Principles of operation and methods of protection against skimmers for bank cards

Tomcat


What is a payment card skimmer

In the field of security, a skimmer refers to any hardware device used to steal information stored on payment cards when a customer makes a transaction at an ATM, gas station, or payment terminal. Recently, however, the meaning of the term has expanded, and a skimmer has come to mean any malicious application or code aimed at stealing payment card information, including during purchases in online stores.

Regardless of the type of skimmer (hardware or software), cybercriminals pursue similar goals: to defraud the cardholder by using the stolen information to clone physical payment cards or to make fraudulent transactions on the Internet.

How skimming devices work

Physical skimmers are designed for specific models of ATMs, self-service checkouts and other payment terminals so that they are difficult to detect. Skimming devices come in many shapes and sizes and have multiple components.

Each skimmer always has a card reader component consisting of a small microcircuit that is powered by a battery. Typically, the skimmer is contained within a plastic or metal shell that mimics the actual card reader of the target ATM or other device. This component allows the fraudster to copy the information encoded on the magnetic stripe of the card without blocking the actual transaction made by the user.

The second component of the skimmer is a small camera attached to the ATM or a fake PIN keypad that sits on top of the real keypad. As you might guess, the purpose of this component is to steal the PIN, which, together with the data stored on the magnetic stripe, is used to clone the card and perform illegal transactions in countries where this kind of crime is widespread.

However, as chip cards came into use in many countries, attackers adapted their technology and began to make more sophisticated skimmers. Some skimming devices are so thin that they fit inside the card reader slot. These devices are called deep insert skimmers or deep penetration skimmers. Devices called "shimmers" are inserted into the card reader slot and are designed to read data from the chips on cards. However, it should be noted that this technique is applicable only where the EMV standard (Europay + MasterCard + VISA) is incorrectly implemented.

Skimmers can also be installed entirely inside ATMs, usually by dishonest technicians, or by drilling or punching holes in the ATM shell and sealing the holes with stickers that appear to be part of the overall structure. Visa's report shows images of various types of physical skimmers found at ATMs around the world, as well as modified POS terminals sold on the black market that can also be used to steal information from a card.

How to protect yourself from payment card skimmers

Due to the wide variety of skimming devices, there is no one-size-fits-all way to avoid falling prey to intruders. The recommendations are as follows:
  • Avoid ATMs installed outside buildings or in areas with poor lighting. To install skimmers, attackers choose ATMs in poorly populated places, outside banks or shops and not under the supervision of a large number of cameras. In addition, skimmers are usually installed on weekends, when there are fewer prying eyes around. Therefore, try to withdraw cash on weekends only if absolutely necessary.
  • Before inserting the card, wiggle or pull the card reader and the PIN keypad and make sure these components do not detach or move. Typically, attackers use poor quality adhesive to attach the skimmer, as the device must be removed afterwards. This video shows a cybersecurity professional detecting a skimmer attached to an ATM on a street in Vienna.
  • Look out for odd signs: holes, pieces of plastic or metal that look out of place, components that don't match the color of the rest of the ATM, and stickers that are not evenly applied. If the ATM has seals for service locks, check for damage in these places.
  • When typing your PIN, cover the keypad with your hand so that the digits you enter cannot be recorded by a malicious camera. This method will not help against an overlay keypad, but will generally reduce the likelihood of PIN theft.
  • If your card has a chip, always use the terminal's chip reader instead of swiping the magnetic stripe.
  • Monitor your account statements for unauthorized transactions. If your card provides notifications via the application or SMS after each transaction, use these functions.
  • If the functionality allows, set a cash withdrawal limit during one transaction or within one day.
  • Use the debit card attached to the account that contains a small amount of funds and top up this account as needed, instead of using the card attached to the main account where all your money is.

Software skimmers

Software skimmers target the software components of payment systems and platforms, be it the operating system of a payment terminal or the payment page of an online store. Any application that processes unencrypted payment card information can become the target of malware tailored for skimming.

Payment terminal malware has been used to carry out some of the biggest thefts of credit card data, including hacks in 2013 and 2014 at Target and Home Depot. As a result, tens of millions of cards were compromised.

POS terminals have special peripherals, for example, for reading cards, but otherwise there are practically no differences from ordinary computers. In many cases, the terminals work on the basis of Windows in conjunction with a cash register application that records all transactions.

Hackers gain access to such systems by using stolen accounts or exploiting vulnerabilities, and then install malware that scans memory for patterns matching payment card information. Hence the name for this technique, "RAM scraping". Card information (with the exception of the PIN) is usually not encrypted when transferred locally from the card reader to the application. Accordingly, it is not difficult to copy this data from memory.

Web skimmers

In recent years, vendors of payment terminals have begun to implement point-to-point encryption (P2PE) to improve the security of the connection between the card reader and the payment processor. As a result, many attackers have turned their attention to another weak link: the checkout process in online stores and other e-commerce sites.

New web skimming attack scenarios inject malicious JavaScript into online store pages to intercept card information when a user makes a payment. As with POS terminals, unprotected data is intercepted during a transaction before being sent to a payment processor via an encrypted channel or before being encrypted and added to the site's database.

Hundreds of thousands of sites have already been web skimmed, including well-known brands such as British Airways, Macy's, NewEgg and Ticketmaster.

How to protect yourself from software skimmers

You, as a user, are unlikely to be able to do anything to prevent this kind of compromise, since you have no control over the application in the payment terminal or the code on the pages of the online store. Here, the responsibility for the safety of purchases lies entirely with the sellers and with the developers of the e-commerce technology used on the site. However, as a buyer, you can take additional steps to reduce the risk of card theft or to mitigate the consequences if a compromise occurs:
  • Track your account statements and turn on notifications for each transaction, if the functionality allows. The sooner you find unauthorized transactions and replace the card, the better.
  • If possible, use out-of-band authorization during online transactions. The latest revision of the Payment Services Directive (PSD2) in Europe obliges banks to accompany online transactions with two-factor authentication through mobile applications, as well as other methods. The deadline for compliance with the new rules has been extended, but many European banks have already implemented this security mechanism. It is likely that financial institutions in the US and other countries will also introduce out-of-band transaction authorization in the future, or at least offer this feature as an additional option.
  • When shopping online, use virtual card numbers, if the bank provides such an opportunity, or pay from your mobile phone. Services like Google Pay and Apple Pay use tokenization. When using this technology, the real card number is replaced with a temporary number transmitted to the merchant. In this case, your card number will not leak.
  • Try to pay for purchases using alternative payment systems, such as PayPal, when you do not need to enter card information on the order page of the site where you make purchases. You can also make purchases on sites that redirect to a third-party payment processor before entering card information, instead of processing this data by the store itself.
  • Because web skimming uses malicious JavaScript code, endpoint security programs that inspect web traffic inside a browser can technically detect such attacks. However, web malware is often obfuscated and cybercriminals continually make changes to their designs. Although an antivirus with the latest updates may help, it may not be able to detect all web skimming attacks.
  • Although some large companies and brands fall victim to web skimming, statistically, small online merchants are more likely to be compromised due to lack of funds for expensive server-side security solutions and code audits. From the shopper's point of view, the risk of compromise is lower when shopping in large stores.
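
On the merchant side, the kind of code audit mentioned above can start with the checkout page's own script tags, since web skimming works by injecting JavaScript into that page. The following is an added example, not code from the original post: the origins, paths, the integrity placeholder and `SAMPLE_HTML` are constructed, and the function names are hypothetical.

```javascript
// Added example. Origins, paths and SAMPLE_HTML are constructed for illustration.
const ALLOWED_ORIGINS = new Set([
  "https://shop.example",        // the store's own origin (assumed)
  "https://js.payments.example", // the payment processor's script host (assumed)
]);

// Read one attribute value out of a tag's raw attribute string.
function attr(attrs, name) {
  const re = new RegExp(`(?:^|\\s)${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, "i");
  const m = attrs.match(re);
  return m ? (m[1] ?? m[2] ?? m[3]) : null;
}

// One finding per <script> the policy does not account for.
// Regex tag matching is a simplification; use a real HTML parser in production.
function auditScripts(html, pageUrl) {
  const pageOrigin = new URL(pageUrl).origin;
  const findings = [];
  for (const [, attrs, body] of html.matchAll(/<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi)) {
    const src = attr(attrs, "src");
    if (src === null) {
      if (body.trim() !== "") findings.push({ issue: "inline-script", detail: body.trim().slice(0, 40) });
      continue;
    }
    let url;
    try { url = new URL(src, pageUrl); } catch { url = null; }
    if (url === null || url.protocol !== "https:") {
      findings.push({ issue: "non-https-or-invalid-src", detail: src });
    } else if (!ALLOWED_ORIGINS.has(url.origin)) {
      findings.push({ issue: "unlisted-origin", detail: url.origin });
    } else if (url.origin !== pageOrigin && !/^sha(256|384|512)-/.test(attr(attrs, "integrity") ?? "")) {
      findings.push({ issue: "missing-sri", detail: url.href }); // third-party script without an SRI hash
    }
  }
  return findings;
}

// Matching CSP directive: no 'unsafe-inline', so injected inline code is refused by the browser.
function cspScriptSrc(pageUrl) {
  const self = new URL(pageUrl).origin;
  return ["script-src 'self'", ...[...ALLOWED_ORIGINS].filter((o) => o !== self)].join(" ");
}

const SAMPLE_HTML = `
<script src="/static/checkout.js"></script>
<script src="https://js.payments.example/v3/pay.js" integrity="sha384-CONSTRUCTEDPLACEHOLDER"></script>
<script src="https://js.payments.example/v3/ui.js"></script>
<script src="https://cdn.analytics-metrics.example/a.js"></script>
<script>window.trackingId = "constructed";</script>`;
console.log(auditScripts(SAMPLE_HTML, "https://shop.example/checkout"), cspScriptSrc("https://shop.example/checkout"));
```

Run against each deployed build of the checkout page, a new finding means a script appeared that nobody approved; the `script-src` value goes into the page's `Content-Security-Policy` response header so the browser enforces the same allowlist.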
 