10 Ways Criminals Get Debit Card Data
Criminals are more organized and sophisticated than ever before. Attacks on ATMs range from simple to highly organized efforts involving multiple ATMs across the country, hundreds of fraudulent cards, and criminal gangs spanning the globe.
So, how do criminals get your customers' debit card data? Here are 10 different ways:
- Steal cards
  Attack sophistication: Low / Scale of attack: Small
The simplest way for a criminal to get card data is to steal someone's card. To get the PIN, the thief might shoulder surf or guess a weak PIN, such as a birthdate.
- Steal machines
  Attack sophistication: Low / Scale of attack: Moderate
A criminal might decide to steal either an ATM or a POS terminal. Cash can be pulled from the ATMs, but both types of machines could store card numbers if misconfigured. A stolen machine is also valuable for learning about weaknesses or ways to physically attack it.
- Offline account takeover
  Attack sophistication: Moderate / Scale of attack: Small
Breaking into mailboxes and stealing bank statements or other personal information can let a criminal conduct identity theft. Often they'll try to change the victim's mailing address with the bank, order a new card, and activate it. If the bank has good processes in place that are adhered to, then this type of attack can be stopped.
- Separate skimming device
  Attack sophistication: Low / Scale of attack: Moderate
If a deft criminal can get a hold of a card for a few seconds, then they can swipe it through a reader and get its data.
- Overlaid skimming devices
  Attack sophistication: Low / Scale of attack: Moderate
In this case, the criminal places a card reader over the machine's built-in reader. They might also attach a video camera or a PIN-pad overlay to capture the PIN.
- Internal skimming devices
  Attack sophistication: Moderate / Scale of attack: Large
More capable criminals could place a skimming device inside a terminal, such as at a gas pump. The skimmer intercepts messages on the data lines and is tough to detect without opening up the machine.
- Hijacked terminals
  Attack sophistication: High / Scale of attack: Moderate
A terminal can be hijacked by replacing the operating system with a compromised one. An avenue of attack might be available for those ATMs with remote control capabilities that are left in the default (and insecure) settings. Stolen machines might also be modified and then used to replace an existing, non-compromised terminal.
- Ghost ATMs and fake fronts
  Attack sophistication: Moderate / Scale of attack: Moderate
Why add a skimming device to a real terminal when you can just use your own fake one? Criminals have been known to place fake, modified terminals in public spaces where victims will use their cards but receive communication error messages. In reality, the terminal has captured the card data and PIN and stored them for later retrieval.
- Buying the data
  Attack sophistication: Low / Scale of attack: Moderate to Huge
With so many means of attack, there is a glut of card information on the market. Lazy criminals can simply buy card data, starting at $1 or less. Quality costs extra, but in the underground marketplace there are products for everyone.
- Data breaches
  Attack sophistication: High / Scale of attack: Huge
Capable hackers are able to break the security of merchants and other card data holders and access large volumes of card data. With the heightened awareness of cybercrime, the industry has made strides in using more secure techniques for storing data (or in many cases, ensuring that they don't store it). This has made it harder for criminals, but there are still many opportunities for attacks.
Unfortunately, as debit card use continues to grow, criminals will find new ways to steal the data.