of the list when it comes to data theft, as reported by Trustwave, a private industry partner.

Who are the criminals?

There is no profile. The types of criminals we investigate range from individual suspects to large organized groups, from local criminals to international organized crime syndicates. The large organized crime groups, like those found in Eastern Europe, tend to get the most attention because of the large dollar losses associated with the fraud.

How long has this kind of theft been going on?

As long as there have been credit cards, criminals have been finding ways to defraud credit card companies and their customers by compromising the information contained on the cards or in their magnetic strips. Evolving technology have afforded criminals new avenues with which to steal the information. Not only have advancements in technology made it easier to capture credit card and debit card data, but the proliferation of ATMs, pay at the pump gas terminals, and other self-serve POS terminals has increased the opportunity for thieves to compromise these devices.

What are the latest trends these crooks are using?

Like most crimes, skimming has evolved as criminals have tried to stay one step ahead of law enforcement. When this crime first began to emerge as a major issue, the typical skimmer tended to be a collusive merchant. A clerk in a convenience store or a waiter in a restaurant with a hand held Mag Strip Reader (MSR) who would swipe your credit card when you weren’t looking and capture your credit card information. They would then take that information and use it to re-encode cards with captured information or sell the number on-line. But now, with the proliferation of self-serve POS terminals like gas pumps and ATMs, criminals no longer have to be present to commit the crime. Because of advances in skimming technology, MSRs have become smaller and much more sophisticated. Criminals are now able to attach them to a variety of POS terminals, leave them in place for an indeterminate amount of time, and either return to collect the information, or download it wirelessly without ever having to touch the device again. They also attach miniature pinhole cameras near ATMs to capture pin numbers. Criminals are using blue-tooth technology to transmit and obtain card data from point-of-sale terminals or other skimming devices.

Are there places where it is more likely to happen?

Skimming is a crime of opportunity. Self-service gas pumps at stations that don’t get constant traffic are vulnerable because they are easy to access and readily available. However, any POS terminal can be compromised if a criminal has access to it. Criminals tend to target gas pumps and ATMs because not only can they capture your card number, there is a possibility they will obtain your pin number as well.

Is there any way a consumer can tell if a machine has been compromised?

With current technologies, skimming devices and cameras may be difficult to identify. Consumers should stay away from ATMs that appear to have been altered. If anything on the front of the machine looks crooked, loose or damaged, it could be a sign that someone has attached a skimming device or a camera. It’s also a good idea to tug on the card entry slot and keypad and to run a finger over the card entry slot to see if they are loose or if there are any protrusions that seem out of place. Finding either could be an indication of a skimmer or card reader that’s been placed in/on top of the authentic device. It is always safer to use a known ATM in a secure location.

What kind of tips can you offer consumers to protect themselves for this kind of thing?

  • Try to keep your card in sight.
  • Never let anyone leave your presence with the card, if you can help it.
  • Keep your ATM card in your possession at all times.
  • Never give your PIN to anyone.
  • As you key in your PIN, cover the keypad with your other hand to block anyone, or a camera, from viewing the numbers you type.

Will the implementation of Chip and Pin technology reduce fraud with regard to payment cards?

Chip and Pin, also known as EMV technology, is certainly a security improvement over the magnetic stripe cards that we still see here in the United States; however, the implementation of this security feature, which requires a Personal Identification Number (PIN) for payment card purchases, would not prevent data breaches of payment card information from retailers, including the recent breaches of payment card data from major U.S. retailers. In fact, criminals could still use the card data to conduct “card not present” transactions, which includes online transactions.