Audio ATM Skimming ComebackEurope Reports Uptick in Skimming Devices that Record Card Details
Skimming devices come in two basic forms: analog and digital. Analog devices rely on wave technology, such as sound waves, while digital devices rely on basic data, like binary code. And analog skimming devices that rely on audio technology are not new. They've been around since the early 1990s.
In 1992, hacking news site Phrack Magazine published a paper about how some mag-stripe card details include audio tones and offered details about how a hacker could easily record that card data with the right equipment.
McAfee consultant Robert Siciliano likens these card details to touch-tones on an analog telephone. "Each number [on the magnetic stripe] has a certain frequency that can be decoded," he says. With audio technology, fraudsters simply record that frequency.
Like many schemes, the method of skimming by sound disappeared for a while. But the use of MP3 and MP4 players adds a new twist. Rather than relying on cassettes, fraudsters have upgraded, now using MP3 technology to record card data as an audio file that's saved to a flash drive.
"Criminal hackers are a resourceful and adventurous bunch," Siciliano says. "The original fun-and-fame ego hacks are back. Plus, the technology behind an analog skimmer, in some cases, may be cheaper and easier to replicate than the advanced SMS or manual read skimmers."
Analog skimmers lost popularity for a while, but the downturn in the economy has likely fueled fraudsters' renewed interest.
Cash Trapping Continues
Another low-tech ATM fraud scheme that has continued to see renewed interest is cash-trapping. In May, EAST reported a 69 percent increase in ATM fraud incidents for the first half of 2011, relative to the first six months of 2010. The catalyst for the increase: a surge in ATM cash-trapping in 11 of the 23 European states' EAST reviews.
In a cash-trapping attack, an ATM's cash dispenser is manipulated so that cash requested during a legitimate ATM withdrawal is blocked or trapped. Once the user gives up and leaves the ATM, the fraudsters come back and remove the cash.
"Sometimes innovation means taking old schemes and breathing new life into them," Siciliano says. "Banks are often the last to innovate, especially when it comes to security."
In its November update, EAST says cash trapping was reported by nine European countries. "This type of attack is increasing," EAST says. "This reflects a continuance of the trend reported in EAST's most recent European ATM Crime Report." [See ATMs Hit by Cash Trappers.]
EAST estimates that about 77 percent of financial losses associated with ATM skimming attacks result from incidents perpetrated in non-European markets, especially those, such as the United States, where the Europay, MasterCard, Visa standard, better known as EMV, is not mandated.
From January 2011 through September 2011, financial losses linked to ATM skimming attacks were reported in 47 countries outside the Single Euro Payments Area and 12 countries within SEPA. According to EAST, the U.S. remains the top country for skimming-related losses, followed by the Dominican Republic, Russia and Brazil. Regional card-blocking, which involves card issuers blocking domestic payments cards for use outside Europe, has been successful at curbing losses.
"The risk of counterfeit EMV cards being used to withdraw cash fraudulently from ATMs in parts of the world that are not EMV-compliant remains high and is leading some European card issuers to implement additional security measures, such as regional card blocking," says Lachlan Gunn, coordinator of EAST.