Top 4 Skimming Threats

From Hand-Held POS Devices to Dummy ATMs
Credit and debit-card skimming can take many forms. Here are the top four credit and debit card skimming attacks hitting U.S. businesses, financial institutions and their customers.

#1: Hand-Held POS Skimming

The most common type of skimming attack is usually perpetrated by insiders -- a store clerk or waiter who uses a hand-held skimmer device that copies the cardholder data when a customer's card is processed. Once the thief has the data from the magnetic stripe, it's downloaded to a computer. From there, the card details are duplicated to create so-called "white" cards.

#2: POS 'Swaps'

Retailers are getting hit by so-called point-of-sale swaps, which involve a fraudster trading out an existing POS device for one that has been manipulated to skim card data. This type of attack is what led to the compromise of debit and credit cards used at Hancock Fabrics, as well as other retail locations over the past six months.

#3: ATM and Unattended Self-Service Terminal Skimming

ATMs are compromised with skimming devices placed over the ATM's card reader. In some cases, other parts of the ATM fascia are covered, to better disguise the skimmer. The skimmer may rely on Bluetooth or cellular technology to remotely transmit card data. Fraudsters often double their efforts by installing pinhole-sized cameras in brochure holders, light bars, mirrors or speakers to gather PIN details as they are entered. Once the fraudsters collect the PINs and the card numbers, they have enough information to compromise the cards.

Pay-at-pump self-service petrol pumps also are susceptible to this type of attack. Authorities have investigated numerous reports of skimming at unattended self-service terminals in different parts of the United States. Separate pay-at-the-pump skimming attacks in Florida and Utah at more than 180 gas stations show the ease with which criminals can install skimming devices on self-service gas pumps and other unattended self-service terminals.

Pay-at-the-pump terminals are vulnerable chiefly because they are relatively easy to access. The continued use of default codes or entry for access to the pump's enclosure makes them easy targets. Criminals posing as technicians can easily access the terminal and install a skimming-like device inside the enclosure, where it is undetectable from the outside. Once installed, these devices are connected directly to the terminal's keypad and card reader, so they collect all of the card data that is swiped and the PINs that are entered.

#4: 'Dummy' ATMs

Though not quite so common today as they were 10 years ago, "dummy" or fake ATMs continue to pose concern for the industry. Resembling smaller, entry-level retail ATMs, these dummy ATMs are often purchased online and installed in high-traffic areas. The machines do not dispense cash. Their sole function is to collect card data and PIN details. Oftentimes, these dummy ATMs are powered by car batteries, so that they can be mobile -- set up on street corners or briefly in front of a heavily visited retail site -- or plugged in to a nearby outlet.

About the Author

Linda McGlasson

Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.



