Card Skimming Trends for 2011

Mag Stripes, POS Are Top Vulnerabilities to Fraud

December 21, 2010.

Payments card fraud is not expected to slow down anytime soon, especially from skimming attacks. Industry experts say card skimming at ATMs and points of sale is quickly reaching a tipping point in the United States, where lingering magnetic-stripe technology is making U.S. cardholders easy targets.

At the ATM, card skimming remains the No. 1 fraud threat. But as distinguished Gartner analyst Avivah Litan points out, skimming at point of sale devices is becoming increasingly troublesome. "POS fraud is rising, and it's likely because of skimming," Litan says.

Top Threats

Today's two most common skimming attacks occur at the POS, either by employees who use hand-held skimmers or fraudsters who swap legitimate POS devices for devices that have been manipulated to skim and transmit card data. That so-called swap attack is what led to the card compromise at Hancock Fabrics, reported earlier in 2010.

Pay-at-the-pump terminals and ATMs also rank high in the skimming chain because they are unattended. As Litan says, "They are usually a fraudster's easiest target." Pay-at-the-pump has proven vulnerable because of easy accessibility. Default codes used to open gas pump enclosures have been exploited by criminals posing as technicians, for instance. Once inside, the criminal can install a skimming device and connect it directly to the terminal's keypad and card reader. It's undetectable from the outside, giving the device ample opportunity to collect card data in real time, as the card is swiped and the PIN entered.

Skimming at ATMs has not changed much over the last decade. Most ATMs are compromised when skimming devices are placed over their external card readers. But technology advancements at the ATM have made strides in curbing those skimming attacks. Still, while the ATM is not necessarily the primary point of compromise, it is the channel used most often by fraudsters for fraud redemption -- cash withdrawals.

Higher-Tech Schemes

One thing that is changing about skimming, regardless of where it's perpetrated, is its increased sophistication and use of advanced technology. Across the board, fraudsters rely more on wireless communications to transmit skimmed card data. Bluetooth or cellular technology is the preferred wireless mode of communication, says Jeremy King, European regional director for the Payment Card Industry Security Standards Council.

"Organized crime is getting more involved, and this is something we are watching closely," King says. "Improving awareness is important, and the PCI PED standard is addressing some of the global card skimming trends we are seeing. In 2008, we added unattended terminals to the standard to address those trends."

But the sophistication of organized crime goes deeper than technology, Gartner's Litan says. The emergence of so-called "flash attacks," which rely on coordinated, often international, efforts to simultaneously withdraw funds from multiple ATMs, is posing increased challenges for banks the world over.

Flash attacks, Litan says, "fly under the radar, because they involve several small withdrawal amounts that occur at the same time." Institutions, already forced to cut budgetary spending for fraud detection, are fighting an uphill battle. "Banks can stop it if they can figure out the point of compromise, but many have a hard time doing that with current fraud-detection solutions," she says.
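The two detection steps described above, as an added example that is not part of the original article: flag bursts of small withdrawals spread across several ATMs, then rank the terminals the flagged cards share to suggest a point of compromise. All card, ATM and terminal names, the sample records and the thresholds are constructed assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta

T0 = datetime(2010, 12, 1, 2, 0)  # constructed timestamps
# Constructed withdrawals: (card, atm, time, amount)
WITHDRAWALS = [
    ("c6", "atm-01", T0 - timedelta(hours=1), 60),
    ("c1", "atm-11", T0, 100),
    ("c2", "atm-12", T0 + timedelta(minutes=1), 120),
    ("c7", "atm-01", T0 + timedelta(minutes=2), 400),
    ("c3", "atm-13", T0 + timedelta(minutes=3), 100),
    ("c4", "atm-14", T0 + timedelta(minutes=4), 140),
    ("c5", "atm-11", T0 + timedelta(minutes=6), 100),
]
# Constructed purchase history: card -> terminals used before the burst
HISTORY = {
    "c1": {"pump-17", "grocer-1"}, "c2": {"pump-17", "grocer-1"},
    "c3": {"pump-17", "cafe-3"}, "c4": {"pump-17", "grocer-1"},
    "c5": {"pump-17", "grocer-1"}, "c6": {"grocer-1"},
    "c7": {"grocer-1", "cafe-3"}, "c8": {"grocer-1"},
}

def flash_burst_cards(withdrawals, window=timedelta(minutes=10),
                      max_amount=200, min_cards=4, min_atms=3):
    """Cards seen in any window holding many small withdrawals across several ATMs."""
    small = sorted((w for w in withdrawals if w[3] <= max_amount), key=lambda w: w[2])
    flagged, start = set(), 0
    for end in range(len(small)):
        while small[end][2] - small[start][2] > window:
            start += 1  # slide the window's left edge forward
        burst = small[start:end + 1]
        cards = {w[0] for w in burst}
        if len(cards) >= min_cards and len({w[1] for w in burst}) >= min_atms:
            flagged |= cards
    return flagged

def rank_points_of_compromise(flagged, history):
    """Score each terminal by share of flagged cards minus share of other cards."""
    if not flagged:
        return []
    others = set(history) - flagged
    hit = Counter(t for c in flagged for t in history.get(c, ()))
    base = Counter(t for c in others for t in history[c])
    scores = {t: hit[t] / len(flagged) - base[t] / max(len(others), 1) for t in hit}
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)

if __name__ == "__main__":
    cards = flash_burst_cards(WITHDRAWALS)
    print(sorted(cards), rank_points_of_compromise(cards, HISTORY)[:2])
```

Subtracting the share among unflagged cards keeps a terminal that nearly every cardholder uses from outranking the one terminal common only to the compromised cards.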

A Need for Cardholder Authentication

Stronger cardholder authentication through contactless radio-frequency identification payments or contact chip technology such as EMV could solve the authentication dilemma. Even one-time pass codes embedded into plastic payments cards would be an improvement, Litan says.

Follow Tracy Kitten on Twitter: @FraudBlogger
