SoylentNews is people

posted by mrpg on Thursday January 05 2017, @03:00PM
from the blame-magnetism dept.

According to a story on bankinfosecurity, ATM and pay at the pump terminal attacks will increase in 2017.

Localized skimming attacks, whether waged against ATMs or self-service gas pumps, continue to wreak havoc on banks and credit unions. "It's death by a thousand cuts," one executive with a leading card issuer on the West Coast tells me.

As 2016 drew to a close, we got yet another reminder of the problem when federal prosecutors announced that a Romanian man pleaded guilty to using counterfeit cards to steal $127,000 from several New York banks in 2015, according to The Associated Press. The defendant, Illie Sitariu, confessed to authorities that he and an unnamed accomplice stole card data and PINs with skimming devices and pinhole cameras they had attached to various ATMs, including those owned by Capital Region, First Niagara Bank, Trustco Bank and Berkshire Bank, according to court records.

The continued rollout of EMV support at merchant Point Of Sale terminals has forced a shift in the target.

U.S. retailers are working overtime to get their EMV POS terminals up and running. Merchants that are still accepting mag-stripe cards have seen significant upticks in chargebacks for counterfeit fraud since October 2015, when the EMV fraud liability shift took effect. In 2017, those retailers want to reduce their chargebacks as much as possible.

[...] Today, ATMs and self-service gas pumps are the easiest targets because most of these terminals are still not yet accepting chip transactions. And that likely won't change until they're impacted by the fraud liability shift.

For ATMs, Visa's liability shift takes place in October 2017. (MasterCard's shift was October 2016, but MasterCard has not reported totals for ATMs that are now accepting chip transactions on its cards.) For self-serve gas pumps, the liability shift for both Visa and MasterCard is not until October 2020.

[...] And the biggest skimming worry in 2017 will be attacks like the one waged by the Romanian and his unnamed accomplice in New York.

Skimming attacks that capture magnetic-stripe details and PINs enable fraudsters to clone debit cards that can be used at ATMs for fraudulent cash withdrawals. It's not a new scheme or a complicated one; but it is a scheme that has proven effective and profitable for criminals.



Related Stories

Visa, MasterCard Agree to Give Gas Pumps a Break on EMV Shift 36 comments

According to an article in BankInfo Security, Visa and Mastercard have given fuel pump terminal vendors an additional 3 years to add support for EMV.

Visa and MasterCard announced this week that they are pushing back their liability shift dates for counterfeit card fraud that results at non-EMV chip-compliant U.S. pay-at-the-pump gas terminals to October 2020 from October 2017.

That news is an early Christmas gift for convenience-store operators and the petrol industry, even if it leaves issuers on the hook three years longer for counterfeit fraud that might result from a hack or skimming attack at self-serve gas pumps.

But I wonder how much fuss issuers will make about the extension. Counterfeit card fraud at gas pumps pales relative to retail point-of-sale and ecommerce fraud. And despite what we heard five years ago about pay-at-the-pump skimming reaching nearly "epidemic" proportions, we hear much less about it today. That's not to say it's gone away, by any means; but it no longer appears to be a looming epidemic.

Visa and MasterCard made the right decision to give gas pumps a break on EMV. The question now is, will the three year extension be enough?



This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 2) by donkeyhotay on Thursday January 05 2017, @03:13PM

    by donkeyhotay (2540) on Thursday January 05 2017, @03:13PM (#449786)

    Lately, I've taken to getting cash when I'm buying stuff at the store, pharmacy, etc. It seems less likely for there to be a skimmer at the register. Plus those places use the EMV technology. Am I right, or are these locations just as vulnerable?

    • (Score: 1, Informative) by Anonymous Coward on Thursday January 05 2017, @03:53PM

      by Anonymous Coward on Thursday January 05 2017, @03:53PM (#449793)

      They are vulnerable. They are less vulnerable than a gas pump or atm because there are more people around. But think of all the times that a checkout line is closed. An experienced thief can install a skimmer in a matter of seconds so there is plenty of opportunity to install them.

      Here's info on skimmers found at walmart. [krebsonsecurity.com]

      • (Score: 2) by DeathMonkey on Thursday January 05 2017, @07:06PM

        by DeathMonkey (1380) on Thursday January 05 2017, @07:06PM (#449871) Journal

        Those Walmart skimmers appear to only work when a card is swiped. The GP says he is using a chip card so his method is more secure and not just via more eyes on the terminal.

        • (Score: 0) by Anonymous Coward on Thursday January 05 2017, @09:59PM

          by Anonymous Coward on Thursday January 05 2017, @09:59PM (#449956)

          Chip without pin isn't inherently all that more secure than swiping.
          Especially since most chip terminals have swipe fallback.
          So all you gotta do is make your fake terminal pretend to fall back.

  • (Score: 1) by nitehawk214 on Thursday January 05 2017, @04:12PM

    by nitehawk214 (1304) on Thursday January 05 2017, @04:12PM (#449796)

    The problem is that stores with skimmers installed are not the ones taking losses, so they simply don't need to care about it. The skimmed cards are taken elsewhere to commit fraud.

    Until someone starts holding companies that have skimmers liable somehow, nothing will change.

    --
    "Don't you ever miss the days when you used to be nostalgic?" -Loiosh
    • (Score: 2) by FatPhil on Thursday January 05 2017, @04:16PM

      by FatPhil (863) <{pc-soylent} {at} {asdf.fi}> on Thursday January 05 2017, @04:16PM (#449798) Homepage
      Stores don't have skimmers installed. Unattended vending locations have skimmers installed.
      --
      Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
      • (Score: 4, Informative) by bootsy on Thursday January 05 2017, @04:47PM

        by bootsy (3440) on Thursday January 05 2017, @04:47PM (#449806)

        Alas stores do have skimmers as you cannot always trust their staff. One of my local stores was raided by police a few years ago as some of the staff had been happily skimming details and sending them onwards to have cards cloned.

        The usual trick with chip and pin is to send the clone over to the US where just the magnetic strip is needed at present.

        It's disconcerting when your bank calls you to ask why you are using your bank card 3000 miles away from where you physically are.

        It is possible to rig the chip so that it always sends back true as well. When you type in your code into the terminal, it asks the chip on the card if the code is valid. There have been attacks where the chip is replaced with a device that always says whatever is typed is correct.

        • (Score: 3, Interesting) by FatPhil on Thursday January 05 2017, @05:04PM

          by FatPhil (863) <{pc-soylent} {at} {asdf.fi}> on Thursday January 05 2017, @05:04PM (#449813) Homepage
          The only 2 instances of a bank phoning a card owner regarding possible fraud are:

          1) UK Bank phones me at home in the midlands, asks for my lodger, who I explain is on holiday. They ask "where to?", and I say "how can I trust you, I don't know you're the bank", and then they said "um, erm, uh, ahh, erm, is it possible he's getting cash-back at a whole bunch of petrol stations?", to which I say "yes, that's him all over, he hates going to banks. He's heading down south?". "Yup". "OK, that's no fraud, that's him on holiday". "Thank you." >click<. I like the way we leaked just a small bit of information at a time to finally come to a mutually trusted conclusion without either end actually authenticating each other (the "um, err" bit was actually a couple more steps that I forget). We both knew just enough about him to trust that the other also knew non-public things about him.

          2) US bank phones my g/f in the UK saying "Did you use your card at a gas station in Texas recently?". "Nope, I'm in the UK." "Probably another card generated with a random number, then. You're only liable for the first $50." "I'm not fucking liable for anything you runts!" "Oh, shit, you caught us out, indeed you aren't actually liable for card fraud, but we try and get away with that $50 whenever we can." (which might be a slight paraphrase). What Bullshit Artists!
          --
          Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
          • (Score: 2) by FatPhil on Thursday January 05 2017, @10:15PM

            by FatPhil (863) <{pc-soylent} {at} {asdf.fi}> on Thursday January 05 2017, @10:15PM (#449963) Homepage
            Oh, we left the UK in 2000. Since then we've been chip and pin. And never encountered any card fraud. We've upped our game; up yours.
            --
            Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
            • (Score: 0) by Anonymous Coward on Thursday January 05 2017, @11:25PM

              by Anonymous Coward on Thursday January 05 2017, @11:25PM (#449994)

              We left the UK in 1776, you chump. Up yours, as well.

              • (Score: 2) by FatPhil on Friday January 06 2017, @01:26AM

                by FatPhil (863) <{pc-soylent} {at} {asdf.fi}> on Friday January 06 2017, @01:26AM (#450031) Homepage
                Yeah, but you didn't up your game. Have you not noticed you're still the wild west?
                --
                Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
      • (Score: 2) by dry on Friday January 06 2017, @05:01AM

        by dry (223) on Friday January 06 2017, @05:01AM (#450102) Journal

        Saw a show on skimmers a while back. It's surprising how fast a card reader can be swapped or modified in a store while the cashier is distracted. Swapped back at the end of the day as well.

        • (Score: 2) by FatPhil on Friday January 06 2017, @10:53AM

          by FatPhil (863) <{pc-soylent} {at} {asdf.fi}> on Friday January 06 2017, @10:53AM (#450165) Homepage
          The wifi-ones, I can believe you can hand back a different plausible-looking box very easily.
          How you switch one on the end of a cable, I'm not sure.
          --
          Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
          • (Score: 2) by dry on Sunday January 08 2017, @03:19AM

            by dry (223) on Sunday January 08 2017, @03:19AM (#450928) Journal

            It's been a while and I might be misremembering but I believe they were actually modifying the reader in the case of wired ones.

    • (Score: 2, Interesting) by nitehawk214 on Thursday January 05 2017, @04:56PM

      by nitehawk214 (1304) on Thursday January 05 2017, @04:56PM (#449810)
      --
      "Don't you ever miss the days when you used to be nostalgic?" -Loiosh
      • (Score: 0) by Anonymous Coward on Thursday January 05 2017, @10:47PM

        by Anonymous Coward on Thursday January 05 2017, @10:47PM (#449978)

        Not Trump. I was guessing it would be Trump.

  • (Score: 4, Informative) by FatPhil on Thursday January 05 2017, @04:27PM

    by FatPhil (863) <{pc-soylent} {at} {asdf.fi}> on Thursday January 05 2017, @04:27PM (#449802) Homepage
    "U.S. retailers are working overtime to get their EMV POS terminals up and running"

    No they haven't. They've been sitting on their arses for *two decades* whilst the rest of the civilised world was installing chip-and-pin. Even the normally-tardy UK banks have been issuing nothing but chip and pin cards for a decade, over a decade behind countries like France.

    So, it's come to this? I, a Brit, have complemented France.
    --
    Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
    • (Score: 1, Informative) by Anonymous Coward on Thursday January 05 2017, @05:54PM

      by Anonymous Coward on Thursday January 05 2017, @05:54PM (#449833)

      My pedantometer made me learn something today!

      Website late to the domain game... but clarifies complement and compliment [elearnenglishlanguage.com]

      The brits really do complement the french. One has better food, the other has better attitudes, and even after all the wars you all connected yourselves with a giant tunnel! Truly a match made... somewhere.

      • (Score: 2) by GungnirSniper on Thursday January 05 2017, @06:50PM

        by GungnirSniper (1671) on Thursday January 05 2017, @06:50PM (#449859) Journal

        A big tunnel like that only needs one well-placed hit to take the whole thing out, and even better can take out the enemy troops using it.

        I've read that the reason US retailers don't like the current chip and pin system is that every transaction must be processed immediately, which is slow. In Europe, they can batch the transactions and do them later, so it's faster at the point of sale.

        • (Score: 2) by bob_super on Thursday January 05 2017, @08:24PM

          by bob_super (1357) on Thursday January 05 2017, @08:24PM (#449914)

          The chip can authenticate the pin, and stores successful and missed attempts.
          You don't need to dial in to approve the transaction. The chip generates a unique code that tells the bank that the card and pin were present.
          80's tech...

        • (Score: 1, Funny) by Anonymous Coward on Thursday January 05 2017, @09:16PM

          by Anonymous Coward on Thursday January 05 2017, @09:16PM (#449937)

          https://floodthechunnel.org.uk/ [floodthechunnel.org.uk]

        • (Score: 2) by FatPhil on Friday January 06 2017, @01:25AM

          by FatPhil (863) <{pc-soylent} {at} {asdf.fi}> on Friday January 06 2017, @01:25AM (#450030) Homepage
          I'm in different countries a lot (OK, the same few countries over and over again, but still, I perform many international transactions).
          Sometimes the remote verification of the transaction happens quicker than the local PIN verification stage. Both of which together are quicker than the time it takes me to get my wallet back out of my back pocket because I stupidly put it back there after getting the card out. At no point has the need for immediacy been the thing that slows things down, except in the very rare (<1/100) cases where there's been a complete failure, which is only something like a 5s timeout, in which case the bank has not verified I have the funds to pay, and I certainly don't want a transaction to proceed in that case, as I don't want to go overdrawn because they trusted me as I've got a pretty face.
          --
          Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
      • (Score: 1, Funny) by Anonymous Coward on Friday January 06 2017, @04:18AM

        by Anonymous Coward on Friday January 06 2017, @04:18AM (#450087)

        The brits really do complement the french. One has better food, the other has better attitudes...

        Something I read on the internet: "You really should pity the Canadians. They could have had French cooking, British culture and American technology. Instead they got French technology, British cooking and American culture."

    • (Score: 1, Interesting) by Anonymous Coward on Thursday January 05 2017, @06:16PM

      by Anonymous Coward on Thursday January 05 2017, @06:16PM (#449842)

      I think the grocery store is the only place I go that doesn't have a business card stuck in the chip slot with "swipe only" written in magic marker.

      Thing is, about 6 months ago or so, they were all taking chip transactions. Then they stopped. The 2-5 minute wait for the transaction to happen probably did it.

      • (Score: 2) by gidds on Friday January 06 2017, @01:02PM

        by gidds (589) on Friday January 06 2017, @01:02PM (#450193)

        2–5 minutes???  Someone's doing it wrong, then!

        Here (UK), even in restaurants and corner shops it rarely takes more than 20–30 seconds.  Everything's been chip-and-pin for yonks; I don't think I've swiped a card* for, well, probably over a decade.  In fact, I'd be surprised if it was still an option in most places.

        (* Financial cards, that is.  I still have to swipe an ID card to get into work.  And I'm excluding the cinema which dispensed pre-paid tickets after swiping the card used to buy them, as that was just purely for identification and not a transaction.)

        For a country that prides itself on technological progress, the USA can seem really backward at times!

        --
        [sig redacted]
  • (Score: 0) by Anonymous Coward on Friday January 06 2017, @08:59AM

    by Anonymous Coward on Friday January 06 2017, @08:59AM (#450147)

    What is this so-called "liability shift" referenced four times in the summary but not defined?