INPAYMENTS_header_central11.jpg

scamming by skimming

Customers Should Be Aware Of Skimming

Skimmers are the petty criminals of the future, cyber versions of small crooks and pickpockets. Only, the damage they do is much bigger. 

In order to steal money in the electronic form, skimmers need to steal their victims’ personal information first. On top of that, today’s interconnected world makes it easy to spend the stolen money on a greater scale. Thus, when a skimmer is successful, the damage estimates usually run in $1.3 million, $3 million or even $20 million range.

While skilled computer experts willing to work for the dark side are needed for sophisticated cyberattacks, scamming by skimming is something that a lot of small time crooks all around the world can think of and pull off by themselves. One thing is crystal clear: they are experts in recognizing the weaknesses of ATMs and POSs on a small scale. 

European ATM Security Team (EAST) reported that average cash loss per card fraud attack in Europe is more than 48.000 EUR.

In 2015, a FICO study revealed that lack of monitoring of non-bank owned ATMs was fast recognized and the number of skimmer attacks on these surged by 546% in a single year, which accounted for 60% of all ATM frauds in US in 2015. In December of 2016, VISA warned that skimmers are attacking attended and unattended POS devices to collect payment information and PIN numbers. 

At the start of 2017, the European ATM Security Team reported that eighteen of its member states have experienced card skimming at ATMs. In five states, criminals attempted to put skimming devices inside of ATMs. This problem is also becoming international: nine countries within SEPA and 44 outside it have experienced losses due to skimming in 2017 so far.

INTERVIEW: BORIS JEREB

We talked to Boris Jereb, Head of technical department at the Slovenian Ministry of the Interior Police, whose specialties include electronic devices for different applications, mainly special devices for border surveillance and traffic control. His current role on forensic analysis of electronic devices started with analysis of mobile phones for criminal police, then he continued to work on skimming devices.

What are skimmers, how do they work and where can they be installed?

Skimmers or skimming devices are small electronic devices for capturing data from payment cards – as devices "in the middle" between customer (user) and machine, during procedure on an ATM or POS.

Skimming devices mostly consist of two separate devices, one for data capturing from the magnetic stripes on the payment cards and another for the video recording of pin numbers typed on ATM or POS keyboards. Skimming devices can also be built as an all-in-one devices.

INPAYMENTS_Boris_Jereb.jpg

How to spot and avoid credit card skimmers? 

Spotting a skimming device is not so easy. The quality of manufactured plastic or metal covers of electronics for data capturing from magnetic stripes is very good, therefore they cannot be spotted instantly. We can say the same for video recording devices of all shapes and forms of appearance. Maybe in some cases, where production of skimming devices is on a low technical level, ordinary people can spot an added device, enclosure, etc.

What do skimmers do with the data they collect? 

Actually nothing. They are only recording data and video for later analysis by Organized Crime Groups, OCG's. Skimming devices are, for easier understanding, made for the same purpose as USB memory sticks: to record data.

What are the best counter-measures for skimming today?

The best counter-actions available today are the knowledge and the awareness on how skimmers are installed and used by technical staff of all levels. Technicians should take care of how they install and maintain ATMs.

They should take into account all instructions of vendors of ATM's to comply with safety measures. Also, some countermeasure devices can be installed as add-on devices on ATMs. For instance, sensors to check slots for payment cards, video cameras for recording customer behavior in front of ATMs, and so on.

How can customers protect themselves from skimming?

Customers should be aware that skimming devices exist here and now. They should take care of how they type in PIN numbers and be aware if they are observed while using ATMs. Customer should always cover over the hand they are typing their PIN with, since this is a very effective and simple way of the so-called self-protection. Changing the PIN number is recommended, as is changing of passwords on PCs. Payment cards also must not be submitted or lent to an unknown person, for instance to help, if something looks wrong on an ATM.