What is Skimming?
Skimming is fraud in which payment card data is copied at the point of sale or at an ATM and transferred to a location under the criminal's control. Examples include capturing PIN codes and card numbers, and ATM skimming attacks. Criminals normally write the stolen data onto forged cards and use them for fraudulent purchases. Skimming can be carried out in several ways, and attempts easily go unnoticed by the victims.
Skimming can take place through a number of techniques, such as installing hidden cameras to capture PIN codes as they are typed, using skimming devices to read and store magnetic-stripe data, or even stealing a POS terminal, tampering with it, and putting it back in place before anyone notices.
Payment Cards or ATM Skimming Attacks
This is the most common type of skimming. The criminal swipes your credit or debit card through a card reader that records the data encoded on its magnetic stripe. In ATM skimming, the PIN is then usually obtained through a secretly installed miniature camera or by an individual who is "shoulder surfing". The data is either sold to professional fraudsters or written onto a counterfeit card that is used for fraudulent purchases; it can also be used to buy goods online or over the phone.
Dishonest employees have also been found to be involved in card skimming. Staff at retail counters are approached and bribed by identity thieves to help collect debit or credit card data, either by swapping the debit PIN pad or by using skimming devices that can be bought cheaply and without restriction. Typically the employee waits until your attention is diverted from the counter and swipes your card through a reader hidden behind it. Portable card readers are also used in restaurants, where a waiter can copy your card at the time of bill payment. In all these cases the cardholder has little or no control while the card is being handled, which is why this type of skimming is common and easily goes unnoticed.
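As an added example that is not part of the original article, the following Python parses the two magnetic-stripe tracks a skimmer captures, laid out per ISO/IEC 7813, and runs the checks an issuer or forensic analyst applies to a recovered dump: a Luhn check on the PAN, agreement between the two tracks, and a look at the service code, whose first digit of 2 or 6 marks a chip card that a genuine terminal should not process as a plain swipe. The track strings are constructed sample data built on the well-known 4111 1111 1111 1111 test number; no real card is involved.

```python
import re
from dataclasses import dataclass
from typing import Optional

# ISO/IEC 7813 layouts as a skimmer reads them off the stripe:
#   Track 1: %B<PAN>^<SURNAME/FIRST>^<YYMM><service code><discretionary data>?
#   Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK1_RE = re.compile(
    r"^%B(?P<pan>\d{1,19})\^(?P<name>[^^]{2,26})\^(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?$"
)
TRACK2_RE = re.compile(r"^;(?P<pan>\d{1,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?$")

# Constructed sample dump: the standard 4111... test PAN, not a real card.
SAMPLE_TRACK1 = "%B4111111111111111^DOE/JOHN^25122011234567890?"
SAMPLE_TRACK2 = ";4111111111111111=25122011234567890?"


@dataclass(frozen=True)
class Track:
    pan: str
    expiry: str          # YYMM exactly as encoded on the stripe
    service_code: str    # three digits; first digit 2 or 6 means an EMV chip is present
    name: Optional[str] = None


def luhn_ok(pan: str) -> bool:
    """Mod-10 check-digit test: a cloned stripe copies the PAN so this passes; read noise does not."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:           # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """PCI DSS allows displaying at most the first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def parse_track1(raw: str) -> Track:
    m = TRACK1_RE.match(raw)
    if not m:
        raise ValueError("not a Track 1 record")
    return Track(m["pan"], m["exp"], m["svc"], m["name"].rstrip())


def parse_track2(raw: str) -> Track:
    m = TRACK2_RE.match(raw)
    if not m:
        raise ValueError("not a Track 2 record")
    return Track(m["pan"], m["exp"], m["svc"])


def chip_card(service_code: str) -> bool:
    """Service code 2xx/6xx: the card carries a chip, so a magnetic-stripe swipe should only
    happen as a documented chip fallback. A counterfeit made from skimmer data keeps the
    original service code unless the criminal rewrites it, and a rewritten code is itself
    detectable when the issuer compares it with the value it personalised."""
    return service_code[0] in "26"


def assess(t1: Track, t2: Track) -> dict:
    """Summarise a recovered dump without ever exposing the full PAN."""
    return {
        "pan_masked": mask_pan(t2.pan),
        "luhn_ok": luhn_ok(t2.pan),
        "tracks_agree": (t1.pan, t1.expiry, t1.service_code)
        == (t2.pan, t2.expiry, t2.service_code),
        "chip_card": chip_card(t2.service_code),
        "expiry": f"20{t2.expiry[:2]}-{t2.expiry[2:]}",
    }


if __name__ == "__main__":
    report = assess(parse_track1(SAMPLE_TRACK1), parse_track2(SAMPLE_TRACK2))
    for key, value in report.items():
        print(f"{key:>13}: {value}")
```

The assessment only ever reports a masked PAN. A forensic script that prints recovered track data in the clear becomes a cardholder-data store in its own right, which is the situation PCI DSS exists to prevent.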
Point of Sale Terminal Skimming
In this technique, criminals access payment data by attacking POS (point of sale) terminals, installing electronic equipment inside the terminal or in related devices. The skimming equipment is usually very small and is not easily detected by merchants or cardholders.
Attackers have historically targeted terminals that are easy to reach and mostly unattended, for example at fuel pumps. Once they have the terminal hardware in hand, they study its security features and work out ways to defeat them. The terminal is then reinstalled in its place, and all cardholder data passing through it is captured.
Some skimming devices are even equipped with wireless technology such as Bluetooth or GSM, which lets the criminals retrieve the data from a distance, where they have little or no chance of being caught.
ATM Malware
In this technique, attackers install malware, most commonly on ATMs running outdated or poorly configured software. The malware captures card and PIN data, which is sent to, or later retrieved from, a remote location and used in ATM skimming attacks. The ATMs are infected either directly, by physically booting the machine from a CD or other removable media carrying the malware, or remotely through Advanced Persistent Threat (APT) style intrusions into the bank's network.
Wireless Network Skimming
Advanced attackers can also skim by intercepting a wireless network while payment data is in transit. If the data is unencrypted or the Wi-Fi network is insecure, the attacker can read it directly.
Some mobile POS terminals transmit payment data to a Bluetooth access point. If that link is unsecured or unencrypted, the data can be captured while it is being transmitted. Likewise, where a contactless payment is made wirelessly through a mobile phone's Bluetooth feature, card data can be sniffed during the transaction if the Bluetooth interface is not secured, even though the card is never physically swiped.
Smartphone-based Skimming Devices
In this technique, a skimming device is attached to the audio jack of the criminal's smartphone or tablet and the customer is tricked into entering their PIN on the smartphone. This gives the criminal the full cardholder data along with the PIN. Enter PINs only on devices approved under PCI PTS (PIN Transaction Security).
NFC Skimming
Some thieves use an NFC (Near Field Communication) app on a smartphone to read card data from individuals in close proximity. The data can be read even while the card is not in use. To check whether your card can be read this way, look for the words "PayPass" or "Blink" or for the contactless symbol of nested arcs; if present, the card can be read without contact. Note that what a contactless card exposes over NFC is normally limited to the card number, expiry date and, on older cards, the cardholder name: the printed security code is not transmitted, and EMV contactless cards generate a per-transaction cryptogram, so the captured data is far less useful for counterfeiting than a magnetic-stripe dump.
Threats of Skimming Attacks
Although skimming is itself a major threat to the payment card industry, it brings further risks for merchants, banks and other payment networks. Besides the financial loss to both the customer and the service provider, it severely damages the reputation of the latter. The PCI Security Standards Council has issued a best-practices guide for skimming prevention (Skimming Prevention: Best Practices for Merchants). According to it, skimming attacks threaten each affected party in the following ways:
To Consumers
When consumers fall victim to a skimming attack, it affects them as much as any merchant or payment network. Losing their personal financial data causes inconvenience in later transactions as well. Their buying pattern changes: they are pushed back to conventional methods of payment and minimise their use of debit and credit cards at the point of sale. This in turn worries banks and merchants, who see lost customer confidence and doubts about their reliability.
To Merchants
According to the PCI Security Standards Council, skimming is among the top three types of fraud that merchants must address. Even one successful skimming attack can put a merchant out of business by destroying its brand image. Consumers have become more conscious of data security and prefer reliable, trustworthy merchants with a strong reputation. After a skimming attack, merchants face additional fines, court proceedings, investigation and system upgrade costs, and the loss of existing and potential customers due to the damaged reputation.
To Banks and Payment Networks
In recent years ATM skimming has been on the rise as organized criminal groups adopt the practice. Banks and other payment card networks not only suffer financially but also lose the confidence, trust and loyalty of their customers. After a successful skimming attack, further costs follow: attack investigation, card replacement, monitoring and compliance requirements, and so on. Criminals keep developing new skimming techniques faster than banks can develop counter-strategies.
Guidelines and Best Practices
Merchants and banks need countermeasures to stay secure from skimming attacks. The PCI SSC has developed a set of guidelines and best practices for this purpose.
Physical Location Best Practices
The physical location of a merchant or bank plays a significant part in the likelihood and frequency of fraud. Locations are chosen on many grounds, but the basic priority should be a location that safeguards the physical assets, staff, customers and the business itself.
Banks and merchants should ensure the security of their physical location and assets from the following perspectives.
Secure your Physical Assets
To secure terminals and terminal infrastructure against skimming, merchants and banks should adopt the following best practices:
- Install terminals where they are least reachable by unauthorized individuals and can be easily monitored.
- Secure terminals and PIN pads to the counter with locking stands so they cannot be removed. Some locking stands include alarms that go off and alert staff if removal is attempted.
- Fit a privacy shield to PIN entry devices so that customers' PIN entries are hidden from others.
- Treat PIN pads like cash: when not in use, keep them out of sight under the counter.
- Weigh equipment at regular intervals and compare the actual weight with the vendor-specified weight to detect inserted skimming hardware.
- Regularly check for hidden pin-hole cameras around the terminal location.
- Install surveillance cameras at all POS terminal locations, positioned so that they cannot capture PIN entries but do record suspicious activity.
- Never use default or common passwords for administration and configuration menus; follow the PCI SSC guidance on password selection.
- Build an incident response plan for reporting suspected skimming attempts.
- Regularly inspect all equipment for tampering, and rotate the staff responsible for these routine checks.
- Cover all terminal wiring and cables to prevent wire tampering.
- Protect all wireless networks, including Bluetooth and Wi-Fi, with strong passwords and other security controls, following the PCI SSC standards.
- Encrypt cardholder data while it is being transmitted.
- Lock all telephone and electrical cabinets and periodically check that they remain secure.
- Retain surveillance camera footage for at least three months (90 days), as PCI DSS requires, unless otherwise restricted by law.
- If a camera is found broken, damaged or out of order, inspect all terminals, as this may be a sign of a skimming attempt.
- Fit cable locks to terminals. This strongly recommended practice stops a criminal from moving the terminal or its cable, and so reduces the opportunity for skimming at the terminal.
Secure the Surroundings of your Terminals
Besides securing the location and the terminals themselves, it is important to secure the terminals' surroundings, which can otherwise give criminals an opening for skimming. Newer terminals encrypt cardholder data as it is transmitted, but some setups still transmit unencrypted data.
Merchants and banks should:
- Know exactly which terminals in their network transmit clear-text data.
- Check terminal connections and cable runs for any replaced cabling or an inserted card-reading device.
Some terminals connect to their host over the internet for faster transactions and are therefore exposed to malware and DoS attacks. For such terminals, cabling should be covered and should not be labelled as terminal cables; if labelling is required, use a coding scheme that an outsider cannot interpret.
Record Data of your Equipment
Keep a record of all equipment and devices and update it regularly. Periodic inspection of the equipment against that record will reveal any changes. Banks and merchants should adopt the following practices to keep their equipment safe.
- Check the serial number on each PIN pad daily to confirm it has not been replaced. PIN pads can be bought without any regulation, and skimmers install their own PIN pads to collect cardholder data, which is then transmitted over wireless networks.
- Photograph each terminal from all angles, including labels and serial numbers. Take new photographs every six months and compare them with the earlier ones to identify any differences.
- Record the exact location of every terminal in the store and regularly check for any change.
- Record the number of connections (leads, aerials) normally attached to each terminal, and photograph them as proof of their type and number.
- Uniquely identify each terminal by marking it with an ultraviolet (UV) security pen.
Terminal Purchase, Update and Removal
- Buy only terminals approved under the PCI PTS security evaluation program and used in accordance with PCI DSS. Confirm that the model number, hardware version and firmware version of a new terminal match an entry on the PCI SSC approved devices list.
- Let only authorized staff update terminal software. Keep log and control sheets for the process and apply dual control at every stage of the update.
- Old terminals should be shipped back to the dealer, either directly or through a secure shipping process. Remove all application data, operating systems, tags and labels before disposal. Assign an authorized vendor to dispose of all electronic equipment; such waste should never be disposed of on the merchant premises.
Wireless Terminals and PIN Entry Devices
Wireless terminals let merchants take debit and credit card transactions without a telephone line. They are portable and can be carried to the customer; in a restaurant, for example, a server can bring the terminal to the table so the customer's card never leaves their sight. While this helps prevent skimming by employees, wireless terminals are also vulnerable because criminals can remove them, tamper with them, and put them back before anyone notices. The following measures and best practices therefore apply to wireless terminals:
- Keep a record of how many terminals are in use each day and which employee is handling which terminal at any given time.
- Apply security patches and updates to wireless terminals to prevent criminals from accessing them over the air.
PIN entry devices and their surroundings need to be protected. Once a PIN is entered, it is transmitted in encrypted form, so the realistic chances for a criminal to capture it are at the moment of entry or through a pin-hole camera hidden above the terminal. Merchants should know where criminals typically hide cameras: false ceilings above PIN pads, nearby charity boxes, leaflet holders and the like. Such items should never be placed near the PEDs, and the surrounding area should be kept free of boxes or storage where a camera could be concealed. Train staff to check for the obvious signs; since small hidden cameras are hard to spot, staff should watch for changes to the ceiling such as removed or replaced tiles.
Technical Best Practices to Prevent Skimming
Merchants and banks must meet specific technical criteria for the protection of their point-of-sale (POS) and PIN entry devices (PEDs). The PCI Security Standards Council has developed security standards for the design and testing of POS devices and PEDs that keep the security measures on these devices up to date.
Merchants and banks should adopt the following technical best practices to prevent skimming and fraud:
- Use equipment that meets PCI SSC requirements; the requirements are published on the PCI SSC website.
- Update payment application software regularly, as older versions may not remain compliant with the PCI Data Security Standard.
- Implement risk management best practices against skimming; they add a further layer on top of the security measures already in place.
- Maintain a list of all devices with their serial numbers and update it as new equipment is installed. Spot-check it at random to make sure the recorded data is correct.
- Fit tamper-evident seals to the PIN pads or keyboards of devices used for card transactions and inspect them regularly. If a seal is missing or appears tampered with, contact law enforcement immediately.
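As an added example that is not from the article or from the PCI SSC guidance, the Python below turns the inventory practices described under "Record Data of your Equipment" and in the technical list above (serial numbers, location, lead count and weight recorded per terminal, and model, hardware and firmware versions checked against the approved-device list) into a daily inspection check that reports what changed. The device records, the approved-configuration set and the inspection results are all constructed sample data; the model and version strings are placeholders, not real PCI PTS listings.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Device:
    terminal_id: str
    model: str
    hw_version: str
    fw_version: str
    serial: str
    location: str
    lead_count: int     # cables and aerials normally attached, as photographed at install
    weight_g: float     # vendor-specified weight


# Hypothetical approved configurations (model, hardware version, firmware version), standing
# in for entries the merchant has verified on the PCI SSC approved PTS device list. The
# strings are placeholders, not real approval numbers.
APPROVED = {
    ("PX-100", "1.2", "3.4.0"),
    ("PX-100", "1.2", "3.4.1"),
}

WEIGHT_TOLERANCE_G = 5.0   # allowance for scale noise; an inserted skimmer usually weighs more


def check_device(base, seen, approved=APPROVED, tol=WEIGHT_TOLERANCE_G):
    """Compare one observed terminal with its baseline record and return a list of findings."""
    findings = []
    if seen.serial != base.serial:
        findings.append(f"serial {base.serial} -> {seen.serial}: possible device swap")
    config = (seen.model, seen.hw_version, seen.fw_version)
    if config != (base.model, base.hw_version, base.fw_version):
        findings.append("model, hardware or firmware version differs from baseline")
    if config not in approved:
        findings.append(f"configuration {'/'.join(config)} not on approved list")
    if seen.location != base.location:
        findings.append(f"moved from {base.location} to {seen.location}")
    if seen.lead_count != base.lead_count:
        findings.append(f"lead count {base.lead_count} -> {seen.lead_count}: check cabling for an inserted reader")
    if abs(seen.weight_g - base.weight_g) > tol:
        findings.append(f"weight {base.weight_g:.0f} g -> {seen.weight_g:.0f} g: possible inserted hardware")
    return findings


def daily_inspection(baseline, observed):
    """Check every inventoried terminal; missing and unknown terminals are findings too."""
    report = {}
    for tid, base in baseline.items():
        seen = observed.get(tid)
        report[tid] = ["not found during inspection"] if seen is None else check_device(base, seen)
    for tid in sorted(observed.keys() - baseline.keys()):
        report[tid] = ["not in inventory: unknown terminal on the premises"]
    return report


# Constructed baseline inventory (sample data, not a real store).
BASELINE = {d.terminal_id: d for d in [
    Device("T1", "PX-100", "1.2", "3.4.1", "SN-0001", "lane 1", 2, 410.0),
    Device("T2", "PX-100", "1.2", "3.4.1", "SN-0002", "lane 2", 2, 410.0),
    Device("T3", "PX-100", "1.2", "3.4.1", "SN-0003", "fuel pump 4", 3, 410.0),
    Device("T4", "PX-100", "1.2", "3.4.1", "SN-0004", "lane 3", 2, 410.0),
]}

# Constructed result of today's walk-round: T1 untouched, T2 swapped for another PIN pad with
# an extra lead, T3 is 12 g heavier, T4 is gone, and an unlisted device sits at the service desk.
OBSERVED = {
    "T1": BASELINE["T1"],
    "T2": replace(BASELINE["T2"], serial="SN-9999", lead_count=3),
    "T3": replace(BASELINE["T3"], weight_g=422.0),
    "T5": Device("T5", "PX-100", "1.2", "2.9.0", "SN-0005", "service desk", 2, 410.0),
}

if __name__ == "__main__":
    for tid, findings in daily_inspection(BASELINE, OBSERVED).items():
        print(tid, "OK" if not findings else "; ".join(findings))
```

Every non-empty finding in the report is a reason to stop using that terminal until someone has checked it physically. A device that is missing, or present but unlisted, is treated as seriously as a changed serial number, because both are what a swapped or planted PIN pad looks like on paper.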
Skimming has become widespread in recent years, and skimming-related fraud is on the rise worldwide. It damages the reputation of merchants and banks and causes inconvenience for the affected customers. Merchants and banks, together with their employees and customers, therefore need to be aware of the threat and adopt best practices to avoid and respond to it: technical measures, physical security measures, and employee monitoring and control. Only by understanding and adopting these practices can merchants and banks bring skimming prevention under control within their business environment.