What is Card Skimming and Who Does It?
 |
| Illustration courtesy of the Dearborn Police Department |
Data from Consumer Payment Cards
The first type of skimming event is the acquisition of payment data directly from the consumer’s payment device (payment card). This is normally accomplished through a small, portable card reader. Normally this occurs during a payment transaction conducted by the consumer at a merchant location and usually involves internal merchant personnel who have both criminal intent and direct access to the consumer payment device (payment card) with little or no observation at the time of payment. The majority of skimming attacks deal with the capture of payment data from magnetic-stripe payment cards.Data Capture from the Payment Infrastructure
The second type of skimming event results from the capture of payment data within the payment infrastructure at the merchant location, with a focus on compromised POS terminals and their respective infrastructures (terminal locations, wires, communication channels, switches, etc). Criminals will insert electronic equipment, by various means, into the terminal or the terminal infrastructure, in order to capture consumer account data. The skimming equipment can be very sophisticated, small, and difficult to identify. Often it is hidden within the terminal so neither the merchant nor the cardholder knows that the terminal has been compromised.Perpetrators and Skimming Targets
Understanding the lengths that criminals go to in order to obtain and compromise account data may help you understand the necessity of taking sufficient measures to make it significantly more difficult for the criminals to target your particular location.Who Does It?
Regardless of how it is achieved, skimming is a highly profitable criminal activity, difficult to prevent and detect. As a result, it appeals to both ends of the criminal spectrum:The most sophisticated and dedicated organized criminal elements, leading to very complex and surprisingly effective attacks on the merchant terminal infrastructure; and The intent of this document is to provide guidance to merchants in their efforts to securely process and appropriately maintain cardholder data. The most common, least sophisticated of criminal elements, who use readily available, simple technology and direct access to consumer payment cards. Criminals want a high and rapid rate of return, regardless of the type of theft they are considering. Skimming allows them to capture massive amounts of account details in a short amount of time, with low risk of detection. As a result, it often is their first and foremost consideration.
Targets of Skimmers
PIN Data
In addition to the acquisition of account data on the card, criminals are very interested in the acquisition of PIN data. The industry and law enforcement have seen significant efforts to acquire PINs at the payment terminal by the following means, among others:* “Shoulder-surfing” by individuals stationed nearby the POS device * Placement of fake PIN entry devices (PEDs), ATMs, or readers and CCTV cameras directed at the PED on the payment terminal Unattended or Temporarily Unmanned Terminals.
Merchant locations that for a wide variety of justifiable business needs have self-service terminals, unattended payment terminals, exterior payment terminals, and/or multiple terminal locations not manned all the time, for all shifts, are prime targets for intrusive terminal and terminal infrastructure attacks. Criminals will also target large multi-lane retailers where, during less busy periods, not all of the lanes are used and terminals are effectively left unattended. Criminals will steal terminals, compromise them, and then return them to either the same store or to another store in the same chain.
Kommentare
Kommentar veröffentlichen