Where do carders get credit card data? Today we'll talk about one of the ways to steal magnetic card tracks and PINs to them.
You may have noticed that the ATMs you are used to at some point (several years ago) suddenly changed their appearance a little. Some strange structures appeared on the card collectors, and the card began to move out somehow unevenly, twitching. What happened?
It's just that at about the same time, all banks dramatically increased their protection against the so-called. skimming.
Skimming is a clever way to steal data from the magnetic stripe of plastic cards. Now I looked into the dictionary - and grinned: the persistent expression "to skim cream off" is equally applicable both literally and figuratively.
In order to steal the contents of the magnetic stripe, the carder makes a special device - a skimmer. It is installed in the card capture reader in such a way as to look as if it were part of an ATM, a part of the lining. But in fact, this device has a built-in magnetic read head. When you insert a card into the slot, you first insert the card into the skimmer (without knowing it). The ATM pulls the card into the card slot, and the card is rolled over the magnetic head of the skimmer. The electronics of the skimmer reads the signal and records it. The track is recorded and saved, the job is done. By the way, you can steal data both when the card moves inside the card capture reader, and in the reverse procedure.
But one track is not enough. I still need to get a PIN. As I wrote once before, take it out from somewhere impossible. One thing remains - to spy. Literally.
One way to steal PIN codes in this situation is to mount a mini-camera somewhere in the corner above the ATM monitor that "looks" at the PIN pad. After the data from the skimmer and from the camera gets to the carder, he analyzes what was entered by video. This is, of course, not the most worn-out way to steal your PIN. Firstly, the client can involuntarily block the PIN-pad keys with his hand, and secondly, the carder does not have many options where to hang the camera in the ATM so as not to arouse suspicion. Thirdly, there are ATMs in which the PIN-pad is protected by a factory-made plastic visor. In general, it is not so reliable. On the other hand, in this case, the hunt is usually not for a specific card, but for collecting a large amount of data, pairs of track + PIN. If part of the data is not decrypted and analyzed, it's okay,
Another way to steal a PIN is to install a fake keyboard in the form of an overlay. This is a much more reliable method, but it requires the manufacture of this very keyboard. The keyboard is made in such a way as to transfer mechanical impact to the ATM PIN-pad, but at the same time the device records which keys were pressed.
It is very important that the keyboard looks very similar to the original one, so that it does not stand out from the ATM design, but rather repeats the original one.
The overhead keyboard and the skimmer have their own electronics, which records all this, and maybe - and transmits information via a wireless communication channel.
The skimmer works only with the magnetic stripe of the card, and is not able to interact with the chip in any way. Firstly, there is no time to read data from the chip (the card gets into the card reader rather quickly), and secondly, it is pointless: transactions using the chip are protected very well, there is nothing to steal there. But if the card contains both a chip and a magnetic stripe, it already makes sense to steal the track, so that later it can be used in the fallback.
It is clear that there are not many protections against the installation of a skimmer. First of all, it is a change in the algorithm of the card capture reader. Usually a skimmer is a very small piece, there is simply nowhere to insert something else besides the magnetic head. It is not yet possible to integrate an adequate sensor of the speed of movement of the card, and even so that it is sufficiently accurate. Therefore, if you force the card capture reader to move the card unevenly and slowly, a simple skimmer will not be able to correctly read the data from the magnetic stripe.
The second obvious way is to change the lining of the ATM so that it would be impossible to install the skimmer unnoticed. In practice, both methods are used simultaneously. An overlay is installed on the card capture reader, which makes it impossible to invisibly install the skimmer on top of it, and the card capture reader moves the card unevenly to confuse a possible skimmer.
Unfortunately, skimmers are evolving too. And there are samples that are hidden right inside the card collector, they are so thin and compact.
The main security measure that should be used is vigilance
If possible, do not use unfamiliar ATMs. If necessary, choose ATMs in places where there are more chances for high-quality security and video surveillance. Familiar ATMs, try to remember what they look like so that inappropriate changes in the design would immediately alert you. And if something alarmed, it is better not to use it.Also, as far as I know, carders have a division of labor. Some make money by stealing information (card data, PINs) and then selling it, others buy and use this information - they make fake cards, where they record stolen tracks, etc. Therefore, in most cases, it is not a specific card or a specific cardholder that comes under attack, but the card whose data is easiest to steal and use. Therefore, any security measures are justified, because they significantly reduce the chance of being stolen specifically for your card.
