Skimming

from Wikipedia, the free encyclopedia
Manipulated ATM (BKA booth, Hessentag 2016):
- Bar with mini camera above the keyboard (small hole)
- Additional card reader in front of the card slot
- Attachment of a plate with deceptively real-looking keyboard

Skimming is an English term for a man-in-the-middle attack that illegally spies on credit card or bank card data for credit card fraud. “With skimming, card data is obtained illegally by reading data from magnetic strips and copying it onto counterfeit cards.” The counterfeit card is then used to withdraw cash or make payments at the expense of the rightful cardholder.

Details

A typical attack pattern is the simultaneous spying out of the magnetic stripe content of the credit or debit card together with the PIN at an ATM. The data on the EC card are then typically applied to an empty card blank (so-called white plastic), with which the fraudsters can then, together with the PIN, withdraw cash from ATMs (account pillage). Since the card remains with its owner, the account holder as a rule notices this attack only when picking up the bank statements or when the bank intervenes over the overdraft credit facility.

In the meantime, different variants have been described for ATMs. What they have in common is that the progressive miniaturization of the reading devices makes manipulating the machines much simpler. One variant is to attach a reader in the form of a small plastic frame to the slot directly at the ATM. The card is then simply pulled through the additional reader into the machine and the contents of the magnetic strip are read out. Alternatively, incidents are also reported in which an additional reader was installed in the door opener of the branch (often even access to the vestibule with the ATM requires the use of the card). With deep insert skimming, extremely thin “card reading bugs” are inserted directly into the card slot of an ATM. These bugs consist of a metal plate with a reading unit, memory chip and a very thin battery cell.

Entering the PIN is usually filmed with a small wireless camera, which is often hidden above the keyboard in a glued-on plastic bar (so-called "camera bar"). This is usually barely noticeable, even for suspicious users. Whole keypad dummies (skimmers) are also used, which are glued over the actual keypad and simply record the keystrokes. Even with thermal imaging cameras, the PIN can still be read from the keyboard after it has been entered.

These attack patterns are possible because access to the card data is controlled by the reader, not by the chip on the card itself, as is the case with modern smart cards. The card data is unprotected on the magnetic strip and can be read by anyone. This is different with smart cards: on the one hand, only part of the content can be read out; on the other hand, the card itself checks that the PIN is entered correctly and locks itself after a certain number of unsuccessful attempts. Since many ATMs abroad are not (yet) designed for smart cards (for example in North, Central and South America), many of the credit cards or bank cards issued still contain a magnetic strip for reasons of compatibility, even if they are equipped with a chip, which favors skimming.
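The difference described above can be modelled in a few lines. This is an added example, not part of the original article: the class names, the three-attempt limit, the sample account strings and PIN, and the keyed challenge-response (standing in for the part of the chip that cannot be read out) are all assumptions of the sketch.

```python
import hashlib
import hmac
import os

MAX_PIN_TRIES = 3  # assumed limit; the article only says "a certain number"

class MagStripeCard:
    """Everything on the stripe is handed to any reader; the card enforces nothing."""
    def __init__(self, data):
        self.data = data
    def read(self):
        return self.data  # no PIN, no access control

class SmartCard:
    """The chip decides what leaves the card and checks the PIN itself."""
    def __init__(self, account, pin, key):
        self.account = account            # the readable part
        self._pin, self._key = pin, key   # never handed to a reader
        self._tries_left = MAX_PIN_TRIES
    def read(self):
        return self.account
    def respond(self, pin, challenge):
        """Answer a terminal challenge only after an on-card PIN check."""
        if self._tries_left == 0:
            return None                   # card has locked itself
        if not hmac.compare_digest(pin, self._pin):
            self._tries_left -= 1
            return None
        self._tries_left = MAX_PIN_TRIES
        return hmac.new(self._key, challenge, hashlib.sha256).digest()

def issuer_accepts(key, challenge, response):
    expected = hmac.new(key, challenge, hashlib.sha256).digest()
    return response is not None and hmac.compare_digest(expected, response)

def demo():
    stripe = MagStripeCard("ACCT-CONSTRUCTED-0001")   # constructed sample data
    copy = MagStripeCard(stripe.read())               # what a second reader saw
    key, challenge = os.urandom(16), os.urandom(8)
    chip = SmartCard("ACCT-CONSTRUCTED-0002", "4821", key)
    genuine_ok = issuer_accepts(key, challenge, chip.respond("4821", challenge))
    # A copy built from the readable part (even with the PIN) lacks the key.
    clone = SmartCard(chip.read(), "4821", os.urandom(16))
    clone_ok = issuer_accepts(key, challenge, clone.respond("4821", challenge))
    for _ in range(MAX_PIN_TRIES):                    # repeated wrong PINs
        chip.respond("0000", challenge)
    locked = chip.respond("4821", challenge) is None
    return copy.read() == stripe.read(), genuine_ok, clone_ok, locked

if __name__ == "__main__":
    print(demo())
```

The magnetic-strip copy is indistinguishable from the original, while the copy of the chip card's readable part is rejected and the genuine chip card refuses even the correct PIN once it has locked itself.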

The perpetrators proceed similarly with credit cards. Here the victim's card is, for example when paying in a restaurant, pulled through a second reader in addition to the regular card reader.

Unless the victim acted with gross negligence, the respective bank will compensate for the damage incurred. If data theft is suspected, a card can be blocked at the central contact point for blocking electronic authorizations (emergency number 116116).

With anti-skimming modules, the combined use of several defense mechanisms can make skimming almost impossible.

Statistics

Registered tampering with ATMs (Germany)

| Year | Manipulations | Equipment | Damage incurred |
|------|---------------|-----------|------------------|
| 2005 | 219           |           | 7 million euros  |
| 2006 | 308           |           | 11 million euros |
| 2007 | 1,349         |           | 21 million euros |
| 2008 | 2,387         |           | 40 million euros |
| 2009 | 2,058         | 964       | 40 million euros |
| 2010 | 3,183         | 1,765     | 60 million euros |
