
1. Card Skimming

One of the most popular ways to access a consumer’s account information is to skim the information from the card. ‘Card skimming’ is the most frequently used method of illegally obtaining card track data on the magnetic stripe.459 To capture the data stored in the card’s magnetic stripe, criminals use a device called a ‘skimmer’.460

454 Ibid.

455 Robert Siciliano, Flash Attacks: Big Money for Payment Card Scammers (2011) Infosec Island <http://www.infosecisland.com/blogview/10006-Flash-Attacks-Big-Money-for-Payment-Card-Scammers.html>.

456 There are some banking practices in Indonesia where merchant transactions can be concluded without a PIN or signature requirement. See Ramson Daniel, Low Security Kartu ATM Mandiri [Low Security of Mandiri's ATM] (22 March 2012) Myzone: Ruang Jurnalisme Anda <http://myzone.okezone.com/content/read/2012/03/22/6883/low-security-kartu-atm-mandiri>.

457 For PIN guessing information, see Chapter Four / section 4.2.2.1 below and accompanying text.

458 There are a growing number of allegations from the banking industry that this fraud method is perpetrated or masterminded by someone who is familiar with ATM components. However, the suspect list can be quite long since many different parties might be involved in the ATM life cycle, such as the person in charge of maintenance, replenishment, bank staff, and so on. Some ATM top hats are actually doors that can be accessed from behind or from the side, which renders efforts to identify the perpetrators using CCTV cameras useless.

Even though payment card fraud methods vary, ATM skimming remains one of the payment card industry’s greatest threats. According to one theft expert, Robert Siciliano, around USD350,000 was being lost worldwide daily to instances of ATM skimming in 2011, an amount that can only have increased.461

Fraudsters still treat ATMs as their primary target, simply because they offer the greatest monetary reward.462 Unrestricted physical access to ATM components introduces risk. The most obvious risks are related to the card reader and PIN pad on the front of the ATM, which can be compromised by fraudsters.463 With the ATM skimming method, fraudsters set up a card reader or skimmer and attach it to the ATM on bank premises (or elsewhere such as at a petrol pump, restaurant or retailer). This electronically captures magnetic stripe information when consumers conduct transactions.464

Diebold Incorporated asserts that ‘criminals place a hard-to-detect, small overlay device on top of the card slot of ATMs or POS equipment’.465 Because a skimmer is relatively small, it can be sophisticated and disguised to fit over a legitimate slot (a factory-installed card reader) on ATMs and designed to look like a normal part of the ATM (or other payment terminal).466 Further, Diebold Incorporated explains how the skimming process takes place:

When the consumer inserts his card into the card reader, the skimmer captures the card information before it passes into the ATM’s card reader to initiate the transaction. The transaction continues in a normal fashion. When removed from the ATM, a skimmer allows the download of personal data belonging to everyone who used the ATM. An inexpensive, commercially available skimmer can capture and retain account numbers and PINs for more than 200 ATM cards. Typically, criminals design skimming devices to be undetectable by consumers.467

Skimmer devices vary in size, shape and capabilities. As Masters and Turner have explained, they vary from ‘standalone pocket devices to devices that are incorporated into [the] keyboard’. Some skimmers are extensively used for legal purposes but some others are used for extravagant fraudulent activities. Masters and Turner further distinguished skimmer devices into three types, namely, basic skimmers,468 magnetic stripe card reader encoders,469 and re-packaged skimmers.470 Magnetic stripe card readers or skimmer devices are abundant in the marketplace, both in the brick-and-mortar and on-line world. Originally, skimmers were marketed for legitimate business retail purposes; however, because of their relatively small size, mobility/portability and user-friendly operation, they also have become increasingly used for fraudulent activities.471

459 Diebold Incorporated, ‘White Paper: ATM Fraud and Security’, above n 348, 25. In the Indonesian context, see Herdaru Purnomo, Pembobolan Via Alat Pembayaran Kartu Sudah Capai Rp. 12 Miliar [Payment Card Theft Damage Reached Rp12 billion] (8 June 2011) Detik.com <http://finance.detik.com/read/2011/06/08/080958/1655426/5/pembobolan-via-alat-pembayaran-kartu-sudah-capai-rp-12-miliar>.

460 Diebold Incorporated, ‘White Paper: ATM Fraud and Security’, above n 348, 47. See also Barwise and Bachfeld, above n 377.

461 Kitten, ATM Skimming Threats Evolve, above n 349. Note: This figure was cited in 2011. US commentators have noted that the rate continues to escalate, even in the US: Robin Sidel, ‘Theft of Debit-Card Data from ATMS Soars: Thieves are stealing information to make counterfeit plastic’, Wall Street Journal, 19 May 2015, <http://www.wsj.com/articles/theft-of-debit-card-data-from-atms-soars-1432078912>. Debit card compromises at ATMs on bank premises rose 174%, while those at non-bank machines rose 317%, and are not expected to fall until new technology is more widely in place.

462 Kitten, ATM Skimming Threats Evolve, above n 349.

463 Telford and Kulik, above n 445.

464 ConsumerReports.org, above n 44. See also Mohammed, above n 195, 2167; Levi and Handley, above n 343.

465 Diebold Incorporated, White Paper: Battling Card Fraud through Chip and PIN Technology, above n 209, 2. See also Diebold Incorporated, ‘White Paper: ATM Fraud and Security’, above n 348, 25.

466 Model Criminal Code Officers' Committee of the Standing Committee of Attorneys-General, 'Final Report Model Criminal Code on Chapter 3 - Credit Card Skimming Offences' (2006) <http://www.lawlink.nsw.gov.au/lawlink/SCAG/ll_scag.nsf/vwFiles/MCLOC_MCC_Chapter_3_Credit_Card_Skimming_Report.pdf/$file/MCLOC_MCC_Chapter_3_Credit_Card_Skimming_Report.pdf> 3; See also Mohammed, above n 195, 21617; Barwise and Bachfeld, above n 377.

467 Diebold Incorporated, ‘White Paper: ATM Fraud and Security’, above n 348, 2–5. According to Diebold Incorporated, there are three kinds of card skimming attacks that can occur:

• External card skimming – placing a device over the card reader slot (motorized or dip) to capture consumer data from the magnetic stripe on the card during a transaction. This is the most common form of card skimming.

• Internal card skimming – gaining access to the top hat of the ATM to modify the card reader or replace the original card reader with an already modified one for the purpose of obtaining consumer card data during a transaction.

• Vestibule card skimming – in locations where the ATM is located within a vestibule, skimmers are placed on the vestibule door card access reader to capture cardholder data from the magstripe where the card is read so an unwary consumer inserts their card into the vestibule instead of on the ATM.

468 These basic skimmers are normally used by fraudsters to secretly capture consumer cards in restaurants or shops, by hiding them behind the desk or inside a pocket. When a consumer is distracted, the fraudster swiftly swipes the card in the skimmer. This mini skimmer generally only has the capability to capture and store magnetic card information. It does not have the capability to encode or write the data onto a magnetic stripe card.

469 Unlike the basic skimmer that is normally only capable of reading and storing magnetic stripe information, magnetic swipe card encoders generally have greater capabilities, such as being able to read and write magnetic stripe data.

470 Masters and Turner, above n 216, 18.

Figure 6: Mini Magnetic Stripe Card Reader

MSR-500M (Mini-123).472 This device can store up to 2048 records of data.

Source: Masters & Turner

Mini DX4 Portable Mag-Stripe Swipe PVC Card Reader.473 This device can store 3000 data records.

Source: ebay.com.au

Magnetic swipe card encoders — besides being used to create magnetic stripe cards for legitimate businesses, such as for hotel cards, retail shops and so on — are also usually used to create clone cards for unauthorised payment card transactions. This type of skimmer is able to write card skimming information onto new or used magnetic stripe cards. Many variants of this kind of skimmer are available on the market.474

Figure 7: MSR206 Magnetic Swipe Encoder

Source: Masters and Turner475

Masters and Turner explain that, with repackaged skimmers, fraudsters typically remove the skimmers from their standard manufactured packages and incorporate them into false ATM fascias and ATM slot adaptors.476 Further, they note that usually the fake fascias are of such quality that they exactly resemble a genuine part of the ATMs (especially on the user interface side). Only the reverse side of the fascias shows ‘the haphazard build quality’ (see Figures 8 and 9 below).477

472 Ibid.

473 Mini00 DX4 Portable Magnetic Stripe Swipe PVC Card Reader (23 February 2013) ebay <http://www.ebay.com.au/itm/Mini00-DX4-Portable-Magnetic-Stripe-Swipe-PVC-Card-Reader-/251003524960?pt=AU_CashRegisterAccessories&hash=item3a70f9d760>. This mini DX4 can be bought online for around AUD200.00.

474 Ibid.

475 Masters and Turner, above n 216, 18.

476 Ibid.

Figure 8: The Extracted Components of a Mini-123 Card Reader Removed from its Manufactured Packaging and Repackaged for Use in a Fake ATM Fascia

Source: Masters & Turner478

Figure 9: Imitation ATM Fascia – Front and Rear View

Source: Masters & Turner479

Figure 10: Various ATM Skimmers on the ATM

An ATM skimmer that fits over the card insert slot.

An ATM skimmer panel that fits directly on top of the real ATM

Source: Brian Krebs480

Some skimmers are so advanced that they incorporate features such as the ability to send an SMS text message to the fraudster’s mobile phone whenever a new card is swiped,481 so the fraudsters do not even have to remove the skimmer from the ATM in order to download the stolen data. Even now, many sellers offer tiny card readers (for example, the MSCR710) for purchase online. This tiny card reader, if used by fraudsters as a skimmer, will be of great benefit to them. Due to its tiny size, it is easy to fit into any kind of case, has low power consumption, and offers greatly increased storage capability (data for up to 32,000 cards).482 Even the seller acknowledges that the device can be used for illegal purposes and warns potential buyers in its disclaimer (in red font) that the card reader is sold only for legal purposes and not for use as a card payment skimmer.483

478 Ibid.

479 Ibid.

480 Brian Krebs, ATM Skimmers, Part II (2 February 2010) www.krebsonsecurity.com <http://krebsonsecurity.com/2010/02/atm-skimmers-part-ii/>. See also Thieves Create More Sophisticated ATM Card Skimmers (27 April 2012) Mashable <http://www.youtube.com/watch?v=_2H-_zAudn8>.

Figure 11: Rear of an ATM Skimmer with SMS Capability

Source: Brian Krebs484

When the skimmer is installed in an ATM, the device then records and stores the electronic information from the magnetic stripe of the authentic payment cards as they are inserted into the ATM slot.485 The data skimmed from a number of swiped cards is then stored in the skimmer device to be accessed or reproduced on a counterfeit card later.486 This data is then downloaded to a computer when the skimmer is dismantled, or the data can be sent via a wireless network to fraudsters who are near the ATM.487 Skimming of magnetic stripe information is a significant problem because it provides criminals with so much readily usable information for conducting unauthorised transactions.488

481 Brian Krebs, Would You Have Spotted the Fraud? (15 January 2010) www.krebsonsecurity.com <http://krebsonsecurity.com/2010/01/would-you-have-spotted-the-fraud/>.

482 For instance, mycardreader.com sells a magnetic stripe card reader with interrupted swiping support that measures just 2mm in width, 6mm in length and 11mm in height, and costs ‘only’ USD1,500 each. See MSCR710, MyCardReader.com <http://mycardreader.com/18-mscr710.html>.

483 Ibid. See the disclaimer wording:

Disclaimer: Our magnetic card readers are intended for legal use only. Even though our magnetic card readers can be used as a debit or credit card reader and can read any type of magnetic stripe bank cards, we will not sell them to be used for skimming as debit or credit card skimmers. The buyer understands that the magstripe card reader being purchased is not for illegal use. That he/she will safeguard the use and distribution of this device and make an effort to prevent illegal use from occurring.

We are not and will not commercialise this product if we know or suspect that it will be used for unlawful purposes.

To combat the proliferation of ATM fraud using skimmer devices, most banks throughout the world (including in Indonesia at the encouragement of its central bank)489 choose to equip their ATMs’ card reader slots with an anti-skimmer device. Generally, ATM anti-skimming devices take the shape of ‘green or blue semi-transparent plastic casings that protrude from the card acceptance slot to prevent would-be thieves from easily attaching skimmers’.490

Figure 12: Anti-Skimming/‘Duck Snout’ at a Bank ATM in Sumatra (Indonesia)

Source: Sriwijaya Post/Syahrul Hidayat491

485 Sullivan, ‘The Changing Nature of US Card Payment Fraud’, above n 262, 1024. See also: Financial Fraud Action UK, above n 346, 28; Model Criminal Code Officers’ Committee of the Standing Committee of Attorneys-General, above n 466, 3; Diebold Incorporated, White Paper: Battling Card Fraud through Chip and PIN Technology, above n 209, 2.

486 Model Criminal Code Officers’ Committee of the Standing Committee of Attorneys-General, above n 466, 45.

487 Barwise and Bachfeld, above n 377.

488 Iannacci and Morris, above n 20, 61.

489 After the ATM skimming deluge in Indonesia in 2010 (described previously), Bank Indonesia encouraged all banks to enhance their ATM security to cope with the associated fraud and to compensate all bank consumers who lost their funds. Following BI’s direction to improve ATM operational security, all the banks that were victims of recent ATM fraud committed to implementing a variety of increased security features, including (among others) the installation of PIN covers at ATMs, installation of anti-skimmer and ‘jitter’, as well as fitting CCTV cameras to ATM booths that did not already have CCTV in place.

490 Krebs, ‘Green Skimmers Skimming Green’, above n 354.

491 Wahyu Satriani Ari Wulan, 'Inilah Ciri ATM Anti-'Skimming' [This is Typical ATM Anti-'Skimming']', Kompas (online), 22 January 2010

However, the implementation of anti-skimming devices has not been without controversy. When banks first introduced anti-skimmer devices, the implementation was not accompanied by any consumer education. To make things even worse, a bank can have multiple brands of ATMs. As a result, the shape and colour of the anti-skimmer devices on the ATMs also vary.

Bank consumers are finally learning from the mass media or by ‘word of mouth’ that the ‘coloured plastic thing’ installed at an ATM card reader slot is actually an anti-skimmer device. However, fraudsters continually improve and modify their fraud techniques. In the case of ATM anti-skimming devices, fraudsters have in no time circumvented them by devising ‘anti-skimmer skimmer’ devices (see Figure 13 below). Now many fraudsters ‘simply [craft] their skimmers to look exactly like the anti-skimming devices’.492

A skimmer found in a Chase Bank branch in West Hills (California), for example, was an ‘all in one’ skimmer (a skimmer that includes a magnetic stripe skimmer and also a pinhole camera device) designed to fit over the card acceptance slot. Authorities believe that this type of sophisticated, professional-grade ATM skimmer was made with the help of a 3D printer.493 Therefore, more consumers might be deceived by this new skimmer fraud since they believe that they have deliberately performed their ATM transactions at a secure ATM, just as was being encouraged by banks.

Figure 13: ATM Anti-Skimmer Skimmer and Skimmer

Anti-skimmer skimmer

Anti-skimmer skimmer device removed from ATM anti-skimmer device.

492 Krebs, ‘Green Skimmers Skimming Green’, above n 354.

493 Brian Krebs, Pro Grade (3D Printer-Made?) ATM Skimmer (2011) <https://krebsonsecurity.com/2011/12/pro-grade-3d-printer-made-atm-skimmer/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+KrebsOnSecurity+%28Krebs+on+Security%29>.

Skimmer that looks like anti-skimmer device

The bottom of the skimmer with pinhole camera

Device to wirelessly send stolen PIN and Card data via SMS or Bluetooth

Skimmer panel from behind with flash storage device. Double-sided tape used to stick skimmer to ATM.

Source: Brian Krebs494

In most cases, cardholders are unaware that there is a skimming device on the consumer-activated terminal and that their data has been stolen at the time of the transaction. If a cardholder victim fails to check their bank statements frequently, a criminal can repeatedly withdraw money to the maximum limit every day until the account is drained or cancelled.495 When the consumer finally becomes aware, they have difficulty in pinpointing the timing and location of this skimming attack.496

Even though some banks have urged consumers to take precautions when conducting ATM transactions, ‘customers are not sure what they are looking for when it comes to compromised machines, and a lot of the externally attached equipment is high quality and extremely subtle’.497

Furthermore, consumer vigilance is ineffective because there is also a wide variety of ATMs and anti-skimmer models, which make it impossible for consumers either to memorise the details for every ATM model or to immediately notice when there is a fraudster’s device attached. As Barwise and Bachfeld argued, ‘the untrained eye will hardly notice this mini-scanner, which is adapted to the ATM’s design. Sometimes, the criminals even put a completely new front panel on the ATM.’498

494 Krebs, ‘Green Skimmers Skimming Green’, above n 354. See also Krebs, ‘Pro Grade (3D Printer-Made?) ATM Skimmer’, above n 493.

495 Kirk, ‘Criminals Turn to ‘Card Trapping’, above n 434.

496 Diebold Incorporated, White Paper: Battling Card Fraud through Chip and PIN Technology, above n 209, 2.

2. Malware

An ATM is basically just an ordinary computer inside a custom-built case.499 Therefore, any attack that happens to an ordinary computer might also happen to an ATM computer. Unrestricted physical access to ATMs makes every ATM component — both outside and inside the ATM case — vulnerable to attack. Regarding the vulnerabilities of ATM components inside the ATM cabinet specifically, Telford and Kulik observe that:

The components inside the locked ATM cabinet, but outside the safe, are also vulnerable to compromise from both hardware and software attacks such as plugging in a USB or even a DVD drive, replacing components inside the ATM – even removing the ATM computer and replacing it with an attacker’s computer. Physical access allows any software or hardware component to be replaced; protecting physical access to ATMs starts with security of the site and use of unique keys for ATM cabinets.500
