Do you use ATM and Card swipe machine, then you must know how hackers are hacking your data through card skimming and shimming?
Skimmers are essentially malicious card readers attached to the real transactional terminals like ATM and POS (card reader), to steal data from every person that swipes their cards. It is a type of credit and debit card theft where cyber criminals use a small device to steal card information. When a credit or debit card is swiped through a skimmer, the device captures and stores all the details stored in the card's magnetic stripe i.e. the card number, expiration date, CVV and the card holder's full name. Cyber criminals use this stolen data to make online fraudulent activities with a counterfeit credit card.
The typical ATM skimmer is a device smaller than a deck of cards that fits over the existing card reader. The below picture shows a real-life skimmer in use on an ATM. You can see how the grey arrows are very close to the yellow reader housing, almost overlapping. That is a sign a skimmer was installed over the existing one.
Most of the time, the attackers will also place a hidden camera somewhere in the vicinity with a view of the number pad in order to record personal identification numbers, or PIN. The camera may be in the card reader, mounted at the top of the ATM, or even just to the side inside a plastic case holding brochures. Some criminals may install a fake PIN pad over the actual keyboard to capture the PIN directly, bypassing the need for a camera. The below picture shows the hidden camera and the skimmer keypad placed over the original keypad.
On February 8,2009, a customer at an ATM at a Bank of America branch in Sun Valley, Calif., spotted a silver, plexiglass device had been attached to the ATM card acceptance slot, in a bid to steal card data from unsuspecting ATM users. But the customer and the bank’s employees initially overlooked a secondary fraud device that the unknown thief had left at the scene i.e. a sophisticated, battery operated and motion activated camera designed to record victims entering their personal identification numbers at the ATM.
Door Skimming:
In many ATM counter, at the door, card inserting machine is seen, as shown in below figure. It is easy for criminals to get your card details from the door itself.
Card Shimming:
A shimmer, acts as a shim which sits between the chip on the card and the chip reader in the ATM or point-of-sale device and record the data on the chip as it is read by the underlying machine.
The increased use of card swiping machine in petrol bunk, hotel, shopping mall and in every small and big place has opened the way for cyber criminals to get our card details. Now for rupees 100, 500 we are swiping our card everywhere without having the idea that the machine can be tampered.
OTP Bypass:
And very surprisingly to bypass the OTP, the ATM server is first hacked and then the OTP is route to mobile number of hackers. The mobile number which has been used by the cyber criminals later get deactivated. Moreover, there are some foreign payment gateway where financial transaction can be done without OTP.
Now the question arises starting from village to city there are thousand numbers of ATM. In some ATM counter there is security and in some ATM, there is CCTV. But some ATM counters are open with no CCTV and security. Some ATM counters are out of service and not maintained from a long time. But still people go and swipe their card to draw their money in urgency and the machine gives the reply that it is temporarily out of service. But who will give us the guarantee that these ATM machines are not tampered? Similarly in petrol bunk, hotel, and shop everywhere without hesitation we are swapping our card. In these places everyday employees’ changes, so it will be very easy for the criminals to come as employee, insert the chip and collect the data where per day they can get thousands of data.
So now the time has come for Bank authorities to wake up and instead of giving only the message i.e. “Please do not share your OTP, pin and card details”, they should counter the criminals by the high end technologies because data can also be theft without sharing. They should also appoint employees to regularly audit the ATMs to check the ATM tampering. And also government should audit it through its cyber forensic department.
Government should also specially monitor and audit the card swiping machine. It should also apply some restriction to business man in its use.
Business persons also should take necessary precaution for the card swiping machine because in foreign countries it has been seen that criminals are coming as employees and inserting that chip. So it is very essential that the card swiping machine should be kept and monitor in CCTV surveillance. And it should be regularly checked whether it is tampered or not.
All ready from past few years lots of mass hacking is happening in India. But with only one message bank authorities are sleeping. This is also the time for consumers to raise the question to bank that how far their data is secured through this ATM and Card swiping machine?And consumers also should try to use their card in those ATMs which are in bank premises and secure through CCTV. But they should not use their card in any unused ATMs. Any irregularity in ATM should be informed to bank authority and police.