Audio ATM Skimming Comeback

Europe Reports Uptick in Skimming Devices that Record Card Details
Audio ATM Skimming Comeback

In its just released update about European ATM skimming trends, the European ATM Security Team says analog skimming devices that incorporate MP3 and MP4 players are on an upswing.

Skimming devices come in two basic forms: analog and digital. Analog devices rely on wave technology, such as sound waves, while digital devices rely on basic data, like binary code. And analog skimming devices that rely on audio technology are not new. They've been around since the early 1990s.

In 1992, hacking news site Phrack Magazine published a paper about how some mag-stripe card details include audio tones and offered details about how a hacker could easily record that card data with the right equipment.

McAfee consultant Robert Siciliano likens these card details to touch-tones on an analog telephone. "Each number [on the magnetic stripe] has a certain frequency that can be decoded," he says. With audio technology, fraudsters simply record that frequency.

Like many schemes, the method of skimming by sound disappeared for a while. But the use of MP3 and MP4 players adds a new twist. Rather than relying on cassettes, fraudsters have upgraded, now using MP3 technology to record card data as an audio file that's saved to a flash drive.

"Criminal hackers are a resourceful and adventurous bunch," Siciliano says. "The original fun-and-fame ego hacks are back. Plus, the technology behind an analog skimmer, in some cases, may be cheaper and easier to replicate than the advanced SMS or manual read skimmers."

Analog skimmers lost popularity for a while, but the downturn in the economy has likely fueled fraudsters' renewed interest.

Cash Trapping Continues

Another low-tech ATM fraud scheme that has continued to see renewed interest is cash-trapping. In May, EAST reported a 69 percent increase in ATM fraud incidents for the first half of 2011, relative to the first six months of 2010. The catalyst for the increase: a surge in ATM cash-trapping in 11 of the 23 European states' EAST reviews.

In a cash-trapping attack, an ATM's cash dispenser is manipulated so that cash requested during a legitimate ATM withdrawal is blocked or trapped. Once the user gives up and leaves the ATM, the fraudsters come back and remove the cash.

"Sometimes innovation means taking old schemes and breathing new life into them," Siciliano says. "Banks are often the last to innovate, especially when it comes to security."

In its November update, EAST says cash trapping was reported by nine European countries. "This type of attack is increasing," EAST says. "This reflects a continuance of the trend reported in EAST's most recent European ATM Crime Report." [See ATMs Hit by Cash Trappers.]

Non-EMV Markets

EAST estimates that about 77 percent of financial losses associated with ATM skimming attacks result from incidents perpetrated in non-European markets, especially those, such as the United States, where the Europay, MasterCard, Visa standard, better known as EMV, is not mandated.

From January 2011 through September 2011, financial losses linked to ATM skimming attacks were reported in 47 countries outside the Single Euro Payments Area and 12 countries within SEPA. According to EAST, the U.S. remains the top country for skimming-related losses, followed by the Dominican Republic, Russia and Brazil. Regional card-blocking, which involves card issuers blocking domestic payments cards for use outside Europe, has been successful at curbing losses.

"The risk of counterfeit EMV cards being used to withdraw cash fraudulently from ATMs in parts of the world that are not EMV-compliant remains high and is leading some European card issuers to implement additional security measures, such as regional card blocking," says Lachlan Gunn, coordinator of EAST.


About the Author

Tracy Kitten

Tracy Kitten

Director of Global Events Content and Executive Editor, BankInfoSecurity & CUInfoSecurity

A veteran journalist with more than 20 years' experience, Kitten has covered the financial sector for the last 13 years. Before joining Information Security Media Group in 2010, where she now serves as director of global events content and executive editor of BankInfoSecurity and CUInfoSecurity, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing inforisktoday.asia, you agree to our use of cookies.