SYSTEM AGAINST SKIMMING


What skimming actually is and the risk it represents for you.

 

For most credit card users, this concept is a total unknown, although lately the term has been appearing more and more frequently in police reports, and by no means only in the Czech Republic.

It involves a set of devices that a mostly well-organized group first prepares or simply purchases on the Internet and then installs wherever credit cards are used (ATMs, payment terminals, ticket vending machines, fuel pumps, etc.).

The first step towards "successful" skimming of your card is to read data from the magnetic stripe. The perpetrator installs a reader over the opening where the card is inserted or swiped. The reader copies the relevant data and stores it directly in the device (flash disk). The device is then removed and the data downloaded from it, or the data is transferred remotely (Wi-Fi, Bluetooth) directly to the computer of the offender, who will not be too far away from the given device.

The second, closely linked step is to determine the PIN of your card. For this purpose an imitation keyboard, indistinguishable from the real thing, may be installed (see photo). Alternatively, various hidden micro cameras record the movement of your fingers or, in the most expensive case, a thermal imager is pointed at the keyboard after you leave the ATM.

Skimming equipment tends to be installed for a limited period of time, i.e. for several hours, and then removed. The obtained data is processed in a short time and is used mostly to produce a duplicate of your credit card or to make online payments. The organized group then withdraws the money from your account on the basis of the data obtained. The withdrawal is usually carried out in very distant destinations such as the USA. Business is also often done on the Internet with the data from your payment card.

 

The risks associated with holding a credit card:

Skimming (electronic copying) of credit cards during their use, for example during cash withdrawals, payments at a merchant, payments in hotels ... In order for the card to be misused, it is necessary to know the PIN code, which is known only by the cardholder. It is a very common misconception that the PIN is listed on the card or in the bank's database; nothing like that is true. The card carries a 5-character field (PVV), which is combined with the entered PIN; from these, according to a strictly secret polynomial, the value held in the bank's database is calculated. Apart from you and the thieves, nobody needs to know the PIN. Thieves get PINs using many tricks: looking over one’s shoulder, mini-cameras, thermal imagers, fake keyboards, fake e-mails, fake banking pages...

The misuse of credit card information on the Internet.

If your card is activated for internet payments, then it is not the PIN that is used for payment authorization but the CVV2 (the three-digit number after the signature stripe). The skimmed data is exploitable when paying online if the CVV2 code is known. For this reason, it is necessary to be careful when you use the card at hotels or at smaller merchants. Skimming occurs when a person pretends to drop the card; it is no problem to remember the three-digit number and write it down after you leave. This is all it takes and you have lost control of your bank account.


The misuse of data when making payments in large shopping centers.

If organized criminals select a retail chain that, for incomprehensible reasons, archives your PIN after purchases (even in encrypted form), they smuggle malicious software onto its server. After this, there is nothing you can do about it and you will lose all the money in your bank account. Such a case hasn’t occurred yet in the Czech Republic.


A card with the PIN code kept in its vicinity.

This is perhaps the worst variant. It would be better to just give your money away to charity. In the event of theft, even immediately blocking the card usually won’t help you.

It is good to read the scale of fees for payment card insurance and related regulations within the EU. Here you will learn about the amount of fees, insurance, deductibles and which cases the insurance covers and doesn’t cover.

 

Models of behavior:

1. Using a single bank account. First, obtain the scale of charges from the bank chosen by you. Affix a security stamp to the payment card. Determine whether the bank operates electronic banking, how much they charge for account management and for your most common banking operations. If you did not choose a bank with client-friendly behavior (see list of banks in the section Information about stamps), then see how much they charge for withdrawals from foreign ATMs. Refuse to activate your card for paying online. Replace that with electronic banking (simple and convenient). This model of behavior will easily protect you from the risks of the misuse of electronic data based on skimming. If you carelessly tell anyone your PIN, or thieves somehow acquire it, it DOES NOT MATTER AT ALL, the security stamp will still reliably prevent the misuse of the data on the magnetic stripe of your card. However, you are not protected from the risk referred to in point 3.

2. Determine the amount of money that you can lose without fundamentally threatening your economic well-being. Keep this sum on your operating account that is associated with your payment card. Keep the rest of the funds on another account without a payment card. Otherwise the same as in point 1 applies.

3. If you do not want to change anything about your behavior and you are at a client-friendly bank, then at least affix a security stamp to your credit card. However, be aware that a credit card secured in this way will protect your account by not allowing you to make withdrawals from improperly configured ATM networks. Stay far away from these ATM networks! So far, NOBODY understands why unhelpful banks doggedly insist on installing obsolete ATMs that do not respect the presence of the chip on the payment card. Meanwhile, setting up the network is fast and free.

4. If you don’t want to change your behavior and you are not at a client-friendly bank, then put a security stamp on your payment card and find out how much your bank will charge you for cash withdrawals from foreign ATMs.

5. If you often travel outside of Europe, then do not acquire a security stamp. It protects data in a way that ATMs outside Europe (except for Australia) cannot react to, and they will not dispense cash. In order to get cash from non-European ATMs, peel off the sticker (remove any adhesive residue with alcohol), and you will get your required cash at the risk of the misuse of data.

6. Especially in Eastern Europe, find out in advance whether a dealer, restaurant operator, receptionist at the hotel, petrol station ... accepts chip payment cards. If they claim that their payment terminal only reads magnetic stripes, then the operator is untrustworthy: promptly leave the given area or pay in cash.

 

 

PERFECT PROTECTION.

 

While the magnetic stripes of payment cards were being examined in the forensic laboratory, a method was developed that fully protects the data stored on the magnetic stripe of credit cards and that criminals don’t know how to handle.

Bank experts argued that such protection does not exist because skimming devices receive data earlier than ATMs. Only a practical demonstration convinced them otherwise.

It is a special security stamp, which is glued to the magnetic stripe of payment cards. And that's all! 

 

DOES THE METHOD HAVE SOME LIMITATIONS?

 

ATMs

 

There is a list of banks whose ATMs are set to give priority to reading data from the chip; at these ATMs the glued-on security stamp reliably protects the accounts of all clients who withdraw cash. PINs are declining in importance and are ceasing to be an essential security element.

However, there is another list of banks whose ATMs are set to give priority to the magnetic stripe, and in such cases the security stamp causes the card to be returned without cash being dispensed. In other words, "if a skimming device is mounted on the ATM, then you will certainly lose the funds on this account after the removal of the security stamp!"

Here you can download the attestation - special security stamps supplied by the manufacturer. 

 

Payment terminals

 

Since 1996 only dual payment terminals, i.e. those which read both magnetic stripes and chips, have been made. However, if you find a "forgotten" merchant or a "forgotten" petrol station that operates a museum-type payment terminal, then there is nothing else to do than to pay cash, and avoid them the next time. Under no circumstances should you remove the stamp.

With a payment card protected in this way, you can’t pay in countries where they don’t have experience with chips on payment cards (North and South America, African countries). Keep in mind that if you remove the stamp, you could lose all the funds on the account.

 

TECHNOLOGICAL LEAP

 

In forensic labs they are investigating secured skimming devices that were installed on ATMs in the Czech Republic. I must say that organized crime has made a huge technological leap in the area of skimming over the past half year.

The tricks and current technical resources are almost perfect, and the public has almost no chance any longer to determine whether a skimming device is installed on an ATM or not. The same applies to masked cameras, thermal imagers and false keyboards whose task it is to find out the PINs of cards.

On the Internet, professional products with instructions on how to "earn" $50,000 per week in the area of skimming are offered to novice thieves.

 

ON BREACHING THE DATA STORED ON THE CARD CHIP

 

In Europe, there is no payment card issuing bank that issues cards without chips. The chip on a payment card is a single-purpose computer with all the trimmings, and perhaps that is why organized crime hasn’t managed to read the data on it. In April 2011 there were reports that British scientists had managed to break the secret of the chip. Maybe. But it's very distorted information, because it is not about skimming but about stolen payment cards, on which some layers are ground away and, under the microscope, two wires are soldered onto precisely designated spots and connected to a notebook to simulate to a payment terminal that the correct PIN has been entered. The required laboratory equipment is worth several million CZK, and it is certainly not possible to withdraw cash this way from ATMs, where the payment card is inserted into the interior of the machine.

From experience we can say that mounting expensive and unreliable anti-skimming devices on ATMs makes little sense and you can almost always find an ATM in the world that dispenses cash from payment cards without requiring a chip. For these cases, the term "financial tourism" is already being used.

On 5 November 2013, in a Czech Radio journal broadcast of the programme "Czechs have developed safety stamps, which will protect payment cards from copying", it was said, and I quote:

"According to the Czech Banking Association, banks already know about the stamps. However, they still have reservations about them, because according to them the stamp restricts the function of cards. For example, in front of some ATMs there are still doors that are opened with precisely the magnetic stripe of the card. If the stripe is sealed with a stamp, the customer can’t get to the ATM at all" ends the quote.

In the forensic laboratory we studied a skimming device that thieves did not put into an ATM, where such devices are normally found during the next replenishment of cash, but instead into the device controlling the entrance door to the ATM space, where it remained undiscovered for a long time. The thieves had your bank data before you even got to the ATM. It was by far the "most successful" use of skimming in history. The damage was considerable. So, if the entrance door to the ATM area doesn’t let you in, do not despair and search for another network, since this one is poorly set up and you run the risk of losing the money in your account. Reservations are not called for, as the opposite is true. The stamp protects your money in this case as well.

Currently, the sale of stamps has been suspended. We are preparing a new marketing plan.