As recent breaches at Home Depot, Target, and many other points of sale have shown, skimming is now something that consumers have become aware of, which is a good thing. Skimming, the extraction of a credit card’s magnetic stripe data (and the PIN, if the bandit gets lucky), allows a black hat to create a clone of the card (if he or she so desires) and use it in a fraudulent purchase transaction. If the PIN has been obtained, ATMs can be used for fraudulent withdrawals.
Perhaps spurred by recent breaches, the PCI Council has published a new document illustrating examples of equipment used for skimming. The document should be required reading for all businesses that use payment cards, and businesses need to educate their employees on how to detect skimming devices.
Consumers also cannot be overly educated in identifying skimming, and cannot assume that even the most well-intentioned business can always keep these skimming devices at bay. The equipment can be extremely difficult to spot. For example, the ATM on the right has been altered with a device to read the magnetic stripe and a camera to record customers entering PINs. Even employees well-versed in the physical layout of an unaltered ATM might find it difficult to spot the skimming modifications themselves.
Credit card skimming will remain relatively easy to do (i.e., requiring only reading the magnetic stripe and using a camera to record a PIN) until more sophisticated EMV cards using small microchips become widely used. Unfortunately, until then, the best defense is proactive businesses, well-educated employees being vigilant about point of sale card readers, and customers practicing a good dose of sophisticated paranoia.
The PCI document can be found at the PCI documents site. Search for “skim” in the “All Documents” view.
Feature Image, Courtesy of stockimages, freedigitalphotos.net.
Image, PCI Security Standards Council, Skimming Protection for Merchants.