Thwarting skimmers

Computer related security is something that's getting more & more media coverage everyday and rightfully so but the security mindset should not be limited to the computer on your desk, the smartphone in your pocket or the tablet on your night stand. Being security minded means more then your interaction on any of these devices while you access the web for information on an array of subjects from looking up the trailer for that upcoming movie to interacting with your bank to transfer money. It should also be something that is taught from an early age by schools and parents that have the know-how, which they are lacking at moment. Besides that having a certain level of paranoia is not a bad thing.

In this blogpost I'm going to touch on the security of doing something we have done for several decades, specifically withdrawing cash from the hole in the wall or rather a cashmachine (also ATM). Even though we use the method of paying cold hard cash less we still use cashmachines and this even relates to the in-store pay systems (point-of-sale). Where cybercriminals want to abuse your computer to access your online bankaccount and transfer your money via schemes like man-in-the-middle attacks, skimmers as the offline guys are called modify ATMs or other payment systems and use a more direct approach to get to your money.

The original term skimming goes back a long way but it breaks down to taking money from the top of a sum of money before reporting it to a (governmental) tax agency. The proper term is defalcation. And although the term skimming in regards to cashmachines has little to do with the original meaning it's still relevant and takes us back to my story. With skimming today we actually mean a bit more. Skimming basicly starts with the devices (skimmers) that are attached to a cashmachine to record or rather skim the bankcard's magnetic strip, record your input at the cashmachine specificity your pincode by either video or actually recording the keystrokes on the pin pad. All of this information is stored in the skimming device to be retrieved at a later time by the skimmers. With the information they can clone your bankcard and retrieve money from your account. Some of the more advanced skimming devices have a wireless module (like Bluetooth or mobile phone) incorporated into it so skimmers do not necessarily have to come back to the machine to get the data they want but rather retrieve it from a distance and avoid detection.

Most of the time you will be able to tell if a ATM has been fooled with but you will have to look for it. The more advanced stuff is near impossible to notice but there are some ways of preventing the skimmers from getting your pincode just by covering your pin input with your other hand while inputting the code. Sure they will be able to copy your bankcard but without the pin they can't get to the money. However the advanced skimming devices even cover the original pin pad making this little trick useless. However using ATMs in well-lit & public areas is a good start as skimmers tend to go for the remote areas that aren't used to frequently and where installation of skimmer device can go unnoticed for days. Favourites spots being petrol stations and the like. This way they can gather lots of card data and when they have enough they use (or sell) this data in one big swoop to limit the detection rate. If you do however discover an ATM has been tempered with report it to the bank and warn other people. In The Netherlands most banks have introduced region based security. Which prevents withdrawals from other countries then The Netherlands or Benelux countries (Belgium, Netherlands and Luxembourg). However you can allow certain regions via website of your bank. Some regions can even be allow for a period of time when you go on holiday. This has had a major impact in thwarting skimmers in The Netherlands which has seen a significant drop in skimming but also the use of the EMV chip instead of the magnetic strip has helped out a lot. However in The States & Canada they are still using the magnetic strip.

A new technology being used for skimming is 3D printing. This tech is opening new doors in ways we produce products. Just imagine you need a tool to fix something, instead of going to the DIY store you could just print it instead. Same goes for a lot of things like clothes, replacement parts, etc. There is even talk of space missions to Mars or the moon and using a 3D printer. On the surface of these celestial bodies we would utilise the raw minerals available to us to make equipment needed by printing them instead of shipping them for making equipment like a basecamp. This in turn saves on fuel and weight which is vital to space travel. But like any technology it can also be misused. Like producing exact copies of ATM components which makes it near impossible to detect foul play. And this is probably just the start.

I hope you have learn something by reading this blogpost and you will be more paranoid when you enter your pincode in the future at any ATM. I'd also like to thank Brian Krebs for supplying me with the photos and videos (Thanks Brian!), if you'd like to know more about skimming and see more picture, head over to his website.

Sources: