The much talked about EMV (Chip and PIN) adoption happening in North America is being done in the name of improving security for consumers, merchants, and card issuers alike. Unfortunately, adoption of Chip and PIN just creates pressure for the bad guys to innovate. As we predicted in an earlier blog post, we are starting to see ‘card trapppers’ emerge again, because the physical card itself has now become more valuable.
This week, Brian Krebs broke a story on a new kind of ATM ‘shimmer’, found in Mexico: http://krebsonsecurity.com/2015/08/chip-card-atm-shimmer-found-in-mexico/.
A shimmer is a type of skimmer, which acts a shim that sits between the chip on the card and the chip reader in the ATM — recording the data on the chip as it is read by the ATM. Physical proximity and access to the card itself has once again become highly important to criminals.
We are also seeing criminals using other more sophisticated techniques in their skimming and other scams. These include:
- New readers, equipped with a GSM module which sends encrypted data cards through mobile phone networks.
- Leveraging miniature spy cameras installed above the ATM keyboards or somewhere in the lobby of the bank to obtain PIN codes.
- Cheap fake cashier numerical panels (they can be purchased for less than 120 dollars on the black market). These automatically capture a PIN code, without any manual labor involved. These duplicate panels use the same type of metal and paint color as the original, making them extremely difficult to identify.
- Criminals are now using SMS to get money from ATMs in bulk. Leveraging a smartphone connected via USB to the cashier, they send two messages, one to activate malicious code (Ploutus), and the second with a valid command to effect the delivery of the money.
- At restaurants, criminals using electronic soldering tools to replace the card chip with a cell phone sim card, while the waiter is processing your payment.
This list could go on ad-infinitum. The goal here is not to keep banks chasing after the latest scheme. It is to make both individuals, as well as those responsible for the overall fraud rates within financial organizations, understand that ‘Chip” transactions should not automatically be considered ‘safe’ or ‘approved’. Banks must evolve their fraud posture to take into account the fact that criminals are at work every day trying to develop their own innovation, to take advantage of new technologies as soon as they become available.