Tuesday, May 4, 2010

Guest Post - Nick Volpe - Skimming, we're not talking about milk, we're talking about ATM $$ theft

Nick Volpe is at student at Immaculata University.  He is also a cybersecurity research analyst intern for Fortalice®, LLC.

Here is his guest post regarding ATM Skimming






Research Outline  

Topic: ATM Skimming
Date: 2/23/10 

TEASER/TITLE: ATM Skimming is among the top forms of fraud 

SUMMARY PARAGRAPH: There are more than 360,000 ATMs in America. Some belong to banks and others belong to malls, stores, hotels, and airports. Despite the fact that most ATM skimming crimes happen at an ATM machine, the crime can also be committed at restaurants and retail establishments where ATM/debit or credit cards can be used. There are skimming devices that can read cards in retail points-of-sale or with a manual swipe by any person that comes in contact with your card.  

KEY FINDINGS


  • 2 types of ATM skimming
    • Devices that interact with ATM machine
      • Causes ATM to malfunction and not dispense cash
    • Devices that do not interact with ATM machine
      • Allows ATM to function normally
  • Using skimmed ATM card information, scammers can create fake duplicates and use them in ATM machines to withdraw money very quickly and easily
  • Many times ATM skimming scammers will using a card-skimming device in conjunction with a hidden camera to record the users PIN number when it is typed on the ATM keypad

BACKGROUND
 Crimes at ATMs started around 20 years ago when a person would be injured and their money stolen after using the ATM. As the crime got more sophisticated, it would be a person looking over another person’s shoulder to get their ATM card number and PIN. ATM Skimming has been a problem since the 90s. It has recently became a much more massive problem because of smaller and more mobile computing devices that allow the criminals to store lots of data they need to steal and sell many ATM cards and PINs.


There are 2 common types of ATM skimming. The first type interferes with the operation of the ATM machine and the other type does not interfere with it. The second type is simply a device that records the card and PIN information from the magnetic strip of the card without being suspicious. The first type, however, interferes with the ATM by replacing it’s built in card reader thus not allowing the ATM user to get their money which is much more suspicious.  

STRATEGIC PLANNING ASSUMPTIONS:

  •  Jitter is a new technology being utilized in brand new motorized card readers in ATMs. The technology ultimately randomizes the speed and direction of the card insertion/ejection which confuses or nullifies skimming devices that may be in use.
  • Criminals will bypass card readers to collect ATM card and bank account information by hacking into payment processing databases or other databases that store the same information
   
ANALYSIS:
Recent cases of ATM skimming include an Australian fast-food chain’s point of sale system which compromised about AU$2.5 million in October 2009. In November 2009, some new high-tech skimmers were discovered with Bluetooth transmitters to steal the stolen information. A terminal in a 


New Zealand car park was compromised and potentially exposed about 100,000 people in a short time period. Some co-operation has existed between USA and Europe to prosecute suspects in an earlier compromise of major US processor, RBS WorldPay.


Although much of the crime of ATM skimming started and is occurring in the UK and parts of Europe and Asia, much of the crime is happening right here in the US where stand-alone ATM machines are very common in many venues around the country. There are many tactics that criminals use to skim necessary information to perform the crime including cameras, wireless pin pads, Bluetooth transmitters, laptops, mobile devices, external card readers, skimmers, etc. At the same time ATM manufacturers, banks, and authorities are using their own tactics to combat the criminal activity including swipe card readers versus manual card readers, surveillance cameras, PIN encryption, etc. 

IMPLICATIONS:

  •  Avoid ATMs in public locations such as malls, hotels, and airports. Stick with ATMs in bank lobbies and ATMs monitor with security surveillance.
  • ATM skimming will continue to be on the rise as the crime becomes more and more lucrative with bigger and bigger amounts of money being scammed.
  • ATM card readers will get more and more advanced with emerging technologies but criminals will use other methods to steal ATM card information such as hacking into databases of payment processors that contain that necessary information.
   
RECOMMENDATIONS:

  •  Safeguard your ATM pin at all times
  • Never let a stranger give you assistance at an ATM
  • Always check statements to beware of fraudulent activity on the account
  • Inspect the machine before use and if the machine has any visual defects or something seems odd, don’t use it
  • Beware of people around you that may be able to see your information
  • If your ATM card is not returned after your transaction, contact your financial institution immediately
  • Never use an ATM that exhibits a sticky substance such as glue which is sometimes used to trap cards

SOURCES:

  1. "ATM Camera." Snopes.com. 01 Feb 2010. Web. <http://www.snopes.com/fraud/atm/atmcamera.asp>.
  2. Bruce, Laura. "Skimming the cash out of your account." Bankrate.com. Bankrate, Web. <http://www.bankrate.com/finance/checking/skimming-the-cash-out-of-your-account-1.aspx>.
  3. "ATM Skimming is on the Rise." Complaints Board. Consumer Complaints Board, Web. <http://www.complaintsboard.com/news-stories/atm-skimming-is-on-the-rise.html>.
  4. Russell, Douglas. "2009 - Skimming Review." ATMSecurity.com. 19 Jan 2010. DFR Risk Management, Web. <http://www.atmsecurity.com/monthly-digest/atm-security-monthly-digest/2009-skimming-review.html>.
  5. "How to Protect Against ATM Skimming." eHow. Demand Media, Web. <http://www.ehow.com/how_5025049_protect-against-atm-skimming.html>.
APPENDIX 
Timeline of 2009’s biggest data breaches at major financial institutions (including major skimming crimes): http://www.bankinfosecurity.com/articles.php?art_id=1766&pg=1

1 comment:

  1. This is a good one. I really like it. Thank you so much for sharing such an informative and interesting post.

    ReplyDelete