Invisible ATM Card skimming


  • Service Provider

    Internal devices skimming your ATM card and PIN. This is a nasty thing. Am I supposed to scan Bluetooth before using every ATM?

    http://krebsonsecurity.com/2015/09/tracking-a-bluetooth-skimmer-gang-in-mexico/


  • Service Provider

    Hey Ho To Mexico!

    "Despite more head nods and a round of verbal agreement from the hotel staff that this was a good idea, to my surprise nobody at the hotel bothered to touch the machine for two more days."

    The problem is not that there are skimmers, the problem is no one wants to deal with it. It's up to the technical wizards in the background to fix these things.


  • Service Provider

    That's the kind of device that got us while we were in Morocco and no one responded or did anything about it while we were there either.



  • Yet another reason not to use ATM cards. Though for cash transactions while traveling, considering the high fees for cash withdrawals on CC's, I'm not sure what a person is to do.


  • Service Provider

    @Dashrender said:

    Yet another reason not to use ATM cards. Though for cash transactions while traveling, considering the high fees for cash withdrawals on CC's, I'm not sure what a person is to do.

    You use your ATM at an actual bank. Preferably a branch of your bank. For us, we bank with Citibank for day to day stuff and while Citibank Japan is a different sister company, there are no fees to use the ATM's there. So that is what we do.

    If you read his follow up articles, you will learn that this is mostly a single private ATM provider being affected right now, but only mostly. That said, no bank owned ATM's were currently infected. Likely due to the stricter policy enforcement of how changes happen.


  • Service Provider

    ATMs inside of banks would be the best option, the ones that are indoors inside a branch.

    It was a bank owned ATM where we got skimmed in Morocco, but one at a train station and not in a branch.


  • Service Provider

    If you are really paranoid, open a new temporary account with someone like Bank of America a month before you travel and set up some methods to transfer cash online as needed.

    The side benefit there is also that some of these banks offer new customer incentives of like $100 if you open an account for 3 months and such.


  • Service Provider

    We move money out of our ATM account into an untouchable account so that the maximum that can be skimmed is pretty small.



  • @JaredBusch said:

    If you are really paranoid, open a new temporary account with someone like Bank of America a month before you travel and set up some methods to transfer cash online as needed.

    The side benefit there is also that some of these banks offer new customer incentives of like $100 if you open an account for 3 months and such.

    That's a good idea. If I was an ATM user I would need to find an international bank.


  • Service Provider

    @Dashrender said:

    @JaredBusch said:

    If you are really paranoid, open a new temporary account with someone like Bank of America a month before you travel and set up some methods to transfer cash online as needed.

    The side benefit there is also that some of these banks offer new customer incentives of like $100 if you open an account for 3 months and such.

    That's a good idea. If I was an ATM user I would need to find an international bank.

    You don't use ATMs?



  • @scottalanmiller said:

    @Dashrender said:

    @JaredBusch said:

    If you are really paranoid, open a new temporary account with someone like Bank of America a month before you travel and set up some methods to transfer cash online as needed.

    The side benefit there is also that some of these banks offer new customer incentives of like $100 if you open an account for 3 months and such.

    That's a good idea. If I was an ATM user I would need to find an international bank.

    You don't use ATMs?

    Nope, I haven't had an ATM card in 20 years. I don't trust that particular system - it's a me thing. CC's at least offer you a near guarantee of not paying fraudulent charges on your account, debit cards don't offer that protection in many cases, especially when the PIN is used (Though, do I recall correctly that your bank refunded your fraud?)

    *Edit - look at the Target issue, how long were your PIN numbers out in the wild before this was realized?

    The one thing that was frustrating about Europe to me was the inability to use my CC. Many places demanded cash only. This was a limiting factor as I had little to no way of getting cash once I was there.

    Perhaps I'll set up an account as you guys have suggested with just a few hundred in it and the ability to go online and transfer to it - but that also requires me to do something else I don't currently have - an account with online access. All of my accounts are currently set up to specifically deny online access. And over the phone transactions now require a password as well as normal account information to gain access (my bank informed me that someone was trying to call into the bank to gain access to my accounts). Considering the amount of resources it takes to make calls to a bank to do fraud, I was/am worried that someone was personally out to upset my situation.


  • Service Provider

    @Dashrender said:

    Nope, I haven't had an ATM card in 20 years.

    But you did before that? That's when they were just getting common.


  • Service Provider

    @Dashrender said:

    The one thing that was frustrating about Europe to me was the inability to use my CC. Many places demanded cash only. This was a limiting factor as I had little to no way of getting cash once I was there.

    Yeah, can't imagine living without immediate access to cash on demand.


  • Service Provider

    @Dashrender said:

    Nope, I haven't had an ATM card in 20 years. I don't trust that particular system - it's a me thing. CC's at least offer you a near guarantee of not paying fraudulent charges on your account, debit cards don't offer that protection in many cases, especially when the PIN is used (Though, do I recall correctly that your bank refunded your fraud?)

    My bank was able to block it, so it never happened. Someone else had it refunded.

    Credit cards are SO easy to skim, they have to refund you because they refuse to check if it is really you.


  • Service Provider

    @Dashrender said:

    *Edit - look at the Target issue, how long were your PIN numbers out in the wild before this was realized?

    Minor pet peeve.
    PIN - Personal Identification Number.
    Saying PIN number just sounds uneducated.



  • @scottalanmiller said:

    @Dashrender said:

    Nope, I haven't had an ATM card in 20 years.

    But you did before that? That's when they were just getting common.

    I did, for less than 4 years. When I opened a checking account at the old age of 16, they put a debit card on my account. Back then you could only use them at ATMs for cash withdrawals. Not like today where you can use them for day to day purchases - frankly I'm unsure how they work in a non PIN fashion.

    I rarely used the ATM card then, opting instead to visit a branch (which was nearly as convenient as an ATM) to get cash when I needed. This was also a mechanism for me to curb my spending.

    Once I got a CC, I killed the ATM and never looked back.


  • Service Provider

    @Dashrender said:

    (my bank informed me that someone was trying to call into the bank to gain access to my accounts). Considering the amount of resources it takes to make calls to a bank to do fraud, I was/am worried that someone was personally out to upset my situation.

    In my opinion, this statement makes your objections just seem paranoia based objections.

    You do not use or do all these things that make your life more difficult. Yet you have been a target of fraud anyway.

    So instead of sticking your head in the sand, use the tools that are out there.



  • @scottalanmiller said:

    @Dashrender said:

    Nope, I haven't had an ATM card in 20 years. I don't trust that particular system - it's a me thing. CC's at least offer you a near guarantee of not paying fraudulent charges on your account, debit cards don't offer that protection in many cases, especially when the PIN is used (Though, do I recall correctly that your bank refunded your fraud?)

    My bank was able to block it, so it never happened. Someone else had it refunded.

    Credit cards are SO easy to skim, they have to refund you because they refuse to check if it is really you.

    Chip AND Pin would definitely cut down on the amount of fraud. I believe that Europe fully implemented that, I don't understand why the US skipped the Pin portion of it? How does plugging the card into a reader help? I suppose it keeps someone from just copying the mag strip. I wonder how much fraud will be reduced by the reduced use of the mag strip alone?


  • Service Provider

    @Dashrender said:

    @scottalanmiller said:

    @Dashrender said:

    Nope, I haven't had an ATM card in 20 years. I don't trust that particular system - it's a me thing. CC's at least offer you a near guarantee of not paying fraudulent charges on your account, debit cards don't offer that protection in many cases, especially when the PIN is used (Though, do I recall correctly that your bank refunded your fraud?)

    My bank was able to block it, so it never happened. Someone else had it refunded.

    Credit cards are SO easy to skim, they have to refund you because they refuse to check if it is really you.

    Chip AND Pin would definitely cut down on the amount of fraud. I believe that Europe fully implemented that, I don't understand why the US skipped the Pin portion of it? How does plugging the card into a reader help? I suppose it keeps someone from just copying the mag strip. I wonder how much fraud will be reduced by the reduced use of the mag strip alone?

    The US skipped the CHIP portion of it. Can't get a chipped card anywhere. I've asked and asked. Some people lie to get you to get their card and then it has no chip. I've been trying since 2007 to get one.

    In Europe it is a law to protect consumers, that's why they have it. In the US they have shown that the chip is too expensive and it is cheaper to have the fraud.


  • Service Provider

    Correct, the chip cannot be easily duplicated. And the PIN plus the chip means that someone can't take it into a back room and make a purchase physically before returning your card to you. It is standard in Europe that the card never leaves your possession at all.


  • Service Provider

    @Dashrender said:

    I did, for less than 4 years. When I opened a checking account at the old age of 16, they put a debit card on my account. Back then you could only use them at ATMs for cash withdrawals. Not like today where you can use them for day to day purchases - frankly I'm unsure how they work in a non PIN fashion.

    Debit cards and ATM cards are not the same thing. A pure ATM card is still cash withdrawal only. A debit card tells the system that it is a credit card in cases where it does not use a PIN and uses the standard Visa or MasterCard system to do the transaction.


  • Service Provider

    @Dashrender said:

    Once I got a CC, I killed the ATM and never looked back.

    If this was chip & pin and could also give me painless, feeless access to cash on demand, I would agree.


  • Service Provider

    @scottalanmiller said:

    The US skipped the CHIP portion of it.

    Misleading statement. The US banking industry successfully lobbied against it. Because they did not want to deal with the costs of upgrades. It took all the recent fraud/hacking stuff to finally get legislation through.

    Can't get a chipped card anywhere.

    False statement. Chip cards have been rolling out for the last couple years and all major banks will have them out to customers by the end of the year so they can start pushing fraud claims back up the chain to stores that do not use chip based readers.



  • @JaredBusch said:

    So instead of sticking your head in the sand, use the tools that are out there.

    You're equating my choice to not use that technology as the same as sticking my head in the sand?

    I think sticking your head in the sand would be comparable to the people who in the article were warned that the ATM they were about to use was hacked, yet they used it anyhow.

    Instead, I'm simply choosing to live a 'harder' life to try to keep myself a bit more secure.

    Before that attempt to access my bank account, I did not have a password requirement on my account. In fact I had called the bank in the past for account information, providing recent payments/deposits as additional proof of ownership, and felt those safeguards were good enough. Up to that point, they appeared to be, and in reality they still were - because the bank denied them access to my information for lack of this information, but it was really no bother to add the additional password for over the phone access.


  • Service Provider

    @Dashrender said:

    Instead, I'm simply choosing to live a 'harder' life to try to keep myself a bit more secure.

    That you think it makes you more secure is where he is equating it to the head in the sand. Is it more secure? Why is phone access harder to hack? Isn't it easier in most cases? That's normally the fastest path to breaking into someone's account.

    You've made your life harder, by a lot, for sure. But the question is, is it to make you more secure?



  • @scottalanmiller said:

    @Dashrender said:

    @scottalanmiller said:

    @Dashrender said:

    Nope, I haven't had an ATM card in 20 years. I don't trust that particular system - it's a me thing. CC's at least offer you a near guarantee of not paying fraudulent charges on your account, debit cards don't offer that protection in many cases, especially when the PIN is used (Though, do I recall correctly that your bank refunded your fraud?)

    My bank was able to block it, so it never happened. Someone else had it refunded.

    Credit cards are SO easy to skim, they have to refund you because they refuse to check if it is really you.

    Chip AND Pin would definitely cut down on the amount of fraud. I believe that Europe fully implemented that, I don't understand why the US skipped the Pin portion of it? How does plugging the card into a reader help? I suppose it keeps someone from just copying the mag strip. I wonder how much fraud will be reduced by the reduced use of the mag strip alone?

    The US skipped the CHIP portion of it. Can't get a chipped card anywhere. I've asked and asked. Some people lie to get you to get their card and then it has no chip. I've been trying since 2007 to get one.

    In Europe it is a law to protect consumers, that's why they have it. In the US they have shown that the chip is too expensive and it is cheaper to have the fraud.

    Well those things are changing. While the Chip cards aren't everywhere yet, they are coming (finally). My Amex has had one for 2 years now (all the longer I've had the card), but my Visa (local bank) does not.

    Starting in Oct, the vendor will be responsible for any in person fraud if the patron presents a chip based card but the vendor doesn't process it chip based.

    I'm sure there are several other things that have to be in place for that as well, but it's a start.

    Walmart started requiring me to use the chip portion two months ago, assuming the card had a chip. I would swipe my Amex, and it would beep at me.. the cashier would ask - do you have a chip on the card? I'd say yes, they'd say - you have to insert the card into the bottom of the reader.


  • Service Provider

    @Dashrender said:

    Before that attempt to access my bank account, I did not have a password requirement on my account. In fact I had called the bank in the past for account information, providing recent payments/deposits as additional proof of ownership, and felt those safeguards were good enough. Up to that point, they appeared to be, and in reality they still were - because the bank denied them access to my information for lack of this information, but it was really no bother to add the additional password for over the phone access.

    So it sounds like you have far less security than we do with our online accounts. Why do you feel the extra effort is worth it to be less secure? What's the end goal?

    It's all personal stuff, so do what makes you happy. But I think you are imagining a security that you are not achieving.



  • @scottalanmiller said:

    @Dashrender said:

    Instead, I'm simply choosing to live a 'harder' life to try to keep myself a bit more secure.

    That you think it makes you more secure is where he is equating it to the head in the sand. Is it more secure? Why is phone access harder to hack? Isn't it easier in most cases? That's normally the fastest path to breaking into someone's account.

    You've made your life harder, by a lot, for sure. But the question is, is it to make you more secure?

    You don't think adding the password makes the account more secure? I suppose perhaps not, if the password was easily guessable, and the bank didn't require any of the previous account verifications.


  • Service Provider

    @Dashrender said:

    I think sticking your head in the sand would be comparable to the people who in the article were warned that the ATM they were about to use was hacked, yet they used it anyhow.

    Why? Cars have accidents but we still drive them. Understanding that risks exist is very important. Not panicking and treating them reasonably is a key thing that we do in IT. There are risks everywhere. Some are big, some are small. Knowing what they are and just how risky they are is very important. Extremely important.

    There are tradeoffs. And often reacting too much to one threat can create another risk that we overlooked.

    Knowing that I can get skimmed by an ATM is very important. Knowing which ATMs to use, where to use them, how to use them, etc. is important. Recognizing that I was skimmed and having my card shut off before it could be used was important. Having the available money in my account low was important. But I would not call that putting my head in the sand. I would call it a reasonable response to a small risk. I'm a high risk traveler and it's still a minor threat for me.



  • @scottalanmiller said:

    @Dashrender said:

    Before that attempt to access my bank account, I did not have a password requirement on my account. In fact I had called the bank in the past for account information, providing recent payments/deposits as additional proof of ownership, and felt those safeguards were good enough. Up to that point, they appeared to be, and in reality they still were - because the bank denied them access to my information for lack of this information, but it was really no bother to add the additional password for over the phone access.

    So it sounds like you have far less security than we do with our online accounts. Why do you feel the extra effort is worth it to be less secure? What's the end goal?

    It's all personal stuff, so do what makes you happy. But I think you are imagining a security that you are not achieving.

    Is my life more difficult - absolutely. Am I less secure than you - no way! Only if you've set up your accounts to not allow phone access, and only allow in person or online would you maybe be more secure. If you have two factor authentication on your bank account and disabled phone access, then I'd say you are more secure.

