BitDepth 506 - January 10
07/01/09 09:51 Filed in: BitDepth - January 2006
ATM conmen apply social engineering to crude technology to seize cardholder information...
For plastic, high tech tools
This recreation of a successful card snatch was inspired by surveillance photos captured by ATM cameras. Photography by Mark Lyndersay.
Bankers have done a good job of eliminating checks from day to day commerce. These days it’s a toss-up between a sneer of contempt or a stifled laugh if you ask a cashier if they will accept a personal check. Some business places don’t even bother to post a note warning that they don’t accept checks any more. It’s as if check leaves had suddenly become a malodorous reminder of a simpler time, when trust was currency at the grocer’s or the parlour.
Well, those times are over now. The migration of commerce to plastic has brought greater sophistication to those who would separate the inattentive from their money.
Fraud perpetrated at the local level stings bankers particularly deeply, since limits on an acknowledged fraud situation leave them holding the bag when con men get hold of debit card information.
One favoured location for getting that crucial data is the ATM, where technology confusion meets reassuring guile with disastrous results.
ATM stalkers have enjoyed stunning success with the “Lebanese Loop” caper, a clever mix of technology crippling and social engineering that’s executed right in front of the watchful cameras built into ATM terminals.
Here’s how it works.
First, someone enters the ATM, inserts a strip of plastic into the machine and glues it into place. The strip, usually made of x-ray film, is bent in the middle so that the card can’t advance into the machine and its magnetic stripe can’t be read.
As the mark struggles with the card, someone offers to help. That someone, in recent incidents, has been a pregnant woman who offers to call the bank on her cell. The mark, trusting the veneer of innocence implied by the pregnancy, accepts assistance, chats with the person on the phone and offers up their PIN in exchange for some tips that don’t help.
Once the mark is gone, the card is retrieved and matched up with the PIN and the spending and withdrawals begin. This particular exploit cost banks in Trinidad and Tobago half a million dollars in 2005.
What keeps Anthony St Clair and his peers at the other banks on the phone with each other is just how sophisticated and widespread this and other cons have become in recent years.
“Once it was a few people,” says St Clair, “and you could see the patterns. Now it’s more widespread and in a single night ATMs as far apart as St James and Penal will be targeted. There are more players in this game now, and lots of trainees being recruited.”
“We’re even more concerned by trends that suggest that this isn’t just a hustle. These incidents of fraud are just part of more organised and threatening criminal activity.”
There’s evidence that savvy crooks are using modern technology to create excellent copies of driver’s permits and ID cards, which lubricate the spending that freshly captured debit cards can enjoy.
The only solution is smarter identification cards and permits, which embed machine-readable data in harder-to-crack formats. Both Visa and Mastercard are pushing for the adoption locally of “smart cards” by 2007.
These enhanced credit cards use more sophisticated methods than a magnetic stripe to hold greater amounts of personal data.
But the greatest deterrent to fraud is always going to be a better informed card holder.
Tips for card holders.
Do not reveal your PIN to anyone. Nobody has a right to ask for it.
Memorise your PIN. Any written reminder is a vulnerability.
Online, shop with larger, trusted institutions and be sure that your financial information is being entered on a secure area of the site (your browser will display a small lock and the web address should now begin with https).
Review your transaction statements carefully. Some exploits are “trickles”: small amounts taken over a long time.
If you shop regularly online, consider an “Internet-only” card with a reduced balance that you can pay special attention to.
Don’t respond to e-mails that make tempting offers with clickable links that you are otherwise clueless about.
Be wary in an ATM outlet. Evaluate your surroundings and other people who may be in the space with you. Exercise discretion.
Shred old credit cards and destroy old financial statements carefully.
Report any potential misuse of your card or account to your bank’s card centre immediately. Don’t wait for Monday morning.