2022/05/26 01:34:28

Skimming (Shimming)

Bank card skimmers are devices attackers use to steal bank card data at ATMs and payment terminals. They look like card reader overlays made to match the design of the ATM. Although skimmers "mimic" real card readers, they are quite bulky: an attentive user can identify them relatively easily, after which they are removed from the ATM, which is unprofitable for fraudsters.


Skimming

One of the most popular methods of money theft in Europe and America: from 2014 to 2015 alone, the volume of hardware and software skimming increased 5.5 times (according to the FICO Card Alert Service). In Russia, however, it is not as popular. Firstly, because of the smaller number of ATMs in the country as a whole (in 2015, 200 thousand devices were recorded in Russia against 425 thousand in the United States), and secondly, because of the small number of payment terminals that accept cards with only a magnetic stripe. In most cases, Russia uses universal terminals that accept both magnetic-stripe cards and chip cards. One likely reason is that the Central Bank recognized the chip card as more secure, and from July 1, 2015, the Central Bank obliged banks to issue settlement and credit cards equipped with a microprocessor.[1][2]

For a long time, attackers successfully used physical overlays to commit thefts from ATMs. Their evolution can be traced from thin overlays inside the ATM to huge artificial panels that fully emulate the front panel of the ATM. The mechanics of the theft are as simple as possible: a skimmer is placed over the ATM card reader, and with its help the attacker reads all the data from the magnetic stripe. Some skimmers work by accumulating the information read from users, while others immediately transmit the card data to the fraudsters over a radio channel (to a miniature receiving device or directly to their receiving equipment). In addition, a fake keypad is attached to the ATM; when the card holder types on it, the PIN code is handed to the fraudsters. Another means of obtaining information used by attackers is hidden video cameras installed near the ATM.

Attackers do not always need to learn the card's PIN itself, since the main track of a magnetic bank card (Track2) is enough to create a copy of the card, which can often be used to pay in stores, at POS terminals or online. Track2 contains all the card information: the PAN (card number), the expiry date, and an encrypted PIN.

The prevalence of such theft methods has led ATM manufacturers and third-party vendors to install active or passive anti-skimming tools, which makes it possible to combat this type of theft effectively. Some overlays, however, anti-skimming equipment has not yet learned to detect: for example, one of the most inconspicuous overlays sits on the bus between the card reader and the ATM computer and stores the data of the cards read.

Another obstacle for lovers of physical skimming was the introduction of criminal liability for the theft of card data at ATMs. For such illegal actions, criminals now face penalties of various types depending on the severity of the crime (from fines to imprisonment). That is why the most active hackers are gradually moving to a new level.

No contact

Card transactions at ATMs often involve the transmission of Track2 magnetic stripe data in the clear. For example, if the network connection between the ATM and the processing center is not protected by encryption, stealing the card number is no great difficulty: overlays that listen to the traffic transmitted from the ATM to the processing center are much easier to organize than opening and modifying the ATM itself.

In this case, video surveillance systems at the ATM, control over the opening of the service area and other means of physical protection are of no use.

Hackers have invented malware that can covertly harvest card data for months. And this is not much more complicated than attacks using other malware, which, for example, "forces" the ATM to dispense all the bills it contains by a special command.

In general, there is a certain dependence: the harder it is to rob ATMs, the more attackers tend toward the "long game" (now characteristic of APT attacks). The attacker sets himself the task of remaining unnoticed for as long as possible and, all that time, harvesting card data from ATMs for use in future fraudulent operations. By the way, according to statistics, in Russia there are more than 6,000 operations per ATM per quarter. If each transaction is taken as a potential "harvest" of card data, then simple arithmetic (multiplying by the number of ATMs covered and by the time the attacker is present in the network) predicts a very significant amount of compromised data.

Using social engineering techniques or other attacks on the bank's perimeter, hackers easily penetrate the banking network: according to our statistics, on average up to a third of employees open emails with attachments that can infect their computers, and this despite the fact that a single opened email is enough for the attack to succeed. In 47% of cases, the organization's perimeter can be overcome using web application vulnerabilities.

After penetrating the bank's internal network, attackers only need to reach the particular subnet of the bank's processing, where the data of the entire ATM network is located. There they can also find out which ATMs are not protected against critical vulnerabilities or run without a firewall. This makes it possible to infect any ATM and extract money from each of them at any time. The GSB state bank in Thailand was robbed according to a similar scenario. By the way, to stop attempts to withdraw money illegally from a random ATM, in that particular case half of the entire ATM network (more than 3,000 devices) had to be disconnected.

In October 2017,[3] Atef Alkhatib, a native of Jordan who had been skimming for several years, was convicted in the United States.[4] Traveling around the cities of Southern California, he placed devices on ATMs to read information from cards' magnetic stripes and also installed hidden video cameras within sight of the ATMs, which allowed him to learn PIN codes. At home, the criminal set up a workshop for making duplicates of compromised cards. Over three years, the man stole financial information from more than 13 thousand customers of Wells Fargo and other American banks. The damage amounted to several million dollars.

Skimming schemes are often run by organized crime. In 2016, Abu Dhabi police arrested four hackers of Asian origin who stole[5] credit card information using spying devices. The total losses of the credit card owners amounted to more than a million Emirati dirhams (about $270 thousand). It should be noted that the victims had previously posted information about their credit cards on electronic trading platforms, which made the attackers' "work" easier.

Criminals from other countries are often engaged in this criminal fishing.[6] For example, at the end of 2017, Indian police detained two groups of Romanian citizens at once. Arriving in India on tourist visas, they devoted their time not to sights and culture but to setting up skimming devices. As a result, more than 1000 people lost about 6.6 million rupees (about $100 thousand).

In addition to ATMs, payment terminals at gas stations are quite popular targets for skimmers. For instance, a group of 12 fraudsters was neutralized[7] in Colorado. They operated at gas stations in several states. Members of the criminal group managed to compromise the financial data of more than 8 thousand victims, causing damage of about $2.5 million. In addition, it turned out that the arrested were involved in an international money laundering network.

Recommendations

When visiting an ATM, carefully examine its front for overlays on the keypad or card slot and for other suspicious devices. When typing the PIN, cover the keypad with your free hand; this protects your financial information if the ATM is being watched by scammers' video cameras. Try to withdraw money from ATMs located in bank branches or in well-protected offices; as a rule, skimmers choose street terminals for their fishing. It is also better to refrain from paying by card at unfamiliar gas stations and in suspicious cafes and shops.

Shimmers

Since 2015 a new threat has arisen: the so-called shimmers. These are thin, virtually inconspicuous devices placed inside the card readers themselves to read information from chip cards in ATMs. A shimmer is a thin "pad" that sits between the chip on the card and the chip reader in the ATM or terminal and records data from the chip when the terminal reads it. The data collected in such an operation cannot be used to make a new chip, but it can be used to clone the card's magnetic stripe.

The loophole that bypasses chip-card security mechanisms such as iCVV (which protects against copying the card's magnetic stripe and creating a duplicate) is that the process of issuing chip cards in a number of banks still does not fully comply with the chip-card security standard known as EMV (Europay, Mastercard and Visa). The creators of shimming have taken advantage of this vulnerability.

"Only those cards whose issuing bank neglects the mandatory automatic verification of CVV when receiving each payment request fall into the risk zone for shimmers," NCR Corp reports. "All issuers must conduct checks in this direction in order to eliminate the possibility of fraudulent transactions on cards whose data were stolen using shimmers. In general, shimming does not pose a danger to chip cards and does not require the introduction of additional protection mechanisms on payment terminals and ATMs."

The first shimmers appeared back in 2015 in Mexico, and since then they have gained particular "popularity" in Canada. Many card-processing companies are concerned that they may soon spread to the US market due to the law on mandatory chipping of credit and debit cards.

Security experts urge store and ATM owners to check card readers daily to be sure that no third-party devices are present. However, the main responsibility for eliminating the new threat lies with the issuing banks. Only full compliance with the security standards of the international payment systems will protect their customers from financial risks.
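The following is an added example, not code from the original article or from NCR, that ties together the Track2 layout described in the skimming section and the issuer-side CVV verification the shimming section calls for. It parses an ISO 7813 Track 2 string, then models the issuer's authorization decision for a magnetic stripe transaction: the genuine stripe carries a CVV derived with the card's service code, while a stripe cloned from chip data can only carry the chip's iCVV (derived with service code 999), so an issuer that recomputes and compares the value rejects the clone. The key (`CVK`), the test PAN, the discretionary-data layout and the use of HMAC-SHA256 in place of the 3DES-based CVV algorithm are assumptions made for this example.

```python
import hashlib
import hmac
import re

# Constructed issuer key. A real issuer derives CVV/iCVV with a Card Verification
# Key under 3DES; HMAC-SHA256 is used here as a stand-in so the example runs.
CVK = b"constructed-issuer-cvk"

# ISO 7813 Track 2: ;PAN=YYMM SSS discretionary-data ?  (sentinels optional here)
TRACK2_RE = re.compile(r"^;?(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\??$")


def parse_track2(track2):
    """Split a Track 2 string into PAN, expiry (YYMM), service code and discretionary data."""
    m = TRACK2_RE.match(track2)
    if not m:
        raise ValueError("not a Track 2 string")
    return m.groupdict()


def luhn_ok(pan):
    """Luhn check-digit test on the PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def derive_cvv(pan, exp, svc):
    """Three-digit verification value over PAN, expiry and service code.
    The stripe's CVV is derived with the card's real service code; the chip's
    iCVV is derived with service code '999', so a stripe cloned from chip data
    carries a value the issuer can tell apart from the genuine stripe CVV."""
    mac = hmac.new(CVK, f"{pan}{exp}{svc}".encode(), hashlib.sha256).hexdigest()
    return f"{int(mac, 16) % 1000:03d}"


def make_track2(pan, exp, svc, from_chip=False):
    """Constructed Track 2 data: as personalized by the issuer (from_chip=False),
    or as a stripe clone built from chip data would look (from_chip=True, carries
    iCVV). Toy layout: discretionary data is 4 filler digits followed by the CVV."""
    cvv = derive_cvv(pan, exp, "999" if from_chip else svc)
    return f"{pan}={exp}{svc}0000{cvv}"


def authorize_magstripe(track2, verify_cvv=True):
    """Issuer-side decision for a transaction presented as a magnetic stripe read.
    verify_cvv=False models the negligent issuer the NCR statement describes."""
    f = parse_track2(track2)
    flags = []
    if not luhn_ok(f["pan"]):
        return "DECLINE", ["PAN fails Luhn check"]
    if verify_cvv:
        presented = f["disc"][-3:]
        if presented != derive_cvv(f["pan"], f["exp"], f["svc"]):
            if presented == derive_cvv(f["pan"], f["exp"], "999"):
                flags.append("stripe carries the chip's iCVV: cloned from chip data")
            else:
                flags.append("CVV mismatch")
            return "DECLINE", flags
    if f["svc"][0] in "26":  # service code 2xx/6xx: an IC is present on the card
        flags.append("chip-capable card read on stripe (fallback): review")
    return "APPROVE", flags


if __name__ == "__main__":
    pan, exp, svc = "4111111111111111", "2512", "201"  # constructed test card
    genuine = make_track2(pan, exp, svc)
    clone = make_track2(pan, exp, svc, from_chip=True)
    print("genuine stripe:", authorize_magstripe(genuine))
    print("shimmer clone, issuer checks CVV:", authorize_magstripe(clone))
    print("shimmer clone, issuer skips CVV:", authorize_magstripe(clone, verify_cvv=False))
```

The contrast between the last two calls is the article's point: the same cloned stripe is declined by an issuer that recomputes the CVV on every request and approved by one that does not. A stripe read from a chip-capable card is additionally flagged for review even when the CVV matches, since a genuine fallback transaction is the only case where that combination should occur.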

Chronicle

2022: Elusive skimming campaigns unfold on the Internet

On May 24, 2022, it became known that, according to Microsoft experts, attackers disguised a skimming script by encoding it into a PHP script embedded in image files. The malicious code executes when the site's index page is loaded. Some skimming scripts also included anti-debugging mechanisms.

Illustration: securitylab.ru

Web skimming is a criminal method of collecting the payment information of website visitors during checkout. Swindlers used vulnerabilities in e-commerce platforms and CMS to implant a skimming script on an online store's page. In some cases, attackers can exploit vulnerabilities in installed third-party plugins and themes to implant malicious scripts.

"During the study, we encountered two cases of malicious images being uploaded to a server hosted on Magento. Both images had the same JavaScript code, but differed slightly in the implementation of the PHP script. The first image was disguised as a favicon and was available on VirusTotal, and the second was a regular WebP file found by our team,"

says a report published by Microsoft.

Microsoft also noticed attackers using Base64-encoded malicious JavaScript to replace Google Analytics and Meta Pixel scripts in order to avoid detection. The experts noted that the hackers behind the Meta Pixel substitution used recently registered domains with HTTPS.

At the end of the report, Microsoft recommends that organizations update their CMS and installed plugins to the latest versions and make sure that all third-party plugins and services are loaded only from verified sources.[8]
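As an added example (not code from the article or from Microsoft's report), the two detection checks a store operator could run against the techniques described in this section: scanning uploaded "image" files for PHP or script markers behind an image header, and auditing a checkout page for tag scripts that look like Google Analytics or Meta Pixel but are served from an unknown host, or inline code hidden behind Base64 that reads payment form fields. The sample files, the sample HTML, the allowlist of tag hosts and the `card_number` field name are constructed for this example.

```python
import base64
import binascii
import re
from urllib.parse import urlparse

# Markers that have no business inside an image file.
CODE_MARKER = re.compile(rb"<\?php|<script\b", re.IGNORECASE)


def image_kind(data):
    """Identify the container from its header; None if no known image magic."""
    if data.startswith(b"RIFF") and data[8:12] == b"WEBP":
        return "webp"
    if data.startswith(b"\x89PNG\r\n\x1a\n"):
        return "png"
    if data.startswith(b"\xff\xd8\xff"):
        return "jpeg"
    if data.startswith(b"GIF8"):
        return "gif"
    return None


def scan_image_file(data):
    """Findings for a file that is supposed to be an image (favicon, WebP, ...)."""
    findings = []
    if image_kind(data) is None:
        findings.append("no recognised image header")
    for m in CODE_MARKER.finditer(data):
        findings.append(f"{m.group().decode()} marker at offset {m.start()}")
    return findings


# Hosts that legitimately serve these tag scripts (allowlist assumed for the example).
KNOWN_TAG_HOSTS = {
    "google-analytics": {"www.google-analytics.com", "www.googletagmanager.com"},
    "fbevents": {"connect.facebook.net"},
}
SCRIPT_SRC = re.compile(r"<script[^>]*\ssrc=[\"']([^\"']+)[\"']", re.I)
INLINE_SCRIPT = re.compile(r"<script(?:\s[^>]*)?>(.*?)</script>", re.I | re.S)
B64_ARG = re.compile(r"atob\(\s*[\"']([A-Za-z0-9+/=]{40,})[\"']\s*\)")
CARD_FIELD = re.compile(r"card_?number|cvv|cvc|expir", re.I)


def audit_checkout_html(html):
    """Flag lookalike tag scripts served from unknown hosts and inline
    Base64-wrapped code that touches payment form fields."""
    findings = []
    for src in SCRIPT_SRC.findall(html):
        host = urlparse(src).hostname or ""
        for needle, hosts in KNOWN_TAG_HOSTS.items():
            if needle in src.lower() and host not in hosts:
                findings.append(f"{needle} lookalike served from {host or src}")
    for body in INLINE_SCRIPT.findall(html):
        for blob in B64_ARG.findall(body):
            try:
                decoded = base64.b64decode(blob, validate=True).decode("utf-8", "replace")
            except (binascii.Error, ValueError):
                continue
            if CARD_FIELD.search(decoded):
                findings.append("base64-wrapped inline script reads payment fields")
    return findings


# Constructed samples: a PNG header with PHP appended, and a clean WebP header.
FAKE_FAVICON = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16 + b"<?php echo 'constructed'; ?>"
CLEAN_WEBP = b"RIFF" + (30).to_bytes(4, "little") + b"WEBP" + b"VP8 " + b"\x00" * 22

# Constructed checkout page: a genuine analytics tag, a lookalike from an
# unrelated host, and an inline script hiding its code behind atob().
_PAYLOAD = base64.b64encode(b"document.getElementById('card_number').value").decode()
SAMPLE_HTML = f"""<html><head>
<script async src="https://www.google-analytics.com/analytics.js"></script>
<script src="https://google-analytics.example/analytics.js"></script>
<script src="https://connect.facebook.net/en_US/fbevents.js"></script>
<script>var q = atob("{_PAYLOAD}");</script>
</head><body><form id="checkout"></form></body></html>"""

if __name__ == "__main__":
    print("fake favicon:", scan_image_file(FAKE_FAVICON))
    print("clean webp:", scan_image_file(CLEAN_WEBP))
    print("checkout page:", audit_checkout_html(SAMPLE_HTML))
```

The image check is deliberately header-agnostic about what follows the magic bytes: a file that starts like a PNG but contains `<?php` further in is exactly the favicon case the report describes. The HTML audit matches on the script name rather than the host, because the substituted tags keep a familiar filename and change only where it is loaded from.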

2016: Russian cybercriminals abandon phishing in favor of skimming

In connection with the measures taken to strengthen the security of mobile and online services, carding is growing in popularity. According to Izvestia, citing experts from Zecurion, attackers increasingly steal bank card data using skimmers installed in ATMs rather than by phishing.

For the period from January to June 2016, carding accounted for 87% of all funds stolen from Russians. The remaining 13% cybercriminals "earned" using phishing. According to the experts, the number of crimes carried out on the Internet decreased by 3% compared to the previous year. The share of offline crimes increased by exactly the same amount.

In January-June 2016, skimming brought attackers income of 900 million rubles, while phishing brought 140 million rubles. Due to a lack of awareness of security issues, pensioners are most often the victims of carders. As Vladimir Ulyanov, head of the Zecurion analytical center, explained, in addition to the data from the magnetic stripes of their cards, attackers can often also obtain the PIN code (for example, by looking over the shoulder or even simply asking).

According to Alexei Sizov, an expert at Jet Infosystems, carding attracts criminals because, unlike online fraud, very little time passes between stealing the data and receiving the money. Installing a skimmer takes a few minutes or even seconds, and cloning the card takes about five minutes. Obtaining funds via phishing takes much longer: it is not enough to learn the credentials; one also needs to obtain a duplicate SIM card, since the SMS messages with one-time transaction passwords go to the mobile device.
