As first reported in the Q3 2015 Data Breach QuickView Report, researchers at RBS have been tracking some interesting trends this year regarding skimming. While hacking has consistently taken the top spot as the leading cause of data breaches and fraud has usually occupied second place, skimming made an unexpected appearance in the number 2 position in the third quarter of 2015. Several state-wide efforts to find and remove skimming devices at gas stations and ATMs are a driving factor behind this increase.
Almost everyone by now has heard about skimming, and while there are many forms, people typically think of it in terms of the double swiping of cards at white tablecloth restaurants and fast food joints alike. Restaurants across the United States have long struggled with employee skimming and it’s easy to understand why. Customers typically hand over their card to a server who steps away to an obscure register to complete the transaction. Outside of the U.S., this seems crazy, as payment in many cases is done right at the table and your credit card never leaves your sight. Even at the ubiquitous drive-thru window, the employee and register are partially shielded from the customer’s view while payment is made.
Reports of skimming issues have been ongoing since early 2010. However, back in June of 2014, ABC Nightline News did a story on the rise of skimming and provided quite a bit of video footage. They showed just how fast a double swipe could happen at a McDonald’s drive-thru. Customers and co-workers alike had trouble identifying the double swipe, even after knowing where to look. The story went on to say that approximately 70 credit cards per shift could be skimmed.
The ABC story further discussed the skimming issue with gas pumps and how it is causing quite a few problems. Most people are stunned to hear - and see - that no special tools or equipment are needed to open up a pump. All a person needs is a universal key that is easily bought online. Newer skimming devices have advanced to the point where, once installed, there is no need to come back to claim them again as they can send pilfered data via wireless or cell signals.
But advancements in skimming technology don’t stop there. Skimmers are now being made to complement specific models of payment terminals. Recently, Brian Krebs reported on a skimming device that was discovered attached to a terminal at a self-checkout lane at a Safeway grocery store in Maryland. The article included a picture of the device, as well as a link to a YouTube clip of a fraudster selling “Verifone condoms”.
For most people, the idea of installing a skimmer on a payment terminal inside a store seems like a very risky proposition. The assumption is it would take too long to properly install the device and would be too difficult to distract the clerk long enough to finish the task without being detected. Not so.
Recently, a video has surfaced showing an installation of a skimmer inside a convenience store in Florida. It is a quick video but definitely worth watching to see how it happens.
After looking at the clip, there are several key items that jump out:
- There is a team involved in the process to get the device installed;
- It takes only a very small amount of distraction / misdirection to ensure nothing is noticed;
- The actual installation process was ridiculously fast;
- Nothing about the perpetrators’ behavior indicates malicious intent. In fact, the blue-shirted person smiles at the clerk and waits patiently to buy his two bags of potato chips.
- The register transactions are recorded as part of the video footage.
Although it might have been good for the fraudsters to test the skimmer installation by paying with a credit card, they paid with cash, as you might have expected.
As with most things related to cyber security, it is an arms race. Skimming has been a sizable problem for many years. Chip-embedded cards and the related processing technology have yet to make an impact on skimming activity, and given the ease of new skimmer technology, expect the cat-and-mouse game to continue.