Card tricks: criminal business at ATMs

Lord777

To attract the attention of skimmers, all you have to do is use a bank card. How do these criminals operate, and how can you protect your bank account from them?

Who among us doesn't know to be wary of pickpockets? If your parents did not teach you in childhood to look after your wallet on the street, then sooner or later life itself takes over your education. It's the same story with malicious hackers on the Internet: any child can tell you all about them.

Far less well known are carders who use skimmers. That is a pity, because the chance of falling victim to them is very high. These card thieves specialize in stealing card details with inconspicuous equipment, the skimmers themselves, placed directly on ATMs. Despite the coordinated efforts of the police, banks and payment systems, the amount of money stolen from card accounts grows every year.

Carders are partly pickpockets (the work requires sleight of hand) and rather more hackers: this type of fraud is impossible without a computer and other high-tech tools.

To attract the attention of criminals, all you have to do is use a bank card to withdraw cash. Preferably one without a chip, since this makes emptying your account much easier. It also helps to refuse SMS notifications, to put the card into the first ATM you come across in some passageway, and to enter the PIN proudly, for everyone to see. The thieves will thank you from the bottom of their hearts.

[Image: ATM skimmer structure]


But seriously, this illegal business has grown and improved a lot recently. Its essence has remained the same: read the magnetic stripe data from the bank card unnoticed, observe the PIN, make a clone of the card and withdraw as much money as possible from the account. But the technology used to steal the information has changed a lot.

Business only

Criminals once built skimmers themselves from improvised components, clumsily fitted them to the card slots of ATMs, and then risked being caught while retrieving the data by hand. Now everything is different. The industry has long since left behind the relatively romantic period of do-it-yourself crackers; today it is a well-established business with a high degree of specialization.

The first element in the chain is equipment manufacturers and sellers: those who assemble ready-made solutions from components available on the market. Interaction with the buyer usually takes place via the Internet, and the product is delivered by mail — this is safer.

To see how widespread offers of skimming equipment are, just type a simple query into any search engine. Kits consisting of a card reader designed for covert installation, an overlay for the ATM keyboard (to capture the PIN), a card-cloning device and special software are now offered for $1.5–2 thousand. A couple of years ago, according to the well-known security expert Brian Krebs, similar equipment could cost about ten thousand dollars.

In general, no hacker knowledge is required from the buyer: suppliers provide not only user manuals, but also recommendations from the category of "best practices". The instructions are so detailed that they even include tips on how to "rock" the skimmer's battery pack before using it to maximize battery life!

Wonders of technology

Advances in technology and large-scale demand have made it possible to improve criminal electronics significantly in recent years. Security experts usually advise consumers to inspect the ATM for anything odd. But these recommendations are gradually losing their relevance.

First, the products of experienced criminal suppliers differ little from the original ATM elements. A layman will simply not notice the difference between a real receiving card tray and its "modified" version — the same plastic, the same color, only the shape is slightly different.


This similarity is achieved by adapting to specific, most common ATM models, since any regional market has its own favorite banks with the largest possible number of ATMs and customers. Of course, there are also ways to bypass the special overlays that banks use to deal with the installation of skimmers.

Secondly, there are criminal readers that simply cannot be seen: they are installed inside the ATM through the card slot. This innovation is noted in a recent report by the European ATM Security Team, a non-profit organization specializing in this field. Moreover, some of these devices do not even bother to read the card's magnetic stripe themselves, but simply piggyback on the ATM's own electronics!

Manual retrieval of stolen data is also becoming a thing of the past. New skimmer models include a GSM module that sends the magnetic stripe data, encrypted (protection from competitors!), back to base over a regular cellular network.

Take care of your HEALTH

Until now, getting the PIN has remained a relatively weak link in the chain. As a rule, miniature "spy" cameras are used for this, and sometimes quite ordinary mobile devices such as the iPod Touch player, which is valued for its thin body and good battery.

The camera is inconspicuously attached directly above the ATM keyboard or slightly to one side. The plastic trays and racks in which banks place their marketing leaflets are especially loved by carders. These fixtures are so familiar that potential victims hardly notice them.

However, if the person withdrawing money is vigilantly covering the keyboard with his hand, the camera becomes of little use. In addition, video information is not very convenient to transmit and process — manual labor is required.

The gradual drop in prices for thin keypad overlays (they now cost less than a thousand euros on the black market) makes the situation more alarming. Whether or not you cover the keyboard with your hand, the overlay records the PIN either way. Sending a four-digit SMS to the database is also much easier than dealing with video, and the process is much easier to automate.

The keypad overlay does, of course, protrude a few millimeters above the original surface. But few people will scrutinize the PIN pad and look for gaps around it. And from above everything looks perfectly respectable: the makers try to use the same materials (steel, high-quality paint) as the original ATM keyboards.


Another technological trick from the arsenal of carders is the special protection of the software they use to decode information and write clone cards. Thus, criminals insure themselves against interference from competitors and capture by law enforcement officers.

When an incorrect password is entered, the program does not report that it is incorrect, but simply closes. The carder gives the police any plausible password and says that it is a completely harmless program that he recently downloaded. The only trouble is that it doesn't start. Proving that the program was used for illegal activities then requires time-consuming code analysis by qualified specialists.

However, technology is only half the battle. Many skimming operations still require manual labor and are very risky. We will talk about them in the second part of this article, and at the same time give tips on how to protect your bank account from such criminals.

In the first part of this article, we looked at the new technologies and devices being adopted by carders, the "catchers" of bank cards. Now let's talk about the manipulations that are most dangerous for this category of criminals, and at the end we will give tips on how to reduce the risk of becoming a victim of these bad people.

Outsourcing bid

Most of the work of a carder does not require high qualifications. However, some operations, such as installing equipment, carry significant risks. Therefore, these functions are often outsourced to the appropriate specialists.

An experienced person spends about 30 seconds installing criminal equipment in an ATM. Of course, this is done only after a thorough reconnaissance, analysis of the location of security cameras, selection of the optimal "quiet hour" and with the help of an assistant monitoring the approaches to the object.

[Image: a criminal sets up a skimmer]

A competent "installer" is not easy to catch red-handed. A calm, respectably dressed gentleman will claim that he merely noticed something strange on the ATM and wanted to check his suspicions before calling the police. Try proving otherwise, especially if the tube of glue and other special tools have already been discarded. This is one reason why bank guidelines tell genuinely law-abiding citizens not to touch anything suspicious, but to raise the alarm immediately.

In addition to ATMs, other terminals that accept bank cards also enjoy the well-deserved attention of carders. These include machines at gas stations, kiosks selling transport tickets, vending machines, and so on. As a rule, such devices are looked after less carefully than ATMs. And ordinary people do not expect a trick from them: the absence of cash handling lowers their guard.

Criminal Harvest

Once the equipment is installed, the busy "harvest" season begins for the criminals. They need to clone as many cards as possible before the planted device is detected: after detection, the risk that the bank will block the already "caught" cards increases. To keep a close eye on the situation, an observer is often placed not far from the ATM, in a car or in a cafe across the street.

If no one pays attention to the "improved" ATM and the bank's security service does not react, the criminal system keeps working until the battery is depleted, which can mean up to a thousand stolen cards.

The greediest carders then remove the equipment to recharge it, while the smartest ones simply abandon it, which is less risky. The cost of the equipment is still recouped many times over by the catch, which can reach many tens of thousands of dollars.

Withdrawing money with cloned cards is a separate high-risk business, and it is often outsourced as well. As a rule, several people take part in the process; in criminal jargon they are called "mules".

Sometimes mules work directly for the carder, giving him the proceeds and receiving their percentage. Sometimes they just buy a package of stolen magnetic tracks online and operate completely independently, often in a completely different country.

Simplicity is worse than theft

The ease of stealing money from bank cards is largely due to the primitiveness of security technology. The first payment cards with a magnetic stripe appeared in a completely different era, almost half a century ago, when widely available devices for reading and cloning cards were out of the question.

The information recorded on the magnetic stripe is, in fact, not protected by anything, and the main secret that certifies the legitimacy of the transaction is a rather vulnerable, very short PIN code. There are several more recent improvements to the security technology, but they still remain optional.

Of course, payment systems and banks did not start thinking about this problem only today. Much more secure cards of the EMV standard, which include a specialized chip in addition to the magnetic stripe, became widespread in Europe more than 20 years ago.

The difference here is that the chip can't just be copied like a magnetic stripe. At the request of the terminal, the chip creates a unique one-time key each time. This key can be intercepted, but it will no longer be valid for the next transaction.

Security researchers have discovered a number of vulnerabilities in EMV cards, but they are very difficult to exploit in practice. So the criminals who specialize in skimmers would be sitting around with nothing to do, were it not for one "but". Switching to cards with a chip is a very long, complex and expensive process that involves many different aspects.

After all, everyone should switch: payment systems, banks, businesses that accept cards, manufacturers of payment terminals, ATMs, and so on. Therefore, in many countries of the world, even quite developed ones, many cards and terminals are still used without EMV support.

So even if your card is equipped with a chip, that doesn't mean money can't be stolen from it. To ensure compatibility with older terminals (and to increase fault tolerance), a transaction with an EMV card can be made without using the chip, by means of the magnetic stripe.

That is why the United States, where the EMV system is being implemented on a large scale only now, has been leading the world in the number of skimming cases for many years, the European ATM Security Team notes. Other risky countries include Indonesia and Thailand, while Bulgaria and Romania have a bad reputation in Europe.

The bank may also reimburse the client for the stolen money, especially if, under the rules, responsibility for a fraudulent transaction can be shifted to someone else: the payment system, the ATM owner, or the insurance company. Or it may turn out quite differently, with the responsibility shifted to the user; there are plenty of such stories.

Therefore, the rescue of drowning people, as usual, is primarily in the hands of the drowning people themselves.

Rules of survival

Unfortunately, there is no absolute guarantee against theft of money from the card, but following a few simple rules can significantly reduce the risk.

  1. If the card is not equipped with an EMV chip, then it is better to abandon it. Most likely, the bank will replace it with a chip card at your request. The chip doesn't guarantee full protection, but it does slightly reduce the risk.
  2. Subscribe to SMS notifications about card operations. The sooner you find out that your money is missing, the more likely it is that you will be able to get it back.
  3. If you are not an avid traveler, ask your bank if it is possible to restrict the geography of transactions (you can simply "enable" the desired country during your vacation). This is a very effective measure, which has already proved its worth in a number of European countries.
  4. Don't use a card that has a lot of money on it everywhere. The fewer payments it makes, especially in new and unfamiliar places (for example, when traveling abroad), the better. For high-risk transactions, you can create a separate card with a small amount.
  5. Choose ATMs in crowded, well-lit, and secure locations — such as a bank's premises. Conversely, avoid free-standing street terminals and ATMs in the back streets of shopping centers.
  6. When you enter the PIN code, stand closer to the ATM and cover the keys with your hand. Keyboard overlays are still relatively rare, and there is a much higher risk that you will be captured on camera or spied on by an observer behind your back. Do not forget to periodically change your PIN code (at the bank's office or at a reliable ATM), especially after risky operations.
  7. Pay attention to anything odd about the ATM itself and its surroundings. Not all carders are professional, and not all use perfect equipment. And, of course, you should not swipe your card through a "magnetic stripe cleaner" located next to the ATM. Oddly enough, a lot of people fall for this simple trick.
  8. Count the money issued by the ATM. There are special traps that are placed in the cash tray and can snag individual banknotes. If the ATM refuses to return the card, this may also be a sign of fraud: call the bank immediately, without leaving the terminal. Similar criminal schemes became widespread in Europe after the introduction of EMV protection.
  9. Do not let your card out of your sight when making payments in restaurants and shops. There are many compact hand-held scanners, and a PIN entered in such places is easy to observe.
  10. Don't show the card to strangers or post photos of it, even on one side. A lot of Internet sites allow you to make a payment without the CVV2 code (it is printed on the back of the card), not to mention the lack of support for two-factor authentication (one-time SMS passwords).


Be careful. A bank card is a very convenient tool, but there are situations when its ease of use turns against us. And remember: sometimes it's better to look silly than to regret your own carelessness later.

(c) kasperskydaily.com
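The section on chip cards says that a chip's one-time value is useless once intercepted, while a copied magnetic stripe still works wherever the chip can be bypassed. The sketch below is an added example, not part of the original article: a toy issuer in Python that shows both behaviours. HMAC-SHA256 stands in for the card's real cryptogram algorithm, and the key, card number, track data and all names are constructed for illustration.

```python
import hashlib
import hmac
import os

def cryptogram(key, atc, nonce, amount):
    # HMAC-SHA256 is a stand-in; real EMV cards use their own cryptogram algorithm.
    msg = atc.to_bytes(2, "big") + nonce + amount.to_bytes(6, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]

def chip_capable(track2):
    # Track 2: ;PAN=YYMM, then a 3-digit service code. A leading 2 or 6 marks a chip card.
    return track2.split("=")[1][4] in "26"

class Chip:
    def __init__(self, key):
        self._key, self.atc = key, 0           # the key never leaves the chip
    def sign(self, nonce, amount):
        self.atc += 1                          # transaction counter only moves forward
        return self.atc, cryptogram(self._key, self.atc, nonce, amount)

class Issuer:
    def __init__(self, key, track2, allow_fallback):
        self.key, self.track2, self.allow_fallback = key, track2, allow_fallback
        self.last_atc = 0
    def authorize_chip(self, atc, nonce, amount, mac):
        if not hmac.compare_digest(mac, cryptogram(self.key, atc, nonce, amount)):
            return "DECLINE bad cryptogram"
        if atc <= self.last_atc:
            return "DECLINE replayed counter"
        self.last_atc = atc
        return "APPROVE"
    def authorize_stripe(self, track2):
        if track2 != self.track2:
            return "DECLINE bad track"
        if chip_capable(track2) and not self.allow_fallback:
            return "DECLINE magstripe fallback refused"
        return "APPROVE"                       # static data: a copy looks like the original

def demo(allow_fallback):
    key = os.urandom(16)                                   # constructed card key
    track2 = ";4000000000000002=30122010000000000?"        # constructed sample track
    chip, issuer = Chip(key), Issuer(key, track2, allow_fallback)
    nonce = os.urandom(4)                                  # terminal's unpredictable number
    atc, mac = chip.sign(nonce, 5000)
    return {
        "genuine": issuer.authorize_chip(atc, nonce, 5000, mac),
        "same_message_again": issuer.authorize_chip(atc, nonce, 5000, mac),
        "old_mac_new_nonce": issuer.authorize_chip(atc + 1, os.urandom(4), 5000, mac),
        "copied_stripe": issuer.authorize_stripe(track2),
    }
```

With `allow_fallback=True` the copied stripe is approved even though both replays of the chip value are declined; with `allow_fallback=False` the issuer refuses stripe-only use of a chip card.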