[BreachExchange] Installed Faster Than You Can Say Skimmer!

Audrey McNeil audrey at riskbasedsecurity.com
Tue Mar 22 21:10:17 EDT 2016


https://www.riskbasedsecurity.com/2016/03/installed-faster-than-you-can-say-skimmer/

As first reported in the Q3 2015 Data Breach QuickView Report, researchers
at RBS have been tracking some interesting trends this year regarding
skimming. While hacking has consistently taken the top spot as the leading
cause of data breaches and fraud has usually occupied second place,
skimming made an unexpected appearance in the number 2 position in the
third quarter of 2015. Several state-wide efforts to find and remove
skimming devices at gas stations and ATMs is a driving factor behind this
increase.

Almost everyone by now has heard about skimming, and while there are many
forms typically people think about it in terms of the double swiping of
cards at both white tablecloth restaurants and fast food joints alike.
Restaurants across the United States have long struggled with employee
skimming and it’s easy to understand why. Customers typically hand over
their card to a server that steps away to an obscure register to complete
the transaction. Outside of the U.S., this seems crazy as payment in many
cases is done right at the table and your credit card never leaves your
sight. Even at the ubiquitous drive-thru window, the employee and register
is partially shielded from the customer’s view while payment is made.

Reports of skimming issues have been ongoing since early 2010.  However,
back in June of 2014, ABC Nightline News did a story on the rise of
skimming and provided quite a bit of video footage.  They showed just how
fast a double swipe could happen at a McDonald’s drive through.  Customers
and co-workers alike had trouble identifying the double swipe, even after
knowing where to look.  The story went on to say that approximately 70
credit cards per shift were able to be skimmed.

The ABC story further discussed the skimming issue with gas pumps and how
it is causing quite a few of problems.  Most people are stunned to hear –
and see – that no special tools or equipment is needed to open up a pump.
All a person needs is a universal key that is easily bought online. Newer
skimming devices have advanced to the point where, once installed, there is
no need to come back to claim them again as they can send pilfered data via
wireless or cell signals.

But advancements in skimming technology doesn’t stop there. Skimmers are
now being made to complement specific models of payment terminals.
Recently, Brian Krebs reported on a skimming device that was discovered
attached to a terminal at a self-checkout lane at Safeway grocery store in
Maryland. The article included a picture of the device, as well as a link
to a YouTube clip of a fraudster selling “Verifone condoms”.

For most people, the idea of installing a skimmer on a payment terminal
inside a store seems like a very risky proposition. The assumption is it
would take too long to properly install the device and would be too
difficult to distract the clerk long enough to finish the task without
being detected. No so.

Recently, a video has surfaced showing an installation of a skimmer inside
a convenience store in Florida.  It is a quick video but definitely worth
watching to see how it happens.

After looking at the clip, there are several key items that jump out:

- There is a team involved in the process to get the device installed;
- It takes only a very small amount of distraction / misdirection to ensure
nothing is noticed;
- The actually installation process was ridiculous fast;
- Nothing about the perpetrators’ behavior indicates malicious intent. In
fact, the blue-shirted person smiles at the clerk and waits patiently to
buy his two bags of potato chips.
- The register transactions are recorded as part of the video footage

Although it might have been good for the fraudsters to test the skimmer
installation by paying with a credit card, they paid with cash as you might
have expected.

As with most things related to cyber security it is an arms race. Skimming
has been a sizable problem for many years. Chip-embedded cards and the
related processing technology have yet to make an impact on skimming
activity and given the ease of new skimmer technology, expect the cat and
mouse game to continue.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20160322/b8469165/attachment.html>


More information about the BreachExchange mailing list