November 16, 2016
Skimming devices discovered earlier this month at several Primark clothing stores, including two locations in the Philadelphia suburbs, highlighted an advancing criminal front in the battle to protect consumers from fraud.
Criminals have targeted ATM machines for years, installing skimming devices that steal card information. But now skimming devices are beginning to appear on point-of-sale terminals inside retail outlets, as they did at Primark stores at the Willow Grove Park and King of Prussia shopping malls.
They're also becoming much harder to detect. So much so that Special Agent Brian T. Herrick, who has worked cybersecurity cases for the FBI for 14 years, said the Primark devices might have fooled him.
"Some of the initial devices we would find on ATMs were pretty primitive," said Herrick, who heads the FBI's Philadelphia cyber crime division. "Really, if you just took a close look at the ATM, you could probably see the paint color didn't match and a different kind of material was used in the skimmer versus what was on the machine. Now, they're getting so good, they're really hard to distinguish."
Skimming devices discreetly fit over card readers, enabling criminals to steal an owner's digital payment information – and their money. Many skimming devices are smaller than a deck of cards. But others, like the ones used at Primark, fit snuggly over a point-of-sale terminal.
Herrick sat down with PhillyVoice last week to highlight the advances made in skimming technology and offer advice on what consumers can do to protect themselves.
With the holiday shopping season almost upon us, here's what you should know:
Previously, law enforcement officials would urge consumers to be mindful of the ATM card readers they used. If the colors of the card reader didn't match the machine, or duct tape or wiring was hanging out, it probably is not a safe place to insert your card.
That advice still applies, but criminals have gotten better at disguising skimming devices on the machines they target. They've been helped by increased popularity of 3D printers, Herrick said.
"You can, really in your basement, manufacture certain products that had to have been manufactured in a true manufacturing process before," Herrick said. "With a 3D printer, you can create things in different shapes and dimensions that you can lay circuitry over. Now, you've got an insert that you can put into a machine that fits perfectly."
Built to specifications, skimming devices are easier to place over point-of-sale terminals.
"You're looking at a device that, on the front, looks like every other device you'd use at the Acme," Herrick said. "But on the inside ... it's just recording all of the information off of it. Obviously, it's recording the magstripe as well."
That magnetic stripe contains vital information, including your account number, personal information and PIN number.
Additionally, many criminals are installing small, pinhole cameras that capture users inputting their PIN numbers as the skimming device simultaneously records the card information.
"It's one thing to take the data off of the card, but without the PIN, it's kind of useless," Herrick said.
Sometimes, Herrick said, criminals need to make a modification to the ATM they have selected to install a skimmer. They might need to drill a hole into the machine to force a plate onto it, thereby damaging the machine.
But perfectly-fitted skimming devices can be installed within seconds.
"You just have to wait for the cashier to turn around for a second," Herrick said. "'Price check in Aisle Three.' Now this device was just laid right in place. They just let it run all day and come back ... and pull it right off."
Criminals often work in tandem, Herrick said. One might serve as a lookout as the other installs the device. Or, if someone has access to a retail outlet, they can install it after hours.
Skimming devices are not left attached for more than 12 to 24 hours, Herrick said. Most devices don't have the battery power to last much longer. Plus, the longer it remains attached to a device, the higher likelihood someone will discover it.
Anyone who witnesses someone tampering with an ATM or point-of-sale terminal should contact police, Herrick said. But he warned against intervening, noting they are criminals.
"We don't want people to be heroes," Herrick said. "We want people to be good witnesses."
For several years, banks and credit card companies have been issuing chip cards that store encrypted personal information within a microchip. The technology offers "infinitely" more security than the Mac stripe, Herrick said.
But that doesn't mean criminals aren't trying to get around it.
Herrick displayed a skimming device, used at a point-of-sale terminal, that included a slot to insert chip cards.
"This one doesn't read anything, but they're designing them to have the slot in them to be able to read that information," Herrick said. "That information is encrypted, which is a good thing, but I don't think it's going to be that long before that information is decrypted and readable."
The criminals installing skimming devices onto ATMs and point-of-sale terminals typically are not acting on their own, Herrick said. Often, they have some connection to an organized criminal group.
"If we trace the money, if we trace the activity, it goes back to a lot of Eastern European crime syndicates," Herrick said. "They're these groups that go all over the country."
Organized crime groups, long known for making money via threats of violence, have grown more sophisticated, Herrick said. Now, they're recognizing the money computer hackers can bring them. Skimming is part of that.
"Those same criminal groups realized the money that computer hackers can bring it," Herrick said. "It pales in comparison to the amount of money they get from knocking people up with baseball bats. So the organized criminal groups have gotten in bed with the computer hackers. ... They do it a lot safer, because there's no violence, there no physical interaction with the people that have been victimized."
"We want the public to be aware that this exists," Herrick said. "The best way to protect against it used to be by looking at (devices). Nowadays, it's just making sure you're checking your accounts really often."
Today's technology enables people to check their bank and credit card statements at any time. Consumers no longer have to wait for a 30-day statement to arrive in the mail. If people are regularly checking their accounts, fraud can be caught much faster.
Banks and credit card companies also utilize geolocation technology to flag suspicious transactions. But criminals know this, so cardholders cannot solely depend on banks to alert them to all potentially fraudulent purchases.
"They're going to go and commit fraud using white plastic in places that are proximal to your address of record," Herrick said. "Because they know that the banks are going to cut transactions off, if they're not in a certain geographic area."
If a consumer sees a suspicious transaction, he should contact his bank, Herrick said.
"Work with the bank and their fraud detection department to try to figure out where it came from," Herrick said. "Then they'll work with local police to try to identify where your card may have been used. Typically, they can see with pretty good specificity the last place your card was used."
Law enforcement officials then can inspect the ATMs or point-of-sale devices for skimming devices, potentially preventing other people from being victimized.