We use cards – credit and debit cards – for many types of online payments, to withdraw money from ATM machines, etc…, We use cards for both – card present transactions and card not present transactions. We present cards at shops, stores, restaurants, fuel pumps, hospitals, etc…, Anywhere we want to make a payment. The data stored on credit cards is very sensitive and if it falls into the wrong hands it can be misused – cloned cards can be created and used for purchases. Hence, it is very important to protect the physical card as well as the data on the card.
In cards, data storage can be done two ways – on magnetic stripes and on EMV (Europay, MasterCard, and Visa) chips. Earlier skimmers targeted magnetic stripe cards, and due to the vulnerabilities and innumerable successful attacks on magnetic chip cards, the industry is moving on to EMV chip-based cards. Usage of magnetic strip based cards are not being encouraged. Further on, magnetic strip cards will not be accepted.
Criminals try to steal the card or card data through many ways – physical stealing or through phishing. Physical stealing would mean theft, while phishing involves tricking the card holder to reveal the details of the card. Cyber criminals have found significant success in misusing stolen card data, and are forever finding out innovative ways to steal and acquire data. There is also a huge market for stolen card data on the Dark Net. It is thriving business. The cost of the card data depends upon the geographical location of the card, the type of card and the maximum purchase limit allowed.
The Process of Card Skimming
Card skimming involves harvesting of card data from a card reading terminal or using a specialized device to skim data. In the first type, cyber criminals insert and fix card reading devices inside ATM slots, self-swiping machines in fuel stations and card reading machines. Some of these devices are quite simple while some are too sophisticated. The skimmers read the data and store them, and this data is later extracted.
Skimming devices have evolved over the years – the early devices were bulky devices – some were used to cover the whole front of an ATM device, while others covered just the slot. In restaurants, these devices used to be kept out of sight under cash desks, where the card would be slyly swiped, and data would be stolen. Further skimmers were developed that were just the size of a matchbox. The latest skimmers are wafer-thin such that they can be inserted into the card slots of the machines. These devices are very difficult to detect as they are well hidden; they cannot be easily observed through visual-inspection.
The latest skimmers are so sophisticated that they have cameras and keylogging malware to record the keystrokes. While EMV cards are definitely more secure than magnetic stripe-based cards – they are not absolutely secure. Existing EMV cards also have magnetic stripes and all data that is stored on the chips is also stored on the stripe, from where they can be extracted. Cyber criminals are employing a “shimming” technique to extract data from EMV-chip cards.
Precautions to Protect from Card Skimming
Inspect the ATM device for anything suspicious – such as a camera focussed on the keypad, keypad overlay or card slot.
If the POS accepts cards with EMV chips then do not allow the transaction to be done through the magnetic stripe.
Further, more secure technologies are being developed – such as NFC and other payment options. Adopt such technologies.