Placing a skimmer on Gas Station Card Scanner in less than 3 seconds

Attack ATM is very simple for criminals, a video released by Miami Beach Police shows two men installing a credit card skimmer in less than 3 seconds.

In October, the CENTRAL MEANS OF PAYMENT ANTIFRAUD OFFICE (UCAMP) of the Italian Ministry of Economy and Finance released the annual report on Payment card frauds.

This year I was one of the experts who worked on the MEF – Annual Report on Payment Card Frauds No. 5/2015, an interesting document full of detailed data on the phenomena of payment card frauds. The document focus on payment card frauds (unrecognized transactions) issued in Italy and used everywhere.

Credit card frauds are a global emergency, ATMs are a privileged target of cyber criminals worldwide, we discussed several times about illegal practices used by crooks to steal credit card data. ATM hacking, ATM malware and also about ATM skimming are the most common type of attack against these machines.

Unfortunately, the attack against an ATM is very simple for criminal organizations, a video recently released by Miami Beach Police shows two men installing a credit card skimmer at a local gas station in less than three seconds.

The video shows how a criminal crew goes into action while the store clerk is serving one customer, which it is actually an accomplice.

The man keeps is face far from the camera, protecting it with a cap while the accomplice tampers with the ATM.

Just three second to completely compromise payment card terminal by attaching a skimmer that allows the crooks to steal credit card data from every customer of the store.

In the specific case, the skimmer was storing the stored card data locally, for this reason, the criminals will return to dismount the device. The most sophisticated gang user skimmers that are able to transfer data via Bluetooth once it has been stolen from the card.

Card data are then offered in the cyber criminal underground or to clone payment cards and use them to purchase items that can be resold quickly, like electronic devices, gift cards and luxury items.

The theft of credit card data is a particularly worrying phenomenon, especially in the US where the merchants are slightly moving to the EMV standard that is considered more secure because new payment cards will use a built-in chip to authorize the transactions.

Payment card frauds in the U.S. account for nearly 50 percent of global fraud losses, according to the Nilson Report; security experts maintain that the main reason is that the country is the last in the world to implement the EMV (EuroPay, MasterCard, and Visa).

Fortunately, the situation is changing also in the U.S., where the banking consumers are about to benefit from EMV against payment frauds, too.

 

The deadline for the move to EMV was October 1, 2015, but my merchants are still in delay and in many cases retailers still allow customers to swipe their cards.

Despite the enormous improvement introduced with EMV, we cannot consider it as a complete remediation against card frauds, in particular against “Card-Not-Present” (CNP) frauds.

EMV still doesn’t protect users when dealing with e-commerce or mobile commerce platforms.

“The reality is EMV credit cards cannot prevent PoS RAM Scraper attacks. EMV was developed to prevent credit card counterfeiting and not RAM scraping. If the EMV credit card’s Tracks 1 and 2 data are sent to the PoS system for processing, it will become susceptible to RAM scraper attacks because the decrypted data resides in RAM,” states a blog post published by Trend Micro.

Pierluigi Paganini

(Security Affairs – EVM card, cybercrime)