Skimming — now also in Wallis

The System Security course that I’m currently taking always manages to make my Fridays interesting. Yesterday we heard about security in filesystems, most of which I already knew. But afterwards in the exercise hour we told about skimming, an attack on your credit card when you use an ATM (automated teller machines, those machines where you can withdraw cash from your credit card).

The exercises are actually often more interesting than the lectures themselves, for there we hear some real-world stuff. Yesterday Stefan Frei showed us a presentation about attacks on ATMs, both skimming attacks and other more brute-force attacks where people run away with the entire machine!

The ATM before the skimming device is installed The modified ATM with the skimming device installed Skimming attacks are a relative new form of fraud where people snatch the information stored in the magnetic stripe on credit cards, together with the PIN code. They do this by installing a small camera and a small card reader in the ATM. The fake card-reader is put infront of the real card reader, and the bad guys will thus get hold of the information in the magnetic strip when you insert your card in the ATM. An example taken from a British ATM is shown on the right: at the top you see the original ATM, and at the bottom the ATM with the card reader installed.

See how those fake card readers look very professional and similar to the rest of the machine? We’re not talking about something held together with dutch tape here…

When you input your PIN the camera captures that — with both the magnetic strip and the PIN there’s nothing that prevents them from making a duplicate of your card and then simply walk op to the nearest ATM and withdraw money from your account. A rather scary scenario!

In the presentation we saw some photos of the next generation of skimming devices. The “funny” thing about those is that you cannot see them! They measure just a tiny bit more than your credit card, which means something like six centimeters wide, five milimeters height, and four milimeters deep. And that includes batteries, the card reader, radio antenna, and the circuits to make the whole thing run!

One could think that this is just some weird trick which only occurs in countries far, far away, but no — it happens right here in Switzerland! The first case of skimming has just been discovered in Wallis… So if you still have a magnetic stripe on your credit card, then watch out where you stick it into.

The newer card which uses a chip are not in danger from skimming attacks, since the data stored on the chip cannot be read out without interacting with the chip. The chip uses digital signatures to ensure that it’s really talking with an authorized ATM and not just some rouge skimming device. Of course most of these chip-enabled credit cards still have a magnetic strip on them to be compatible with legacy ATMs, so one still has to be careful…

3 Comments

  1. Zee:

    This article is interesting. However, I cannot open those web sites of the links in the article.

  2. Martin Geisler:

    You are right — the links seem outdated. But try searching for ‘ATM skimming’ and you’ll find lots of links to similar sites.

  3. Düsiblog:

    EC-Karte am Geldautomaten kopiert - Skimming…

    Worum geht es?
    Der Freundin eines Freundes ist es nun also passiert. An einem schönen Samstag in der Hauptfiliale einer großen deutschen Bank in der Innenstadt. Ein manipulierter Geldautomat, viele geschädigte Kunden. Konto leer geräumt und überz…

Leave a comment