Stickers vs. Skimmers: Can’t We Do Better?

There is no doubt that securing the global infrastructure against card skimming is a critical task. Despite the cost and complexity of upgrading our technology, the U.S. has reached a point where we can no longer sit idly by while the frequency and sophistication of credit card thefts grow. This problem has always come down to cost. The sheer number of card reading devices in use today has made it economically unjustifiable to switch technologies, given the losses incurred by credit card issuers. It is estimated that bank losses from compromised cards are $2.4 Billion (not including losses borne by merchants themselves, which could be tens of billions), while replacing all payment cards, terminals, and ATM/gas pump readers would top $5.8 Billion.

The reluctance to switch to “EMV” or “Chip and PIN” cards, as many countries in Europe and elsewhere have done, seems shortsighted, but certainly not surprising where such large expenditures are involved. The trends in crime and loss, however, paint a much more serious picture – and will become the driving force to bring the U.S. closer to where we need to be. As one would expect, as countries around the world transitioned to more secure payment systems, crime shifted to the ones that did not – primarily the U.S. – and figures reported by some banks show that fraud has quintupled here in the past five years.

Compounding the problem is the availability of custom electronic devices, known as skimmers, that make reading cards and retrieving PINs easier than ever. Brian Krebs has a great collection of posts and photos of such equipment here (look for “All About Skimmers” in his Categories section). Skimmers can be designed to blend into the exterior of ATMs, mounted inside gas pumps, and attached to retail credit card terminals, making detection very difficult. The security industry has helped raise awareness, but realistically, there is little that can be done to protect the current technology. Applying tamper-evident tape to gas pump access panels, as the Association for Convenience and Fuel Retailing suggests, barely qualifies as a countermeasure, and Barnes & Noble’s PIN pads were compromised, despite being located in a busy public space (to be fair, it is unclear whether the B&N terminals were modified in-place or prior to installation). Even with a vigilant public and reliable tamper detection for these devices (neither of which exists today), the inherent insecurity of today’s magnetic stripe credit cards demands change. Consider the proliferation of low cost, high resolution cameras – some of which are already finding their way into skimmers. With cameras mounted on either side of a card reader, the potential exists to capture the card number, PIN, and verification code of a card without direct tampering of any kind – and at greater and greater distances.

The good news, as reported early in 2012, is that a program to support smart-card technology upgrades is in the works. The costs will likely be paid by both the merchants and card issuers through direct investment, and changes to the rules regarding security (PCI-DSS), auditing, and liability for fraud. More information can be found here. It is sure to be a long process, however, despite the fact that some retailers are already installing upgraded card readers.

Meanwhile, a press release this week from MasterCard makes it clear that card security will continue to advance. They announced a partnership with Standard Chartered Bank Singapore to roll out cards with an embedded keypad and one-time password generator (picture above). Don’t expect to find one of these in your (U.S.) mailbox anytime soon…

— UPDATE 12-11-2012 —

I decided to make this an anchor post, and will update it periodically with stories and information about skimmers and countermeasures.

12-07-2012 Article from NBC in Southern California about the widespread use of skimmers, including pictures of newer devices with Bluetooth capabilities. Here is one of the images:
[Image: skimmer close-up]

8-13-2013 Well, we’re finally seeing some better options being deployed. Here is an article detailing a few of them.