You might have heard about it. You might even have experienced it. Skimming fraud is a very simple yet very clever way to abuse credit card credentials in order to steal money. When you discover the fraud, it is usually too late – your bank account is empty. Nobody likes it for sure, but how does it work and what can one do to prevent it?
Credit card fraud has been around almost since the invention of the credit card. In the course of time, the security of the card itself was upgraded to new standards several times. For example, holograms, U.V. coating and embossed text are only some of the security features that have been added over the years to prevent making of fake credit cards. However, these security features do not prevent cloning of a genuine credit card!
Con men will usually aim for the weakest link. So, if you want to empty someone’s bank account and get immediate cash, the best way is to, probably, steal the credit card or – and this is where skimming fraud comes in – make a clone of it. And here is how to do it.
In order to make a realistic clone, several pieces of information are needed. The credit card number, of course, is the most important piece. But this alone is no longer sufficient, as transactions are now protected with an additional element. In Europe, most of the time, physical transactions need a secret PIN code which only the actual card holder would know. Transactions over the internet are protected with similar security elements, such as the CSC (Card Security Code).
Today, most real-life card transactions are made through EMV (Europay Mastercard Visa), a protocol based on communication with an electronic chip which is inside the credit card. While EMV is now mandatory for all bank ATMs in Europe, credit cards still include a magnetic stripe where the mandatory information (with the exception of the PIN code) is stored on. However, with today’s existing technologies, this magnetic stripe can be easily replicated. Why is it still being kept then? Well, every time you have to deal with security in applications for everyday use, your good old friend from the backward compatibility dept. is going to stick its nose in it. Then, add a pinch of politics (lobbying) and business concerns (replacement costs) to it and you’ve got the answer: you must carry along this unsecure 40-year old magnetic stripe, otherwise, depending on the place, the card may simply not work!
So, the first part of skimming consists of copying the magnetic stripe. This is done by adding a piece of hardware which resembles the card reader to the front panel of an ATM. When the card is inserted in the ATM, this piece of hardware will read the magnetic stripe on the fly and store information in the memory. Such skimming devices can run for days without being noticed and store thousands of credit card numbers and owners’ names.
The skimming mastermind is not there yet as he now needs the secret PIN code as well. Two techniques can be used to get it. The first one is to hide a small camera somewhere near the compromised ATM. For example, it could be on the top of it, behind a piece of plastic, looking like a real part of the ATM. This camera is synchronized with the skimming device and will record fingers typing the PIN code on the keyboard of the ATM. With today’s huge storage capacity in flash memory (think of a USB stick), such a camera is able to record several hours of video. With an addition of a motion detector, capacity increases to days. It may sound like you need the gadgets of James Bond but these little video cameras are now available at any electronics store for a mere 20 dollars.
Another way to retrieve the PIN code is to add a fake keyboard to an ATM. This fake keyboard looks exactly like the real one except that it records typing, effectively acting as a man-in-the-middle between the user and the machine.
So, as a card holder, what should you do? It is considered good practice to check an ATM for added hardware before inserting a credit card. This, in fact, should become a habit when using a credit card on any public payment terminal in banks, shops, parking lots or train stations. Illusion can be so real, take your time to inspect the terminal! The skimming device as well as the camera or the keyboard typically are held in place by a double-sided tape. But one thing is certain – ATMs are not meant to fall apart. They can withstand hundreds of thousands of transactions a day. A loose keyboard should always raise suspicions.
If you find a skimming device, avoid touching it, unless absolutely necessary. Do not use your credit card or cancel the transaction if you have not yet entered your PIN code. You should try to alert the owner of the ATM or the police. But be forewarned – the bad guys are usually nearby, watching. They may as well try to get their property back by distracting you; for example, offering you help or pretending to be employees of the bank. If this happens, do not object, except if you work as a bodyguard or have a black belt in martial arts. Your life is worth more than a piece of plastic.
Kudelski Security Research 
Thank you for this Very interesting and informative article
Excellent overview and thanks for increasing the public awareness levels !
Thanks for the heads-up!
Fortunately the burglar association as step in and convinced the VISA and Mastercard (and probably others) and now a days almost all Credit Cards include a NFC chip in it… so the thief’s can just get the data directly from the persons without even needing to have physical access to the cards or even seeing them! Just a good antenna and few electronics and you are in “business”.
The Credit Card company’s are definitely doing anything and everything they can to allow people to be in trouble without having any choice other than stop using the thing completely.
And governments are doing nothing to protect people from this criminals that produce this absolute insecure technology!