Credit card skimmers now need to fear the Reaper

Enlarge / The SkimReaper, shown here with a sample card-skimming device, can help law enforcement find and shut down card skimming operations. (credit: Sean Gallagher)

BALTIMORE—At the USENIX Security Symposium here today, University of Florida researcher Nolen Scaife presented the results of a research project he undertook with Christian Peeters and Patrick Traynor to effectively detect some types of “skimmers”—maliciously placed devices designed to surreptitiously capture the magnetic stripe data and PIN codes of debit and credit cards as they are inserted into automated teller machines and point-of-sale systems. The researchers developed SkimReaper, a device that can sense when multiple read heads are present—a telltale sign of the presence of a skimmer.

Nolen and his fellow researchers worked with data provided by the New York City Police Department (NYPD) to assess the types of credit-card-skimming gear currently in the wild. They uncovered four broad categories of skimming gear:

  • Overlays—devices that get placed on top of the slot for the ATM or point-of-sale system. They can be modeled to match a specific ATM type’s card slot or, in some cases, overlay an entire device such as a credit card reader at a retail point of sale. Overlays on ATM machines are sometimes accompanied by a keypad that is placed atop the actual keypad to collect PIN data.
  • Deep inserts—skimmers engineered to be jammed deep into the card reader slots themselves. They’re thin enough to fit under the card as it is inserted or drawn in to be read. An emerging version of this is a “smart chip” skimmer that reads EMV transactions passively, squeezed between the card slot and the EMV sensor.
  • Wiretap skimmers—devices that get installed between a terminal and the network they connect to. This suggests there’s a fundamental security problem to begin with.
  • Internal skimmers—devices installed in-line between the card reader of a terminal and the rest of its hardware. These, Scaife said, are more common in gas-pump card readers, where the attacker has a greater chance of being able to gain access to the internals without being discovered.

Overlays and deep inserts are by far the most common types of skimmers—and are increasingly difficult to detect. Police, Scaife noted, often find them only by looking for the cameras used by skimmers to capture PIN numbers, because most of the common detection tips—including trying to shake the card slot to see if it dislodges—are ineffective.

Read 3 remaining paragraphs | Comments

Biz & IT – Ars Technica