Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

Banks Weak Against Credit Card Skimming Attacks

Gartner warns that anti-skimming standards and technologies aren't keeping up with recent spate of attacks, which can quickly net individual gangs $500,000 a month.

19 Gadgets That Changed The World
(click image for larger view)
Slideshow: 19 Gadgets That Changed The World

Want to make a cool $500,000 per month for you and your mules? Try card-skimming attacks.

Indeed, while Zeus-related exploits have lately been making headlines, "almost no focus has been given to a new type of flash attack that has hit several banks and payment processors I talked with over the last couple of weeks," said Avivah Litan, a VP and distinguished analyst at Gartner Research.

Such attacks are simple: crooks attach a credit card skimmer -- typically disguised to resemble the face of the targeted device -- to point-of-sale terminals, gas station pumps, or automatic teller machines (ATMs). According to the U.S. Secret Service, card skimming attacks already cost consumers and businesses at least $8 billion annually.

What's changing, however, is the scale and sophistication of such attacks. Rather than targeting a small group of stores, criminals may target chains of retailers and large numbers of stores, crossing state lines or geographical regions. Such an attack recently targeted Aldi stores in 11 Midwestern states.

The stolen card data is then compiled, condensed, and used to create fake ATM cards with PINs helpfully taped to the front. Next, at multiple locations across the country, money mules simultaneously make small withdrawals, using approximately five stolen cards in turn. Within 10 minutes, a gang can amass $100,000, said Litan. "Repeat this exercise a few times more over the course of the month. At the end of the month, the total heist can add up to $500,000.

One underlying issue is that many stolen credit card numbers don't appear to be going out of circulation. "One banker just told me that his bank is still seeing fraud on cards allegedly stolen during the Heartland Payment Systems breach," she said. For the record, the Heartland breach occurred in January 2009.

How can skimming attacks be stopped? "The only successful fraud mitigation strategy I've seen that works in practice today is that once the first round of fraud is discovered, an acquiring processor or a payment network tries to figure out the point-of-compromise for these cards," said Litan, then blocks those cards and issues new ones. While this approach can be costly, she says it's a far better alternative to seeing consumers' accounts drained.

Going forward, however, the best solution will be "stronger cardholder authentication," such as adding chip and PIN microchips to credit and debit cards, she said. While widely used in Europe, credit card issuers have yet to introduce similar security technology in the United States or Canada.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 6/4/2020
Data Loss Spikes Under COVID-19 Lockdowns
Seth Rosenblatt, Contributing Writer,  5/28/2020
Abandoned Apps May Pose Security Risk to Mobile Devices
Robert Lemos, Contributing Writer,  5/29/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-13777
PUBLISHED: 2020-06-04
GnuTLS 3.6.x before 3.6.14 uses incorrect cryptography for encrypting a session ticket (a loss of confidentiality in TLS 1.2, and an authentication bypass in TLS 1.3). The earliest affected version is 3.6.4 (2018-09-24) because of an error in a 2018-09-18 commit. Until the first key rotation, the TL...
CVE-2020-10548
PUBLISHED: 2020-06-04
rConfig 3.9.4 and previous versions has unauthenticated devices.inc.php SQL injection. Because, by default, nodes' passwords are stored in cleartext, this vulnerability leads to lateral movement, granting an attacker access to monitored network devices.
CVE-2020-10549
PUBLISHED: 2020-06-04
rConfig 3.9.4 and previous versions has unauthenticated snippets.inc.php SQL injection. Because, by default, nodes' passwords are stored in cleartext, this vulnerability leads to lateral movement, granting an attacker access to monitored network devices.
CVE-2020-10546
PUBLISHED: 2020-06-04
rConfig 3.9.4 and previous versions has unauthenticated compliancepolicies.inc.php SQL injection. Because, by default, nodes' passwords are stored in cleartext, this vulnerability leads to lateral movement, granting an attacker access to monitored network devices.
CVE-2020-10547
PUBLISHED: 2020-06-04
rConfig 3.9.4 and previous versions has unauthenticated compliancepolicyelements.inc.php SQL injection. Because, by default, nodes' passwords are stored in cleartext, this vulnerability leads to lateral movement, granting an attacker access to monitored network devices.