BALTIMORE—At the USENIX Security Symposium here today, University of Florida researcher Nolen Scaife presented the results of a research project he undertook with Christian Peeters and Patrick Traynor to effectively detect some types of "skimmers"—maliciously placed devices designed to surreptitiously capture the magnetic stripe data and PIN codes of debit and credit cards as they are inserted into automated teller machines and point-of-sale systems. The researchers developed SkimReaper, a device that can sense when multiple read heads are present—a telltale sign of the presence of a skimmer.
Nolen and his fellow researchers worked with data provided by the New York City Police Department (NYPD) to assess the types of credit-card-skimming gear currently in the wild. They uncovered four broad categories of skimming gear:
- Overlays—devices that get placed on top of the slot for the ATM or point-of-sale system. They can be modeled to match a specific ATM type's card slot or, in some cases, overlay an entire device such as a credit card reader at a retail point of sale. Overlays on ATM machines are sometimes accompanied by a keypad that is placed atop the actual keypad to collect PIN data.
- Deep inserts—skimmers engineered to be jammed deep into the card reader slots themselves. They're thin enough to fit under the card as it is inserted or drawn in to be read. An emerging version of this is a "smart chip" skimmer that reads EMV transactions passively, squeezed between the card slot and the EMV sensor.
- Wiretap skimmers—devices that get installed between a terminal and the network they connect to. This suggests there's a fundamental security problem to begin with.
- Internal skimmers—devices installed in-line between the card reader of a terminal and the rest of its hardware. These, Scaife said, are more common in gas-pump card readers, where the attacker has a greater chance of being able to gain access to the internals without being discovered.
Overlays and deep inserts are by far the most common types of skimmers—and are increasingly difficult to detect. Police, Scaife noted, often find them only by looking for the cameras used by skimmers to capture PIN numbers, because most of the common detection tips—including trying to shake the card slot to see if it dislodges—are ineffective.
SkimReaper is aimed specifically at overlays and inserts. It uses a card-shaped sensor with a printed circuit that, when powered, can detect the voltage spikes created by coming in contact with magnetic reader heads. If it detects two or more, there's a skimmer in play.
Testing against skimmers collected by the NYPD, the SkimReaper yielded a 100-percent detection rate. The NYPD has adopted SkimReaper and has already discovered one skimmer in the wild with the device; another seven police departments have also signed on for the SkimReaper, and Scaife says that demand exceeds his team's ability to manufacture them.
But the payoff is huge in terms of damage to skimming operators. Card-skimming devices are costly and custom-manufactured for each type of targeted machine, and stopping and retrieving a skimmer can put a serious dent in the skimmer's profits. Detection in place also offers law enforcement an opportunity to catch the skimmer or an accomplice in the act of trying to remove the device after data is collected.
[contf] [contfnew]
Ars Technica
[contfnewc] [contfnewc]