

10 ways criminals get their debit card data

Dr. Charles Robertson, February 01, 2011

This week we are rebroadcasting our debit card fraud webinar that originally aired in September, 2010. If you haven't registered yet, you can get a spot here.

To complement the webinar, I thought I'd share 10 different ways that criminals attack their victims and get their debit card data. The better everyone understands the weaknesses, the more we can do to prevent card data theft. The sophistication required varies from little to lots, so criminals of all stripes are able to get in on the act. If only the smartest could get involved, there'd be a lot less crime we'd have to fight.

For each attack, the potential size of impact varies as well. In some cases, there is only one victim. In others, there can be millions.

To actually use cards, the most useful piece of information is the PIN. This allows the criminal to directly access cash, and elicits less attention from suspicious merchants. But even without the PIN, the card data can be used.

So what are these 10 ways?

1. Steal cards

Attack sophistication: low     Scale of attack: small

The simplest way for a criminal to get card data is to steal someone's card. To get the PIN, the thief might shoulder surf or guess a weak password, such as a birthdate.

2. Steal machines

Attack sophistication: low     Scale of attack: moderate

A criminal might decide to steal either an ATM or a POS terminal. Cash can be pulled from the ATMs, but both types of machines could store card numbers if misconfigured. A stolen machine is also valuable for learning about its weaknesses or ways to physically attack it.

3. Offline account takeover

Attack sophistication: moderate     Scale of attack: small

Breaking into mailboxes and stealing bank statements or other personal information can let a criminal conduct identity theft. Often he'll try to change the victim's mailing address with the bank, order a new card, and activate it. If the bank has good processes in place that are adhered to, then this type of attack can be stopped.

4. Separate skimming device

Attack sophistication: low     Scale of attack: moderate

If a deft criminal can get a hold of a card for a few seconds, then he or she can swipe it through a reader and get its data.

5. Overlaid skimming devices

Attack sophistication: low     Scale of attack: moderate

In this case, the criminal places a card reader over the machine's intrinsic reader. He might also attach a video camera or a PIN-pad overlay to capture the PIN.

6. Internal skimming devices

Attack sophistication: moderate     Scale of attack: large

More adroit criminals could place a skimming device inside a terminal, such as at a gas pump. The skimmer intercepts messages on the data lines, and is tough to detect without opening up machines.

7. Hijacked terminals

Attack sophistication: high     Scale of attack: moderate

A terminal can be hijacked by replacing the operating system with a compromised one. ATMs with remote control capabilities that are left at their default (and insecure) settings might offer an avenue of attack. Stolen machines might also be modified and then used to replace an existing, non-compromised terminal.

8. Ghost ATMs and fake fronts

Attack sophistication: moderate     Scale of attack: moderate

Why add a skimming device to a real terminal when you can just use your own fake one? Criminals have been known to place fake, modified terminals in public spaces where victims will use their cards but receive communication error messages. In reality, the terminal has captured the card data and PIN and stored them for later retrieval.

9. Buying the data

Attack sophistication: low     Scale of attack: moderate to huge

With so many means of attack, there is a glut of card information on the market. Lazy criminals can simply buy card data, starting at $1 or less. Quality costs extra, but in the underground marketplace there are products for everyone.

10. Data breaches

Attack sophistication: high     Scale of attack: huge

Capable hackers are able to crack the security of merchants and other card data holders, and access large volumes of card data. With the heightened awareness of cybercrime, the industry has made strides in using more secure techniques for storing data (or in many cases, ensuring that they don't store it). This has made it harder for criminals, but there are still many opportunities for attacks.

I hope this has given you an appreciation of all the options of which a criminal can take advantage. In a future post, I'll detail some ways that a financial institution can fight back.

Are you aware of other ways a criminal can get data? What has your institution done to help reduce debit card fraud?
