How to protect against ATM skimmers and skimming criminals

Cyber fraudsters use various methods to steal payment card data during a transaction. This article discusses the most typical ones, along with protective measures that help you avoid becoming a victim of this kind of fraud.


What is a payment card skimmer

In the field of security, a skimmer refers to any hardware device for stealing information stored on payment cards when a buyer makes a transaction at an ATM, at a gas station, or at a payment terminal. Recently, however, the meaning of this term has been expanded, and the skimmer has come to mean any malicious application or code aimed at stealing information about payment cards, including while shopping in online stores.

Regardless of the type of skimmer (hardware or software), the attackers pursue the same goal: to defraud the buyer by using the stolen information to clone physical payment cards or make fraudulent transactions on the Internet.

How do skimming devices work?

Physical skimmers are designed for specific models of ATMs, self-checkout counters and other payment terminals in such a way as to make detection difficult. Skimming devices come in various shapes and sizes and have several components.

Every skimmer has a card-reading component consisting of a small battery-powered chip. The skimmer is typically housed in a plastic or metal shell that imitates the real card reader of the target ATM or other device. This component lets the fraudster copy the information encoded on the card's magnetic stripe without blocking the actual transaction made by the user.

The second component of the skimmer is a small camera attached to the ATM, or a fake keypad placed on top of the real one for entering the PIN code. As you might guess, the purpose of this component is to steal the PIN code, which, together with the data stored on the magnetic stripe, is used to clone the card and carry out illegal transactions in countries where such crimes are widespread.

However, as many countries adopted chip cards, attackers adapted their technology and began to produce more complex skimmers. Some skimming devices are so thin that they fit inside the card reader slot. These devices are also called deep-insert skimmers or deep-penetration skimmers. Devices called “shimmers” are inserted into the card reader slot and are designed to read data from the chips on cards. It should be noted, however, that this technique works only where the EMV standard (Europay + MasterCard + VISA) is incorrectly implemented.

Skimmers can also be installed entirely inside ATMs, as a rule either by dishonest technicians or by drilling or cutting holes in the ATM's shell and covering those holes with stickers that look like part of the overall design. Visa’s report shows images of various types of physical skimmers found in ATMs around the world, as well as modified cash registers sold on the black market, which can also be used to steal information from the card.

How to protect yourself from payment card skimmers

Due to the wide variety of skimming devices, there is no universal way to avoid becoming a victim of intruders. The recommendations are as follows:

  • Avoid ATMs installed outside buildings or in places with poor lighting. To install skimmers, cybercriminals choose ATMs in out-of-the-way places that are outside banks or stores and are not covered by a large number of cameras. In addition, skimmers are usually installed on weekends, when there are fewer prying eyes around. Therefore, try to withdraw cash on weekends only if absolutely necessary.
  • Before inserting the card, wiggle or pull the card reader and the PIN keypad and make sure that these components do not come loose or move. As a rule, attackers use low-quality glue to attach the skimmer, since the device must be removed later. This video shows a cybersecurity professional detecting a skimmer attached to an ATM on a street in Vienna.
  • Pay attention to strange signs: holes, pieces of plastic or metal that look out of place, components whose color does not match the rest of the ATM and stickers that are glued unevenly. If the ATM has seals for service locks, check for damage in these places.
  • When typing your PIN code, cover the keypad with your hand so that the digits you enter cannot be recorded by a malicious camera. This method does not help against a fake keypad placed over the real one, but it generally reduces the likelihood of PIN theft.
  • If your card has a chip, always use the chip reader on terminals that support it, instead of swiping the magnetic stripe.
  • Monitor your statements for unauthorized transactions. If your card offers notifications via an application or SMS after each transaction, use these functions.
  • If functionality allows, set a cash withdrawal limit per transaction or per day.
  • Use a debit card linked to an account that holds a small amount of money, and top up this account as necessary, instead of using a card linked to the main account where all your money is kept.

Software skimmers

Software skimmers target the software components of payment systems and platforms, whether that is the operating system of a payment terminal or the payment page of an online store. Any application that processes unencrypted payment card information can be targeted by malware built for skimming.

Malicious applications targeting payment terminals were used to commit the largest thefts of credit card data, including the breaches of Target and Home Depot in 2013 and 2014. As a result, tens of millions of cards were compromised.

POS terminals have special peripheral devices, for example, for reading cards, but otherwise there are practically no differences from ordinary computers. In many cases, Windows-based terminals work in conjunction with a cash register application that records all transactions.

Hackers gain access to such systems using stolen accounts or by exploiting vulnerabilities, and then install malware that scans memory for patterns matching payment card information. Hence the name for this kind of malware: “RAM scraping”. Card information (with the exception of the PIN code) is usually not encrypted when it is transferred locally from the card reader to the application. Accordingly, it is not difficult to copy this data from memory.

Web skimmers

In recent years, payment terminal manufacturers have begun to implement end-to-end encryption (P2PE) to enhance the security of the connection between the card reader and the payment processor, as a result of which many attackers switched their attention to another weak link: the payment scheme in online stores and other sites related to electronic commerce.

The new attack scenarios related to web skimming use injections of malicious JavaScript code into the pages of online stores in order to intercept card information when a user makes a payment. As in the case of POS terminals, unprotected data is intercepted during a transaction before being sent to the payment processor via an encrypted channel or before encryption and addition to the site database.

Hundreds of thousands of sites have already been skimmed, including well-known brands: British Airways, Macy’s, NewEgg and Ticketmaster.

How to protect yourself from software skimmers

You, as a user, are unlikely to be able to do anything to prevent this kind of compromise, since you have no control over the application in the payment terminal or the code on the pages of the online store. Here, the responsibility for the safety of purchases rests entirely with sellers and with the developers of the technology used on e-commerce sites. However, you, as a buyer, can take additional measures to reduce the risk of card theft or to mitigate the consequences if a compromise occurs:

  • Monitor your account statements and enable notifications for each transaction, if functionality allows. The faster you find unauthorized transactions and replace your card, the better.
  • If possible, use out-of-band authorization during online transactions. The latest edition of the Payment Services Directive (PSD2) in Europe obliges banks to accompany online transactions with two-factor authentication via mobile applications, as well as other methods. The compliance deadline under the new rules has been extended, but many European banks have already implemented this security mechanism. It is likely that financial institutions in the United States and other countries will also implement external transaction authorization in the future or, at a minimum, will offer this feature as an additional option.
  • When shopping online, use virtual card numbers, if your bank provides them, or pay by mobile phone. Services like Google Pay and Apple Pay use tokenization. With this technology, the actual card number is replaced with a temporary number that is transmitted to the merchant. In this case, your card number will not leak.
  • Try to pay for purchases using alternative payment systems, such as PayPal, where you do not need to enter card information on the order page of the site where you are shopping. You can also shop on sites that redirect you to a third-party payment processor before you enter card information, instead of having the store itself process this data.
  • Because web skimming uses malicious JavaScript code, endpoint security programs that inspect web traffic inside the browser can technically detect such attacks. However, web malware is often obfuscated, and attackers are constantly making changes to their designs. Although an antivirus with the latest updates can help, it is not able to detect all attacks related to web skimming.
  • Although some large companies and brands fall victim to web skimming, small online merchants are statistically compromised more often, because they lack the funds for expensive server-side security solutions and code audits. From the buyer's point of view, the risk of compromise is lower when shopping in large stores.