Skimming: Old Crime, New Tools
Emerging Technologies, Trends Give Fraudsters Greater Access
In nearly 30 years of payment card fraud, the types of attacks -- skimming at ATMs and point-of-sale terminals, theft of account numbers from data centers, as well as social engineering -- "have all been around since the 1980s," says Tom Wills, security and fraud senior analyst at Javelin Strategy & Research. The difference today, Wills says, is that the technology being used is much more refined. And the targets are evolving, too.
There have been roughly 40 incidents of skimming or POS attacks reported so far in 2010. These incidents range from tried-and-true ATM skimming to insider crimes and the troubling new trend of pay-at-the-pump thefts impacting merchants, institutions and their customers.
In fact, more fraud schemes in general are now directed at retail businesses and financial institutions, says Linda Foley, executive director of the Identity Theft Research Center. Card compromises of every variety have increased this year, Foley says, and that even takes into account the assumption that a vast majority of incidents are never reported.
See the new Interactive Timeline of 2010 Skimming Incidents.
Growth Market
The growth of skimming at both ATM and retail POS locations in the United States can be traced back to the introduction of EuroPay, MasterCard, Visa (EMV) chip-and-PIN technology, which is taking hold in Europe. "The criminals move where it is easier to extract data," says Mike Urban, senior director of global fraud solutions at FICO. Thus the migration to the U.S., where payment cards continue to rely on magnetic stripes, which are easier to skim.
Also, the uptick in skimming and POS terminal swaps signals to Branden Williams, director of the Security Consulting Practice at RSA, the security division of EMC, "that maybe we are making some headway on hardening the exteriors of our companies, or it could just be the sophistication of the criminal." He also says skimming, as a criminal act, is easier to pull off than a large external hack. Another reason he sees for the increase in skimming is the trend toward smaller and smaller devices. "They're easier to blend in. What used to carry bulk and duct tape is now custom-made for a particular device."
Urban agrees that the targets have gotten smaller as the larger organizations have been locking down their environments, forcing criminals to target smaller businesses as a result. The POS swap "takes a little bit of guts to do, but can be done," Urban says, pointing to Hancock Fabrics' disclosure of this type of breach hitting some of its retail stores earlier this year.
Big to Small Targets
Outside of the terminal swap, the criminals are using the same techniques they used on the big retailers. While the larger retailers have realized the dangers of exposing card data on an unprotected payment network after the TJX and Heartland breaches, "the small business owner isn't even expecting these kinds of attacks, and isn't prepared for them," Urban says.
While the notorious hacker Albert Gonzalez is behind bars for the TJX and Heartland breaches, Urban says there are hundreds, even thousands of criminals who are all aspiring to be "mini" Albert Gonzalezes. "His arrest made all of them more careful, and they are picking the smaller, less flashy targets."
The payments industry has come up with various measures such as Card Verification Values, Secure Electronic Transaction, EMV, 3D Secure (Visa's Internet Security protocol for card transactions) and the Payment Card Industry Data Security Standard, which have reduced fraud in some markets for some period of time, but not caused it to go away.
"The nature of fraud management is that you build a wall, and the bad guys build a higher ladder, then you build the wall higher, and so on forever," says Javelin's Wills. There are the occasional arrests and data breach disclosures, which might make it seem like there's a new rash of fraud. "But the truth is, the more things change, the more they stay the same," Wills says.
Types of Incidents
So far, the U.S. in 2010 has seen skimming and POS fraud incidents reported from 23 states. The types of incidents include:
ATM Skimming: This crime strikes at a financial institution's automated teller machine or even at free-standing ATMs in retail locations. There are numerous ways the criminals steal the card data, the most common being a card skimmer placed over the existing card slot.
Hand-Held Skimming: These skimming devices are often used to steal card data at retail establishments such as at a restaurant. A rogue employee needs only to swipe a customer's card through a skimmer, which captures all of the magnetic stripe data about the card account. Some skimmers are as small as a cigarette lighter and are easy to hide.
Self-Service Skimming: This crime occurs at self-service terminals, including gasoline pumps, where consumers swipe or insert their credit or debit cards to pay for goods or services. Similar to ATM skimming, the criminals either place a card reader over the existing card slot, or open the machine and plug into the card reader device to copy card data from every transaction. Some are sophisticated enough to relay the stolen card data via wireless technology, including Bluetooth, to the criminal's computer in a nearby location.
POS Device Tampering: This attack happens when fraudsters tamper with point-of-sale devices and PIN entry devices. Most criminals steal the POS or PED device from a specific retail location, manipulate it and then return to the retailer to swap out the functioning POS or PED device with the one that has been manipulated. Often, small skimming devices are placed inside the terminals, or the terminal's software is infected with malware. Either way, these devices then copy card data from each transaction swipe, and the fraudster returns after a period of time to replace the device, collecting the stolen card data.
Insider: This is either an employee or a trusted third party who has access to the point-of-sale terminal, ATM or network where the card data is. Insiders also can include staff who may overhear card account numbers from a customer, such as a call center employee or salesperson.
Unknown: This description means that the investigators were unable to determine the exact method that the card data was stolen.
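The POS device tampering described above leaves a physical trace: the terminal on the lane is no longer the one the retailer provisioned. A routine control is to walk the floor and reconcile each terminal's serial number and firmware version against the asset inventory. The following is an added example written for this article, not code from any source quoted here; the lanes, serials and firmware strings are constructed sample data.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Terminal:
    lane: str
    serial: str
    firmware: str  # vendor firmware version reported by the device


# Constructed inventory: what the retailer believes is deployed.
EXPECTED = [
    Terminal("lane-1", "PED-0001", "4.2.1"),
    Terminal("lane-2", "PED-0002", "4.2.1"),
    Terminal("lane-3", "PED-0003", "4.2.1"),
]


def reconcile(expected, observed):
    """Compare a floor walk-through with the asset inventory.

    Returns sorted (lane, finding) tuples. A serial that differs from the
    inventory is the signature of a swapped device; an empty lane may mean
    the device was taken away to be manipulated; a serial nobody provisioned
    is a device that should not be on the network at all. A firmware string
    that changed without a scheduled update is checked last, since it can
    indicate the terminal's software was replaced.
    """
    exp_by_lane = {t.lane: t for t in expected}
    obs_by_lane = {t.lane: t for t in observed}
    findings = []
    for lane, exp in exp_by_lane.items():
        obs = obs_by_lane.get(lane)
        if obs is None:
            findings.append((lane, "missing"))
        elif obs.serial != exp.serial:
            findings.append((lane, f"serial_mismatch:{exp.serial}->{obs.serial}"))
        elif obs.firmware != exp.firmware:
            findings.append((lane, f"firmware_mismatch:{exp.firmware}->{obs.firmware}"))
    for lane in obs_by_lane.keys() - exp_by_lane.keys():
        findings.append((lane, f"unexpected_device:{obs_by_lane[lane].serial}"))
    return sorted(findings)


# Constructed walk-through: lane-2 came back with a different serial,
# lane-3 is empty, and an unprovisioned device sits at a new lane.
OBSERVED = [
    Terminal("lane-1", "PED-0001", "4.2.1"),
    Terminal("lane-2", "PED-0099", "4.2.1"),
    Terminal("lane-4", "PED-0042", "3.9.0"),
]

if __name__ == "__main__":
    for lane, finding in reconcile(EXPECTED, OBSERVED):
        print(lane, finding)
```

Any non-empty result is a reason to take the lane out of service and pull the transaction records for the window since the last clean reconciliation.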
More about Skimming:
For more about anti-skimming, including our new timeline of 2010 skimming/POS incidents, please see:
Managing Editor Tracy Kitten contributed to this report.