Card Skimming: How Safe is your PIN?

In short, not very safe. After having my AutoBank Card cloned about five years ago, I know the stabbing numbing fear when one discovers amounts being surreptitiously drawn out of one’s account. In my case I suspect that the culprit was an ATM at Hillfox. I was suspicious of the machine but in a rush, I used it anyway. Last week it happened to friends but in a restaurant.

 So how safe is one’s money and what steps can one take to prevent the illegal cloning of one’s cards?

 Main picture: How does one know whether this ATM has been tampered with?

This is what I learnt from these two episodes. In my case, two things. Firstly, I was suspicious of the ATM machine for some reason but, due to being in a hurry, I used it anyway. BIG MISTAKE. Within 24 hours a cloned card was drawing money out of my account. The second learning point was that I did not have automatic SMSing activated on my current account but only on my credit card. To do that, I had to go to a branch of Standard Bank. I would have thought that standard practice would have been to automatically enable that functionality on all accounts. In fact I would go so far as to suggest to the Banks that the transaction notifications are sent both to one’s cellphone & to one’s email address. If this was applied across the board, one would readily be able to detect SIM swops.

In the case of my friends, they were enjoying a meal at a restaurant in Randpark Ridge. After inserting the card in the Card Reader in the presence of my friends, they were informed that the card machine was not working. The waiter then went to find another machine. How sneaky! How is anybody to know that the first machine was in fact a Card Skimming Machine?

This is the advice that an article in MyBroadband has to offer.

To avoid falling victim to card skimming, it helps to know the difference between a real point-of-sales device and a skimmer.

First Calgary Financial has simple advice: if you cannot insert your chip card with your thumb pointed at the device and have your thumb remain fully on your card, do not enter your PIN.

Whilst appreciating this advice, how is the average person to be aware that a card machine is not in fact a card skimmer? As normal card readers are prone to failure periodically, does one now have to call into question whether the card reader is a card skimmer?

What about ATM machines? How safe are they?

According to MyBroadband, ATMs are being attacked through the use of external skimming devices, which are plugged into ATM network cables. NCR has issued a warning about network cable card skimming attacks on ATMs, where customers’ card data is stolen.

Card skimming at ATMs

In a security update, NCR said it has received reports that NCR and Diebold ATMs are being attacked through the use of external skimming devices.

“These devices are plugged into the ATM network cables and intercept customer card data. Additional devices are attached to the ATM to capture the PIN,” said NCR.

NCR said that in one attack, a keyboard overlay was used to attack an ATM, while a concealed camera was used at a Diebold ATM.

“PIN data is then likely transmitted wirelessly to the skimming device.”

NCR said these attacks represent a trend where criminals are finding new methods to skim magnetic stripe cards.

“These alternative methods avoid placing the skimmer on the ATM bezel, which is where most anti-skimming technology is located.”

 

 ATM Card Skimmer

Thin ATM card skimmer

The device is powered by a lithium coin battery, and is shown below.

These devices are typically used in conjunction with a small camera to capture a user’s PIN, which gives criminals the ability to clone a card and withdraw cash at will.

Thin card skimmer (source: Krebs on Security).

Stealing your PIN using thermal technology

Armed with a smartphone and a thermal imaging attachment, criminals can easily steal your PIN.

Because you leave behind a thermal signature when you press buttons, criminals can use a smartphone with a FLIR ONE thermal imaging attachment to figure out your PIN.

Because there is a time lapse between the time you press the first and last buttons, it is easy to figure out what your PIN is.

The image below shows an example of how easy it is to see what a person’s PIN is using this technology.

ATM keypad thermal image

Luckily there is a way to stop criminals from stealing your PIN using this method – just lightly touch some other keys on the keypad.

The following video shows how the technology works, and how to avoid falling victim to this PIN theft attack.

Handheld card skimming devices

Handheld card skimming devices are widely used by criminals to steal bank card information from victims at ATMs.

Criminals typically use social engineering – like telling a victim they are from a bank – to convince victims to swipe their cards through a skimming device.

An accomplice who is loitering around the ATM then “shoulder surfs” to steal the victim’s PIN.

The stolen card information is used to manufacture a counterfeit card, which, when matched with the PIN, is used to make fraudulent transactions.

The images below show some examples of handheld skimming devices which you should watch out for.

Handheld card skimming devices

 

ATM-mounted card skimming devices

ATM-mounted card skimming devices work similarly to handheld card skimming devices, but are fitted on an ATM.

These devices are difficult to recognise as they are manufactured to match the look of the ATM they are installed on.

Before you withdraw money at an ATM, you should always inspect the machine and cover the number pad with your free hand when entering your PIN.

Here are some commonly-used ATM-mounted card skimming devices.

ATM card skimming devices

Stealing your PIN at an ATM

ATM Spy Cameras

There are many ways through which criminals can steal your PIN at an ATM – looking over your shoulder, installing a small camera, and even installing a fake keypad.

The first two are widely used in South Africa, but according to Sabric they have only recorded one incident where a fake keypad was recovered off an ATM.

However, just like with card skimming devices, anyone withdrawing money from an ATM should be on the lookout for shoulder surfers, small cameras, and fake keypads.

 

 

 

Advice

Perhaps the only solutions are vigilance and the use of OTPs. In the case of many of these card skimming tricks, even vigilance will not suffice. The only foolproof solution currently available is the use of One-Time PINs with all Credit Card and ATM transactions.

That is until the next scam is devised by the devious criminal minds.

Sources:

All are from MyBroadband:

How to spot a card skimmer at a restaurant: 

http://mybroadband.co.za/news/security/170401-how-to-spot-a-card-skimmer-at-a-restaurant.html

The new way criminals are card skimming at ATMs:

http://mybroadband.co.za/news/security/156139-the-new-way-criminals-are-card-skimming-at-atms.html

Watch out for these card skimming and PIN theft tricks criminals use:

http://mybroadband.co.za/news/banking/128194-watch-out-for-these-card-skimming-and-pin-theft-tricks-criminals-use.html


1 Comments

  1. Hi Dean, I am using different credit cards for different purposes e.g. I am using one card (with a rather low credit) for Internet purchases only. Through measures like that I try to spread the risk. The best way is to pay Cash but then, you can still be held up
