What Happens When the 'Internet of Things' Comes to ATM Skimmers
When Cisco Systems CEO John Chambers extols the virtues of the so-called Internet of Things, this clearly isn't what he has in mind.
Criminals engaged in skimming -- stealing people's payment card information by tampering with ATM PIN pads and gas station credit-card readers -- are now exploiting wireless technology to pull off their schemes more easily, according to a report from Verizon that examined data breaches from 95 countries.
While cyber-crooks are known for stealing reams of information from the comforts of their home, skimming, on the other hand, requires a lot of physical effort on location. For example, thieves must visit the targeted ATM and install a fake PIN pad designed to trick consumers into providing card information. Security blogger Brian Krebs has long covered skimming and has images that show how realistic some of the devices look.
Then the scammers must retrieve the data. That's usually done by returning to the scene of the crime to uninstall the false fronts they've placed on the machines. All of this must be done without drawing attention from workers, customers or anyone walking by.
But now, hackers are modifying their methods by using Internet connections to send the contraband to themselves via e-mails and text messages that travel hundreds of feet or even across oceans, according to Bryan Sartin, director of the team that investigates data breaches for Verizon.
"Data breaches on the whole are getting less sophisticated and more repetitive, and this is one of those few areas where you see things getting more complex - it's definitely keeping us on our toes," Sartin said in an interview. "It just blows you away how sophisticated these folks are in thinking this stuff up."
Most skimmer attackers in 2013 were from Bulgaria, followed by Armenia, Romania, Brazil and the United States, according to the Verizon report, which looked at a total of 130 incidents from last year. The breaches mostly involved ATMs and gas pumps.
While skimming is a tiny fraction of overall cyber-crime, the techniques being used highlight the lengths hackers are willing to go to circumvent data-security protections. They want debit-card numbers and PINs, which are usually encrypted by the time they hit a retailer's server. That means the attacker must steal the data earlier.
"If you can get ahold of those two, that's the Holy Grail for the crook because it gives direct access to cash," Sartin said.
To that end, Sartin said PIN pads can be found with tiny circuit boards and memory chips that were soldered with a high degree of sophistication.
The criminals will even try to gain access to the ATMs or payment machines by infiltrating the companies that service the devices in order to scout targets. Under the pretense of coming out to fix a real problem with the machines, criminals have posed as technicians.
"Sometimes they actually repair the problem and in the process plant something like this," Sartin said.