Tomcat
A new way of stealing data and money from bank cards has been identified: shimming. Instead of the cumbersome overlays previously fitted over the ATM's card slot (skimmers), fraudsters now use a flexible board that is inserted through this slot into the ATM. This was reported by Cisco Systems specialist Jamie Heery in the Cisco Security Expert blog, citing the ATM manufacturer Diebold.
The “shim” is installed as follows: a carrier card is inserted into the card reader, and with its help a thin “shim” is attached to the contacts that read data from cards, after which the carrier card is removed. From then on, data read from real cards is written to the “shim”. The data is used to produce duplicate cards with which fraudsters can withdraw funds.
The main difference between the new method and the previous one, skimming, is that the "shim" is invisible to the ATM user. The thickness of the "shim" must not exceed 0.1 mm, and it itself must be flexible enough to fit into an ATM.
As can be understood from this description, such devices are difficult to manufacture, but Jamie Heery has information that at least one criminal group has already set up production of “shims”. According to Heery, the new method of fraud is already in use in some European countries.
“However, we do not yet know anything about its use in Russia,” said Ivan Strigin, systems engineer at Diebold in Russia and the CIS. “To combat all known methods of skimming attacks on ATMs (including shimming), we already have a portfolio of anti-skimming solutions and a remote monitoring service, Diebold ATM Security Protection Suite. The portfolio includes a special device that creates an electromagnetic field around the ATM and prevents a skimmer or shimmer from reading information from the magnetic stripe of a bank card in card readers, so that the cardholder's data is reliably protected.”
Thus, shimming has not yet replaced skimming in Russia, that is, the use of devices installed on an ATM's card reader with subsequent forgery of the card. “Attackers love to use mechanical devices as well. For example, criminals install hooks and probes in a card reader, cards get stuck in an ATM, and it becomes possible to steal them. This type of fraud is called phishing,” said a Diebold spokesman.
In Russia, other methods of ATM fraud are also used. For example, in order to steal PIN codes and personal information of customers, criminals install miniature video cameras near ATMs. “In addition, criminals can intercept PIN codes when they are sent from the keyboard to the internal computer. For these purposes, wire taps in ATMs are used or the electromagnetic radiation of the ATM wiring is remotely recorded,” says Ivan Strigin. “Various methods of capturing and retrieving banknotes from an ATM presenter are also common.”
Another method requires more skill - manipulation of the operating system of ATMs. In order to steal money and obtain information about accounts, fraudsters need to invade the computer network of ATMs. “In addition, hackers create small programs called viruses and worms that spread themselves over the Internet and can cause serious damage to the computer inside the ATM,” the expert lists.
Although there are no statistics on fraudulent attacks on ATMs in Russia, it is safe to say that there are not very many cases of “card” fraud in Russia compared to their total number in the world, according to Alexey Drucker, head of card system administration and support in the card programs department of Moskommertsbank. “Most of the fraudulent transactions with cards issued in Russia take place abroad,” the expert says. “In other words, most of the information theft also takes place abroad. For example, when a person on vacation paid in a cafe or hotel, and the information was stolen.”
Alexander Vishnyakov, Director of the Card Business and Remote Servicing Department of Unicredit Bank, said: “I have great doubts that this technology will become widespread in our country. Judging by the description, this is technically quite difficult to implement, and, accordingly, quite expensive. It is much easier for fraudsters to make skimming devices more invisible.”
While some traditional advice can be given against skimming (do not tell anyone your PIN code, set up SMS notifications about the state of the account, use an ATM that is under video surveillance and in a crowded place, pay attention to its appearance, and do not leave the receipt at the ATM), an ordinary user cannot protect himself from shimming. “In the case of shimming, you won't be able to see any external devices,” says Alexey Drucker from Moskommertsbank.
“The main recommendation is to acquire chip cards that are protected from this type of fraud. In this case, this is the most reliable way, and it is no coincidence that our bank is switching to chip cards this year,” said Alexander Vishnyakov from Unicredit. “This, of course, will not be able to prevent reading the magnetic stripe of the card and its subsequent copying, but it will help the client to return his money later,” adds the expert of Moskommertsbank. “The fact is that it is impossible to copy information from the chip, at least at the moment such facts have not been recorded. When using such a card, the ATM client is obliged to authorize using the data of the chip, not the magnetic stripe, and in case of impossibility of authorization using the chip, create a transaction of the Fallback type.” This means that in almost 100% of cases of fraudulent transactions, the responsibility will fall on the acquiring bank that owns the ATM. In other words, the client will have a much better chance of contesting such an operation, Drucker concluded. In addition, fraudsters prefer not to get involved with counterfeiting such cards, as it is too complicated and expensive, notes Denis Khrenov, Vice President of Interkommerts Bank.
“To be honest, despite the desire to maximally protect the client, his card and the introduction of new technological solutions, the level of fraud is not decreasing,” said Dmitry Orlov, vice president of the First Republican Bank. “As the main recommendation, it is probably worth advising clients to use the card more often as a payment instrument, and not as a means of receiving cash.”
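The chip-versus-stripe rule described above can be monitored on the issuer side. The following is an added example, not part of the original post: it labels authorizations by how the card was read, flags magnetic-stripe reads of chip cards that were not declared as Fallback, and lists terminals where chip reads keep failing. The record fields, the entry-mode codes and the thresholds are assumptions.

```python
from collections import Counter

# Assumed ISO 8583 field 22 entry-mode prefixes; card networks differ in detail.
CHIP_READ = "05"
FALLBACK = "80"            # chip read failed, stripe used and declared as such
STRIPE_READ = ("02", "90")

def is_chip_card(service_code):
    """Leading service-code digit 2 or 6 marks a card that carries a chip."""
    return service_code[:1] in ("2", "6")

def classify(txn):
    """Label one authorization by how the card was actually read."""
    mode = txn["entry_mode"][:2]
    if mode == CHIP_READ:
        return "chip"
    if mode == FALLBACK:
        return "fallback"
    if mode in STRIPE_READ and is_chip_card(txn["service_code"]):
        # Stripe data of a chip card, not declared as fallback: the pattern
        # a magnetic-stripe duplicate of a chip card produces.
        return "stripe_on_chip_card"
    return "magstripe"

def fallback_heavy_terminals(txns, min_count=3, min_ratio=0.5):
    """Terminals whose chip reads keep failing, worth a physical inspection."""
    total, fallback = Counter(), Counter()
    for t in txns:
        total[t["terminal"]] += 1
        if classify(t) == "fallback":
            fallback[t["terminal"]] += 1
    return sorted(term for term, n in fallback.items()
                  if n >= min_count and n / total[term] >= min_ratio)

# Constructed sample records (hypothetical terminals, tokens instead of card numbers).
SAMPLE = [
    {"terminal": "ATM-A", "card": "tok1", "service_code": "201", "entry_mode": "051"},
    {"terminal": "ATM-A", "card": "tok2", "service_code": "201", "entry_mode": "801"},
    {"terminal": "ATM-B", "card": "tok1", "service_code": "201", "entry_mode": "901"},
    {"terminal": "ATM-C", "card": "tok3", "service_code": "101", "entry_mode": "901"},
    {"terminal": "ATM-D", "card": "tok4", "service_code": "601", "entry_mode": "801"},
    {"terminal": "ATM-D", "card": "tok5", "service_code": "201", "entry_mode": "801"},
    {"terminal": "ATM-D", "card": "tok6", "service_code": "201", "entry_mode": "801"},
    {"terminal": "ATM-D", "card": "tok7", "service_code": "201", "entry_mode": "051"},
]

if __name__ == "__main__":
    for t in SAMPLE:
        print(t["terminal"], t["card"], classify(t))
    print("inspect:", fallback_heavy_terminals(SAMPLE))
```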