Taking just 5 seconds to inspect any credit/debit card readers before you swipe could end up saving you from identity and credit card theft. I’ll show you what to look for before you swipe your next card. The con is called skimming. Skimming works by retrofitting a perfectly legitimate card reader (like an ATM) with a camouflaged counterfeit card reader. The counterfeit reader records all of your card’s information as it passes through. To give you an idea of what we are dealing with, here is a picture of an ATM with a skimmer overlaid on to the slot where you insert your card and a micro camera hidden behind a bogus white plastic piece above the PIN keypad. This ATM was reported to police on September 6, 2008. Image is Courtesy of Naples Police Department: Would you have known it was stealing card data? The purpose of this blog is to educate you on how to identify a skimmer. To that end I’ve compiled a portfolio of example photos made up of both basic and advanced skimmers. It is by no means all inclusive but should give you a heads up on what to look out for the next time you go to swipe your card. According to law enforcement, “Credit card skimming has been around for years and is a growing problem that seems to be getting worse.” Many of us take for granted that inserting your credit/debit card into an ATM or swiping it at the grocery store or gas station is a safe practice. And most of the time you’d be right. However, skimmers are increasingly being retrofitted to legitimate ATMs, gas pumps, grocery/department store checkout machines, restaurants, etc., etc., you name it criminals are trying to skim your credit card from it. Here’s a look at the insides of the micro camera that is capturing video of your keypad presses. Image is Courtesy of Naples Police Department:
This is how the skimming scam works:
- Thief buys his skimming gear online from one of a slew of sources for around $400. Keep in mind that these sources in most cases legitimate companies selling credit card readers to real merchants for point of sale devices. This brings up the first problem; the sale of this equipment is completely unregulated. Below are some screenshots of perfectly legitimate businesses selling card reader gear for legal purposes. But since there are no regulations, skimmers can also buy them. Example bundle includes both a card reader and a writer. This reader must be plugged into a USB port to work. Later I’ll show you fully self contained and even smaller readers.
- The first part the thief buys is a card skimmer that matches the device type he wants to attack. For example, the image shown here is a gas pump skimmer. It fits neatly INSIDE of the gas pump and connects to the circuitry of the real card reader. This one was found last year when a gas station skimming ring was uncovered in Arizona. A typical card skimmer has a magnetic strip reader and local flash memory to store all the card data. Newer advanced skimmers are now being fitted with 3G radios so they can transmit skimmed card data back real time over the cellular network. This eliminates the need for the thief to return later and collect his card skimmer with all of the data on it. This also reduces the chance that law enforcement can catch the thief by staking out a skimmed reader waiting for the thief’s return. Photo Courtesy of Arizona Department of Weights And Measures.
- The next part the thief buys is either a micro camera or a keypad overlay. This is so he can capture any data that the victim enters, for example a PIN. A micro camera can be placed somewhere nearby that has a good view of the keypad itself. It then records the video of each key press. Cameras can be camouflaged on the machine itself or mounted nearby, for example in the side of a brochure holder. Here is a photo of a micro camera embedded in a brochure holder. Notice the hole in the bottom side. The middle Image is the camera as it looks installed on the ATM. It looks down on the keypad to video you typing in your PIN. The bottom image is yet another hidden camera position to look out for. A keypad overlay accomplishes the same goal by resting over the top of the existing keypad. Overlays are extremely thin and look and feel just like the real thing. They also store each key press, along with a timestamp, on a local memory chip. When you press the fake keypad it simply depresses the real key below it making the machine still respond to input.
- Another common skimmer you should be aware of that works all by itself is a handheld micro skimmer. These are used for credit cards and not debit cards because credit cards don’t require a PIN. These self-contained skimmers are about the size of a pack of gum or smaller and can be used by anyone you hand your credit card to for payment. For example a waiter at a restaurant. This is why when you hand it over to someone you never want your credit card to leave your sight. The skimmer pictured is completely self-contained. It has a battery, 512K of memory which holds about 2500 swipes, and a magnetic reader.
- Now that the thief has your data they could either start using it online or, as happens more frequently, make a duplicate card using the stolen information. This is done using the last piece of gear called an MSR (magnetic stripe reader-writer). An MSR allows you to make your own cards. It writes the stolen data onto the magnetic strip of a new card.
- That’s it, pretty straightforward and deadly con. This image shows yet another fully skimmed ATM. Can you spot the skimmers?
- The bottom image shows a skimmed Red Box DVD rental. Watch out for this.
The bottom image is the reverse image of the keypad showing the micro electronics that record and store your key presses. This keypad just overlays flat over the top of the real keypad.
The bottom image is a look at a skimmer that is attached to a mobile device that can send off the collected data via txt messaging real time. This type of device is typically used in a card cleaner scam because it is so tiny and innocent looking. The thief will stick this skimmer horizontally somewhere around the real card reader with a label that says something like “Free Card Cleaner. Restore your cards magnet stripe here.” I think we’d be surprised at how many would do it.
The middle image shows a skimmer that fits conveniently in the palm of your hand.
The bottom image depicts some of the real world specs that are typical of the skimmers I’ve shown you so far. These little devices are self contained computers.
I’ve been giving security talks to Cisco users groups lately and thought it would be interesting to add a few slides on skimmers to my presentation. Before I presented I asked the audience how many have heard of skimmers. I was very surprised by the result. Only about 1/3 of the room said they had. This was surprising to me mostly because of the fact that my audience was comprised solely of technical professionals. Granted that few of them were security focused but still all of them were wise to the ways of technology and Identity theft. For example, if I would have asked who has heard of Phishing I’m sure everyone would have said yes. What is more disturbing perhaps is what the result would have been if I asked a group of “baby boomers” if they knew what a skimmer was? 5 Percent, maybe less, would say yes is my guess. This ad-hoc poll suggests to me that public awareness of the real threat posed by credit card skimming is almost non-existent and in need of help. Thus the reason I am writing this blog, to help get the word out. Now you, friendly reader, have been enlisted to help spread the word to your friends and family as well. There are several websites that have recommendations for defending yourself against card skimming and what to do if you become a victim. Here are two such sites Fightfraud.nv.gov Federal Trade Commission
So were you aware of this threat? Did you know it was becoming more common? Have you ever been skimmed before? What actions are you going to take during your next credit card swipe? Is anything safe these days. I guess if nothing else this makes brick and mortar shopping just as risky as Internet shopping wouldn’t you agree?
The opinions and information presented here are my personal views and not those of my employer.
More from Jamey Heary: iPhone raises Privacy concerns: it records screenshots every time you hit the home button Cisco enters the crowded AV and DLP client marketCisco's new ASA code allows you to securely take your Cisco IP Phone with you anywhereCisco targets Symantec, McAfee with its new antivirus client Google's Chrome raises security concerns and tastes like chicken feet a>Go to Cisco Subnet for more Cisco news, blogs, discussion forums, security alerts, book giveaways, and more.