Card skimmers targeting more than ATMs, says EU

Crooks are branching out beyond bank ATMs by installing card skimming devices on payment terminals ranging from train ticket kiosks to parking meters, according to European anti-fraud experts. At least five countries have logged skimming attacks against railway, bus or metro ticket machines, the European ATM Security Team ( …

COMMENTS

This topic is closed for new posts.


Funny Stuff

From the very inception of the "Pin Code" we have been laughing at how insecure this system is.

Using your card to pay for anything has become a gamble, who knows where that reader you are given has come from? It's so easy to make your own it's not funny.

The whole point of "Chip and Pin" is to move the ownership of loss and fraud to the account holder, it has nothing to do with security.

When last did anyone check the card itself? I've been using my wife's joint account card by mistake (same pin) for months, yet it has her premarital name and the word "Miss" on it.

What's a more pertinent question is just how did the banks get this through, and who greased the wheels, or turned a blind eye to the blatant self-serving nature of the system.

12
8
Anonymous Coward

Re: Funny Stuff

1) Care to suggest anything better than a PIN? Something workable, easy to remember and reliable (typically a bank wouldn't touch something without 5x9s.)

2) Card fraud is going down, in countries which use chip and pin.

3) Liability for fraud lies with the bank, unless it can be proven that the customer was at fault - this includes a stolen card with PIN being used, unless the bank can show that the customer wrote down their PIN.

4) People not checking the card is hardly a criticism of chip and pin, it's the merchant's problem and them who has to deal with it, should there be fraud.

5) It's not a conspiracy, just looking at the card present fraud numbers can show you that.

6
7
Bronze badge
Alert

Re: Funny Stuff

> 3) Liability for fraud lies with the bank, unless it can be proven that the customer was at fault - this includes a stolen card with PIN being used, unless the bank can show that the customer wrote down their PIN.

Read the news stories about how banks have treated fraud victims with C&P cards.

17
2
Silver badge

Re: Funny Stuff

Answers:-

1) Biometrics, although they have their own risks. Various other options have been looked at over time, but banks also like something cheap. This removes some options. I think some people would disagree that PINs are easy to remember.

2) This is partially a case of damn statistics. Reported card fraud is partially going down due to banks pretty much not accepting anything as fraud if the PIN is entered unless you can absolutely and categorically prove it couldn't be you. They're using the old cashpoint excuse of right PIN entered, therefore it has to be you!! So, fraud isn't declining by as much as they make out. They're partially at least, manipulating the figures.

3) Theoretically true, but easily got round. The bank simply shows the PIN was used and therefore it's your fault!! Simple as that. If you were skimmed at a cashpoint and the PIN recorded (say by camera), most banks will claim future withdrawals etc. were you regardless. Of course, they have cameras on the ATMs etc. themselves, but you can't get to that footage without their permission.......sort of chicken and egg.

4) People not checking the card has always been an issue, but is worse now because chip and PIN supposedly sorts everything!! It's always been a fault of human nature. The more 'foolproof' something is claimed to be, the less people check it!! I remember working on a checkout in the school holidays etc. (yes, some time ago) and catching fake/stolen etc. cards was a money maker. £50 each. Result.

5) I have worked for banks in the past and I can assure you part of the point of chip and PIN is to make the retailer or cardholder liable for the fraud. Always has been. Not to say that chip and PIN doesn't help, but if that wasn't the case, why have the fraud rules changed since chip and PIN? In theory, if the retailer touches your card during the transaction, they've taken liability from the bank!! The whole point of chip and PIN (and strict interpretation of the rules), is that the only person who touches the card should be the cardholder. Where does this happen? I'm not saying it is a total conspiracy, but the banks have their agenda as well.

9
1
Anonymous Coward

Re: Funny Stuff

Cite sources.

I know there have been a few examples, but it's only a few and the banks involved have been given a serious arse-kicking by the regulator. There are also a few examples where banks have treated customers badly, but because they've been trying to defraud the banks, these are often held up as cases where the banks are bastards, but usually they're just trying to protect their investors/customers from fraud.

3
5
Anonymous Coward

Re: Funny Stuff

1) Biometrics are slow and unreliable, expensive and can be faked.

2) The burden of proof lies with the banks, they're not allowed to use "the right PIN was used" as proof.

3) See 2

4) That's hardly the fault of the banks, it's the merchants; all the instructions from banks say that you must check the card.

5) I've worked for banks too, I can assure you that this is not the case.

5
5
Silver badge
Thumb Down

Re: Funny Stuff

> Read the news stories about how banks have treated fraud victims with C&P cards.

Better, ask the real victims. I was defrauded of ~ 1500 euros on a chip & PIN card, which had been cloned or skimmed and was used for online purchases. I was reimbursed by my bank in under a month, with no problems whatsoever.

5
0
Silver badge

Re: Funny Stuff

"1) Biometrics are slow and unreliable, expensive and can be faked.

2) The burden of proof lies with the banks, they're not allowed to use "the right PIN was used" as proof.

3) See 2

4) That's hardly the fault of the banks, it's the merchants; all the instructions from banks say that you must check the card.

5) I've worked for banks too, I can assure you that this is not the case."

1) Absolute nonsense. Used to be, but not really now. The issue is it's part of you and the lengths some people will go to.

2) They have a long and glorious history of doing so, starting with the original ATM cards till today. I've heard it many times before and know loads of people who have been told this.

3) See 2.

4) Agreed. Merchants should do what they're told. However, implementing a system that ignores the basics of human nature is not really that smart. It was obvious from the start these checks wouldn't occur, so relying on them is willful blindness at minimum.

5) In what departments? I worked in IT and it was common knowledge. Even worked on one of the first big smart card trials - Mondex for NatWest. Ever read the terms for that one as well? Interesting!!

2
1
Gold badge
Meh

Re: Funny Stuff

"3) Liability for fraud lies with the bank, unless it can be proven that the customer was at fault - this includes a stolen card with PIN being used, unless the bank can show that the customer wrote down their PIN."

That statement, and posting AC, got my down vote.

4
4
Silver badge

Re: Funny Stuff

>From the very inception of the "Pin Code" we have been laughing at how insecure this system is.

That's all well and good, but the risk has to be compared to the alternatives. I haven't done the sums on the risk of losing money through card fraud versus the risk of losing money through losing your wallet, or having a £20 slip from your pocket.

0
0
FAIL

Re: Funny Stuff

"The whole point of "Chip and Pin" is to move the ownership of loss and fraud to the account holder, it has nothing to do with security,"

FAIL.

It's to move liability to the merchant. Also yes, it has a lot to do with security, and despite a few attacks being published, has largely succeeded in at least part of its mission to reduce card copying and related fraud.

2
0
Anonymous Coward

Re: Funny Stuff

In general I only post as AC, but in this situation even if I didn't I wouldn't have posted as my name because I have about 15 years history working in financial services IT and I don't want to jeopardise that or reveal my employer.

1
2
Anonymous Coward

Re: Funny Stuff

Exactly right. Plus the problem is also the uncontrolled migration of crooks from Eastern Europe to the UK. That's not to say all people coming here are crooks, but the dodgier characters seem to know where all the easy money to rob is.

I see this as a design flaw in modern ATMs. Some of the older generation machines had a plexiglass cover that lifted up when you inserted your card in. Obviously this only hinders tampering, but it is better than what we have now.

I would propose these ideas too:

1. Have the ATM machine inside a booth/reception area which you can only gain access to by swiping your card.

2. CCTV inside the booth.

3. If the machine is tampered with, lock the door (slight problem if someone else is in there at the time though).

4. A way of reading the card without a slot. Maybe a tray or just swipe it?

0
0
Anonymous Coward

Re: Funny Stuff

Biometrics can work, they've been using finger scans (vein patterns) successfully elsewhere.

But it does mean that if you are accessing services for someone else (as you are caring for them) that you also need to be registered.

0
0
Bronze badge
Holmes

Re: Funny Stuff

Well every time I use them, I don't think Tesco would be pleased if I attempted to pay for things with my Nectar Card.

0
0
Silver badge

Re: Funny Stuff

"But it does mean that if you are accessing services for someone else (as you are caring for them) that you also need to be registered."

That would need to be the case anyway. The PIN is for the holder only and nobody else for any reason. It's in the T's and C's. So, someone disclosing their PIN to another immediately makes them liable, regardless of the reason.

So, being able to store several means of identification (whether PINs or biometrics) for a card would make caring for the disabled etc. much easier.

0
0
Silver badge

Re: Funny Stuff

"5) I've worked for banks too, I can assure you that this is not the case."

You might want to read the card agreement that came with the chip and pin cards. At least in Canada there are paragraphs of text that boil down to chip and pin is perfect, it's your fault. All of this text was new for chip and pin cards. In any case where chip and pin is used they assume you gave your card to a "friend" who bought stuff while you set up proof that you were someplace else at the time, then got the card back later.

0
1
Happy

Re: Funny Stuff - RE: AC

"1. Have the ATM machine inside a booth/reception area which you can only gain access to by swiping your card."

Guess where the fraudsters attach their skimming device then?

I'm not even kidding, I saw this one on tv years ago!

0
0
Meh

Re: Funny Stuff - Tom 35

> You might want to read the card agreement that came with the chip and pin cards. At least in Canada there are paragraphs of text that boil down to chip and pin is perfect, it's your fault. All of this text was new for chip and pin cards. In any case where chip and pin is used they assume you gave your card to a "friend" who bought stuff while you set up proof that you were someplace else at the time, then got the card back later.

In the UK it is their responsibility to prove that the transaction was not fraud if you say it was. With credit cards they are a party to the debt and this is their legal responsibility as lenders - return the money now, investigate later. With debit I'm less sure, but the banking code tends to support the same thing.

0
0
Silver badge
Boffin

@Gordon

> From the very inception of the "Pin Code" we have been laughing at how insecure this system is.

True, but my humor wasn't aimed at the pin code itself but the usage of a magnetic strip which got swiped, thus very easily read and copied.

Which basically supports your criticism in my opinion; the sheer time alone before certain banks finally switched from using the magnetic strip to the chip itself, some took ages. The fun part was that at a given time my credit card (visa) had already implemented this system way before the "common" banks had.

But there's another aspect... In theory I think "chipping" (electronic wallet) is much more secure than pinning. After all; with an electronic wallet you can only lose what's on the wallet itself, people can't easily copy your card and gain access to your whole bank account. Another pro, in my opinion, is that you can pay by simply clicking "yes". No pin or such required at all, only when transferring money.

Yet the electronic wallet is something which according to many people has to go (here in Holland at least). In most places you can only pay with your pin code and no longer with the "chipknip" (Dutch name for electronic wallet).

Which makes me conclude that a lot of banks and electronic payment providers don't have safety and security at the top of their priorities list. It needs to be cheap, it needs to work and it needs to provide them with revenue.

0
0
Silver badge

Re: Funny Stuff

You aren't the victim.

Whoever sold 1500 euro of stuff is, because they're now out of pocket for the goods AND got whacked with punitive extra charges by the bank as well. Banks are more than happy to reimburse you, because they're taking it back from the merchants.

It's fairly reliably estimated that banks make substantially more from card fraud incidents than they do from genuine sales - which is one reason they're not in any hurry to change the system.

0
0

Playing devils advocate or just being bloody minded?

> Care to suggest anything better than a PIN?

Hows about a signature and a look at the card to see if the user looks like the name on the card?

Card fraud is going down, true, because it's not being reported as card fraud. Your pin was used, so it's not fraud, it's your fault.

"People not checking the card is hardly a criticism of chip and pin"

Actually, it's a direct result of taking the onus away from the merchant and instilling misplaced trust in the transaction.

Anyway, you carry on sticking your card into a reader at a pub, restaurant or any other outlet and take the risk.

Oh yeah, I won't even go into the fun to be had with contact-less payment, where you don't even need to know the pin, yet the transaction is reported as chip and pin. (on top of that the £15 a day limit is also toss, having used it myself at to at least £40 in a single day)

1
3
Bronze badge

Re: Playing devils advocate or just being bloody minded?

Signature? Oh please, how many times have you tried signing "M Mouse" to see if it works? Always, in my experience. Unless the girl behind the till has a degree in graphology signatures are a joke.

As for biometrics, I look forward to the day the queue at the cashpoint is moving as quickly as the queue at the Heathrow IRIS line.

3
0
Anonymous Coward

Re: Playing devils advocate or just being bloody minded?

Signatures are rubbish, easily forged. The whole point of chip and pin is "something you have and something you know." If the something you have has the something you know recorded on it, that's a piss-poor solution.

The transaction is not reported as chip and pin, the transactional limit tends to be £15 not the daily limit, and number of uses is reset each time you pin auth at an ATM or PED.

I'm happy to use my card, I'm aware that anything is not zero risk - particularly carrying round wads of cash because I'm too paranoid to use plastic - what could possibly go wrong.

4
0
Stop

Re: Playing devils advocate or just being bloody minded?

"Oh yeah, I won't even go into the fun to be had with contact-less payment, where you don't even need to know the pin, yet the transaction is reported as chip and pin. (on top of that the £15 a day limit is also toss, having used it myself at to at least £40 in a single day)"

Your limit is personal to you and is more about transaction limits than daily limits.

It is absolutely not reported as Chip and Pin though it is processed in much the same way.

The liability is between the bank and the merchant, so it really shouldn't worry you.

2
0
Silver badge

Re: Playing devils advocate or just being bloody minded?

Contactless has always confused me a lot.

What's the point in going through all the PIN upgrade and then creating cards that only have to be swiped near a sensor and payment is made? Yes, the fraud may not be great, but it's dead easy and your chances of being caught, pretty close to zero. Obviously, PINs are still used for higher values, but I'd rather use PINs for all values and get my card caught as soon as possible!! I don't even want small value fraudulent transactions...........

2
0
Anonymous Coward

Re: Playing devils advocate or just being bloody minded?

I remember, back in the middle ages when this were all fields and I were a lad, I bought a load of CDs in Our Price (for those who weren't alive 20 years ago, Our Price was a chain of music stores). The guy in front of me had at least 20 CDs (which were at least £10 each), and paid for them all by cheque. He signed the cheque "Ronald McDonald". The cashier just accepted the cheque with the Guarantee card (no idea what name that was under). By the time I got to the counter and told the cashier what I'd seen, the guy had already vanished.

0
0

Re: Playing devils advocate or just being bloody minded?

"I don't even want small value fraudulent transactions..........."

Are many cards actually stolen? Contactless still prevents skimming, which I think was the major target of EMV and Contactless.

Nobody *wants* fraudulent transactions. The banks figure that using their cryptographic protections ensures a card must be genuine, and that the constraints "must be a genuine card" and "can only be used for small amounts" fall within the level of acceptable risk for them.

And if you're not passing your card into/through any sort of reader at all then nobody gets to read and copy the mag stripe.

1
0

Re: Playing devils advocate or just being bloody minded?

I love the reporting systems the banks have for classing the transaction as chip and pin.

I've had problems with fraud, I contact the bank, and I'm told the fraudulent transaction was verified by chip and pin.

Only problem - I don't have a chip and pin card!

2
0
Bronze badge
Coat

Re: Playing devils advocate or just being bloody minded?

Heh, he said onus.

0
0
Anonymous Coward

Re: Playing devils advocate or just being bloody minded?

Sorry, but you're going to have to do a lot better than that - anyone can just say things like this, but there are far too many questions, here are a few for a start:

Did you or the person you spoke to misunderstand what you were talking about?

Did the person you spoke to just see "authorised" on their screen and misread it?

Do you actually have a piece of paper saying chip and pin authorised and a matching mag stripe card?

etc.

etc.

0
0
Silver badge

Re: Playing devils advocate or just being bloody minded?

"Are many cards actually stolen? Contactless still prevents skimming, which I think was the major target of EMV and Contactless.

Nobody *wants* fraudulent transactions. The banks figure that using their cryptographic protections ensures a card must be genuine, and that the constraints "must be a genuine card" and "can only be used for small amounts" fall within the level of acceptable risk for them.

And if you're not passing your card into/through any sort of reader at all then nobody gets to read and copy the mag stripe."

Yes, a huge number of cards are stolen. It's a very big business. With a chip in the card, skimming of cards should be pretty pointless. After all, the systems should be expecting a chip and they're very difficult to copy....so what's the point of skimming? I know a lot of this goes to countries that don't use chip and PIN but some still occurs in this country. Surely, it would be more sensible for banks to issue people cards without stripes unless specifically asked to include them for reasons such as going abroad etc. There are a huge number of cards that are never used outside of the UK, let alone outside of the chip and PIN areas.

0
0
Silver badge

Re: Playing devils advocate or just being bloody minded?

"I love the reporting systems the banks have for classing the transaction as chip and pin.

I've had problems with fraud, I contact the bank, and I'm told the fraudulent transaction was verified by chip and pin.

Only problem - I don't have a chip and pin card!"

So, is this an example of the banks' systems being so poor they don't know who has chip and pin and who doesn't, or is it an example of the banks trying to bullsh*t you off until you push them?

Either way, not exactly an endorsement of banks.

P.S.

I have personal experience of my employers (a bank) ransacking my current account without my permission and telling me that as an employee they had every right!!

0
0
Silver badge

Re: Playing devils advocate or just being bloody minded?

"at least 20 CDs (which were at least £10 each)...accepted the cheque with the Guarantee card"

20 years ago, a cheque guarantee card would only authorise up to £50, maybe as much as a £100.

0
0
Stop

Re: Playing devils advocate or just being bloody minded?

"Yes, a huge number of cards are stolen. It's a very big business. With a chip in the card, skimming of cards should be pretty pointless. After all, the systems should be expecting a chip and they're very difficult to copy....so what's the point of skimming?"

You have your wires crossed. I meant actually, physically stolen cards.

We were talking about contactless cards and the ability for small-scale fraud, I was noting that in order to do this you need the *actual* card, you can't just skim.

0
0

This post has been deleted by its author

Silver badge

@AC 10:35 re: Ronald McDonald

How do you know the guy's name wasn't actually Ronald McDonald? Just because a major hamburger chain uses the name doesn't mean that nobody else was ever christened that. McDonald is a very common Scottish surname to start with, and Ronald isn't exactly rare either.

Like my own name. Yes, Steven Roper is my real name; it is on my birth certificate. I'm also very aware of the American syndicated comic strip Steve Roper, intrepid photographer, and his dependable sidekick Chief Wahoo. It's been a cause of people questioning my identity before now, and no doubt will again. In fact, I actually like it, because it means that people Googling me will find loads of pages relating to the comic strip, or to men of the name Steven Roper who are more successful and/or famous than I, long before they come across anything of mine (and even then it most likely will only be links to my comments on El Reg!)

So don't be too quick to assume that guy with the cheque was using a fake name, just because it happens to be linked to a famous brand. I wonder how many Michael Jacksons there are, or John Lennons? I imagine they also must have a hard time of it with people thinking they're using fake names.

0
0
Devil

Funny that this type of fraud...

...seems to be the exclusive domain of a certain section of the Romanian population.

1
4
Silver badge

How to address skimming?

ATMs are designed to be tough, hard to smash and easy to clean. Perhaps they also need to design them so that it's hard to fit a false front? Any ideas?

It won't be that hard to shape them so that a cover can't be fitted over them without it being obvious, or just have an optical sensor that switches off the machine & triggers a visual alarm if covered?

Add a hologram to the front surface?

Change the card slot so that it reads the chip, and only when the card is fully inserted (2cm or so), so that a fake front can't see enough card to skim the stripe?

2
0
Anonymous Coward

Re: How to address skimming?

@Phil - The card slot does read the chip, but because there are still areas where only magstripe is used ALL global ATMs need to support magstripe for the cards that aren't chipped. That said, you'll generally find that if a card has a chip (or should have a chip) many ATMs won't allow it to be used with magstripe.

0
0
Anonymous Coward

Re: How to address skimming?

> That said, you'll generally find that if a card has a chip (or should have a chip) many ATMs won't allow it to be used with magstripe.

The crooks solved that one too. A bit of nail varnish will ensure the EMV is not sensed, and so the terminal can fall back on mag swipe :(

0
1
Anonymous Coward

Re: How to address skimming?

Like I said - if a card SHOULD HAVE a chip, it usually won't be able to be used with magstripe, certainly not in high risk areas.

0
0
Stop

Re: How to address skimming?

"The crooks solved that one too. A bit of nail varnish will ensure the EMV is not sensed, and so the terminal can fall back on mag swipe :("

At which point the liability is with the terminal operator, because there is a code on the stripe that says "I'm a chip card, process me at your peril".

1
0
Silver badge

Re: How to address skimming?

"At which point the liability is with the terminal operator, because there is a code on the stripe that says "I'm a chip card, process me at your peril"."

Bearing in mind how easy it is to change the mag stripe, isn't that code about as much use as a chocolate fireguard? They nail varnish the chip contacts and then change the stripe. Easy. It would be much better if the cashpoint contacted the bank with the card number etc. and was then told 'you'd better ensure this is a chip transaction..........'

Putting it on the mag stripe is absolutely pointless.

2
0
Bronze badge

Re: How to address skimming?

> ATMs are designed to be tough, hard to smash and easy to clean. Perhaps they also need to design them so that it's hard to fit a false front? Any ideas?

If ATMs are so tough to smash, maybe we should be equipping each one with a sledgehammer, and encouraging customers to wail on the machines before use? That should sort out any false fascia - or at least increase the costs significantly for the crims making them.

0
0
Anonymous Coward

Re: How to address skimming?

@Mad Mike - For someone who claims to know about this sort of thing and have been involved in the projects, you do seem to know sod all about it.

You can easily clone or change a magstripe, yes, but you can't easily construct a valid magstripe to read what you want it to and not what you don't. For example, you can't just make it fail to mention that there isn't a chip. If the magstripe has been changed and somehow is valid, this will still be picked up by an online transaction in any case.

1
0
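
The service-code argument in the posts above, worked through as an added example (not part of the thread, and not any bank's or scheme's actual logic): it parses ISO/IEC 7813 track 2, reads the service code whose first digit (2 or 6) marks a chip card, and compares it with what the issuer knows about the card. The issuer record table, the decision labels and the PANs are constructed for illustration.

```python
from dataclasses import dataclass

# ISO/IEC 7813 service code: a first digit of 2 or 6 means the card carries a chip (IC).
CHIP_SERVICE_DIGITS = {"2", "6"}


@dataclass(frozen=True)
class Track2:
    pan: str
    expiry: str        # YYMM
    service_code: str  # three digits


def parse_track2(raw):
    """Parse ';PAN=YYMMSSS<discretionary>?' (ISO/IEC 7813 track 2 layout)."""
    if not raw.startswith(";") or "?" not in raw:
        raise ValueError("missing start or end sentinel")
    body = raw[1:raw.index("?")]
    pan, sep, rest = body.partition("=")
    # 12..19 digits is a sanity bound chosen for this example.
    if not sep or not pan.isdigit() or not 12 <= len(pan) <= 19:
        raise ValueError("bad PAN field")
    if len(rest) < 7 or not rest[:7].isdigit():
        raise ValueError("bad expiry or service code")
    return Track2(pan, rest[:4], rest[4:7])


def stripe_claims_chip(track):
    return track.service_code[0] in CHIP_SERVICE_DIGITS


def assess(raw, entry_mode, issuer_records):
    """Issuer-side view of one authorisation request.

    issuer_records is a hypothetical {PAN: issued_with_chip} table. The point
    made in the thread is that the issuer's own record, not the stripe,
    decides whether a magstripe read of this card is expected.
    """
    try:
        track = parse_track2(raw)
    except ValueError as exc:
        return ("decline", f"unreadable track 2: {exc}")
    issued_with_chip = issuer_records.get(track.pan)
    if issued_with_chip is None:
        return ("decline", "PAN not known to issuer")
    if entry_mode == "chip":
        return ("continue", "chip read")
    if not issued_with_chip:
        return ("continue", "magstripe-only card")
    if stripe_claims_chip(track):
        # Honest stripe, chip not read: the fallback case discussed above.
        return ("refer", "chip card presented by magstripe (fallback)")
    # Stripe says "no chip" but the issuer issued one: stripe data was changed.
    return ("decline", "service code does not match issuer record")


# Constructed sample data: PANs, expiry and discretionary digits are made up.
ISSUER_RECORDS = {"4000000000000002": True, "4000000000000010": False}
SAMPLES = [
    (";4000000000000002=30122011234567?", "magstripe"),  # chip card, intact stripe
    (";4000000000000002=30121011234567?", "magstripe"),  # same PAN, service code 101
    (";4000000000000010=30121011234567?", "magstripe"),  # card issued without chip
    (";4000000000000002=30122011234567?", "chip"),       # normal chip read
]

if __name__ == "__main__":
    for raw, mode in SAMPLES:
        print(mode, raw, "->", assess(raw, mode, ISSUER_RECORDS))
```
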

Protect yourself, kill the mag stripe

The last I heard on BBC radio's "Moneybox" programme, banks have to supply your card with a working magnetic stripe, but you don't have to keep it that way. I used a magnetic bulk eraser on mine, or you could probably just file it off. If the bad guys can't read your mag stripe then you're probably safe.

If you do find an ATM set up for skimming, bear in mind that the bad guys are probably nearby reading data wirelessly, and if you interfere with it, they may switch to Plan B of mugging you. Likewise if you get your phone out at the machine. You could be OK if you pre-emptively go nuts and beat the hell out of the machine when it doesn't give you money, but make sure that skimming is the reason for that.

1
0
Anonymous Coward

Re: Protect yourself, kill the mag stripe

@Robert - that's fine, until you need to use your card in another country, such as the USA.

Also never physically alter your card - it's not yours, it's your bank's and it should be retained by a merchant and certainly will be by your bank if it's damaged.

1
0
WTF?

Re: How to address skimming?

> If ATMs are so tough to smash, maybe we should be equipping each one with a sledgehammer, and encouraging customers to wail on the machines before use? That should sort out any false fascia - or at least increase the costs significantly for the crims making them.

You don't need to "wail" on it with a sledgehammer.

Maybe just give the area around the card slot a good tug if it seems suspicious?

0
0
Silver badge

Re: How to address skimming?

"ATMs are designed to be tough, hard to smash and easy to clean. Perhaps they also need to design them so that it's hard to fit a false front? Any ideas?"

People should probably watch the video of an ATM being attacked in a petrol station in Hampshire. After the explosion, money was showered everywhere. Bit of a design flaw there methinks. Bearing in mind they used gas, I assume the gas was injected into the ATM through cracks etc. and then ignited. The pressure wave produced would blow the ATM apart, hence the cash just laying around.

A side reference to The Italian Job is obviously required here.

2
0
