Skimming Devices Target Debit Card Readers

To stop criminals from stealing credit card and debit card data, Stop & Shop supermarkets do not store the information the cards contain. Once a shopper swipes his or her card at the counter, the data is sent to an external firm for processing.

However, Ahold NV and its clients have learned that such precautions do not assure the continued security of information. Debit card data for over 1,000 shoppers were reportedly stolen by criminals. The thieves had covertly swapped some of the retailer’s card-swipe units with their own, which integrated electronic recording devices known as “skimmers.” Over $100,000 worth of fraudulent ATM withdrawals were made before the thieves were caught.

This blatant data breach emphasises a critical vulnerability of the computerised point-of-sale (POS) terminals used by retailers. Criminals using “skimming” units built with circuit boards and mobile wireless devices can intercept payment-card information from card-reader systems. Once the data has been stolen, it can be exploited to produce counterfeit credit cards or else sold to other thieves. These skimmers are mounted in ATMs as well, although such scams rely more on cameras.

Security professionals note that these POS-related data breaches are more widespread than, say, the type of incident experienced by off-price retailer TJX Corp, wherein hacker thieves gained access to its central database and made off with information on thousands of customers. Data fraud in the retail sector occurs more often than phishing exploits, wherein users online are tricked into revealing card and other financial details.

Robert McCullen is the CEO of AmbironTrustWave Holdings, a security firm based in Chicago that services some 30,000 businesses. He notes that within the last two years, his firm has responded to over 200 POS breach incidents, and its 2006 caseload is twice that of the past year. Gartner analyst Avivah Litan recently reported that some 80% of all credit-card data fraud involves POS terminals and related equipment.

The few cases that do not involve skimming are frequently attributed to the theft of stored data, even though such storage of unprotected customer records violates credit-card firm regulations. In addition, shops with internet-linked retail systems at times neglect to change default passwords, or else fail to install antimalware protections or firewalls that harden systems against exploits.

One of the reasons why POS systems are so exposed is that, of the approximately 12 million machines in the U.S., almost all use four-decades-old magnetic stripe technologies. Industry experts know that these systems are hardly proof against the kind of high-tech devices now available to thieves.

Criminals can readily find skimming devices in open markets. “Right now, you could walk into a computer shop in Malaysia and purchase one of these units for about $200,” noted Kiran Gandhi, VP for business at MagTek, a Carson, CA maker of card-security systems.

Magnetic stripe technology was developed by International Business Machines (IBM) for use by the Central Intelligence Agency in limiting access to buildings. Widespread acceptance of magnetic stripe systems in the financial industry followed in the 1970s.

At a net cost of about 35 cents per card, magnetic stripe equipment is not that expensive to produce. However, every card contains just enough storage for the consumer’s name plus a few figures. “For bad people, these magnetic stripe and PIN systems represent a pot of treasure,” Gartner analyst Ms. Litan noted.