Credit Card Fraud: Harvesting Pin Numbers
Author: John Published Under: Information Security
Credit card fraud is the most costly type of fraud, which affects millions of people every year. One of the biggest hurdles for the criminal is getting the credit card numbers, expiration dates, and pins. Once this is overcome, it is simply a matter in investing in some printing equipment or using an expired credit card and the criminal is ready to go. More and more, criminals are looking to the ATM as their source of credit card numbers, as they are often not well protected and easy to manipulate.
What is a Pin Number?
One of the most dangerous things that a credit card thief can get their hands on is your pin number. The pin number is usually a random set of numbers, which when used in combination with the credit car, allow the user to take out money at any of the millions of Automated Teller Machines(ATM) across the country.
For a criminal, having the PIN number makes committing credit card fraud much easier, as they can simply goto an ATM with some sort of mask on and withdraw money, without ever having to speak to anyone. If they do not have the PIN, then it becomes necessary to commit Card not Present Fraud or actually go into a merchant and use a fake copy of the credit card.
While the ATM is the most common place to use ones PIN, many people use them when they goto grocery stores, gas stations, and other brick and mortar retailers. This, however, is not necessary, because you can instead run the card as credit, which requires a signature, instead of entering the PIN.
The reason the ATM fraud is more common that grocery store fraud is that it is still necessary to obtain a copy of the credit card number, which, unless the thief is an employee at the store, is much more difficult than setting up a card skimmer on an unprotected ATM.
Going through the Mail
Since millions of people use ATMs everyday, this becomes the easiest source of both credit card numbers and credit card pins for criminals. However, the exception to this is when the criminal will actually steal a copy of the PIN number, which is usually only sent by the bank once, when the credit card is ordered.
Usually, the bank will send the credit card through the mail on one day, with the PIN following in a separate letter a few days later. This does thwart some types of credit card fraud, as the criminal can not just steal the credit card, but must also steal the separate pin number letter.
In some cases though, the criminal will perpetrate this type of theft, but it is only usually common if they A) know their victim or B) have already compromised their victims account and order the new card/PIN themselves, with the intention of intercepting it.
Shoulder Surfing and Friendly Faces
Since stealing the PIN from the mail is usually not only dangerous, but also very time consuming for the criminal, they instead go for the weakest point, which is, of course the credit card holder themselves. Shoulder surfing simply refers to when the criminal waits in line at an ATM and peeks over the shoulder of the victim as they enter their PIN number. At this point, they have already set up a credit card skimming device, so it is simply a matter of keeping track of the time that the card was entered and matching it with the PIN later.
Shoulder surfing is much easier in grocery stores and gas stations, as it is often possible to observe the victim from a distance, rather than standing right behind them. Of course, as stated above, it is also necessary to have a copy of the credit card, so the ATM is again a more common source, as to its ease of abuse.
Often, the criminal will start up a conversation with the victim or cause the ATM to malfunction, at which point they might tell the victim that they had similar problems last week and ended up having to enter their pin number several times. This puts the victim off their guard and might also cause the victim to enter their pin number consecutively, offering two chances of seeing it, instead of just one.
Cameras
Using a camera is in many ways similar to shoulder surfing, but instead of a person looking over the victims shoulder, the camera does the work. The criminal will install a camera at such an angle that it has a clear view of the ATMs key pad, so that whenever someone uses it, there is a video of them entering their PIN number.
There are many variations on the camera technique, with some criminals being as audacious to use cell phone cameras. Most, however, install a remote camera that transmits the video feed to a nearby computer. The camera may be physically attached to the ATM, often hidden under a packet of bank brochures, but it is also possible to use a camera with a powerful lens to view the keypad from a distance.
Camera fraud is also often committed in retail stores, as the security camera can usually be positioned in a manner that covers the cash register and keypad. Usually this type of credit card fraud is committed by an employee, rather than the actual owner of the store, but many stores leave their security systems largely open, so it is possible that a criminal may have figured out how to hack store security as well.
Cameras are not only used to capture PIN numbers, but also can be used to get the credit card number itself, although this method is typically only used by credit card thieves much lower on the pecking order.
Ghost Keypads
In a similar approach to the credit card skimmer, which is placed over the ATM's card slot, so that when a card is entered it is first scanned to the criminals computer, ghost keypads are becoming more common. The ghost keypad, or keypad overlay, is simply a fake keypad that is placed over the ATM's key pad.
When the victim keys in their pin, they press the ghost keypad, which sends the pin to the criminal, at the same time as using the real keypad. However, the type of ghost keypads that still allow the ATM's keypad to work are much less common, with most disabling the ATM's keypad, so that the victim enters their PIN number, but is not actually able to withdraw any money. They then leave to goto a different ATM, not realizing they have already given the criminal all they need.
Hacking the ATM
It is also possible for the criminal to physically hack the ATM, installing software that acts as a key logger, recording the PIN Number and Credit Card Details, before sending it off to the bank. Since, for all intensive purposes, looks completely legitimate, this type of ATM Fraud is very hard to detect, short of a physical audit of the machines software.
Often, due to the need for physical access to the ATM, this is perpetrated by the owner of the ATM, with some crime organizations setting up their own ATM Business with the express purpose of harvesting credit card details. In these cases, they offer higher fees for the merchants as an incentive to get their ATMs placed in the store.
However, since many ATMs run on Windows Software, there are a number of blatant security holes that a hacker could exploit with ease. It is not uncommon for the software to be out of date and to be running in Administrator mode, which means that anyone who access the system can install or change whatever software they want. This can be achieved by simply plugging in a USB stick, assuming auto-run has not been disabled. A number of recent cases in Europe have popped up, where ATMs running Windows were compromised.
The practice of criminals setting up their own ATM service has also become a very profitable endeavor. The criminal will purchase several ATMs and then ask store owners to place them in the store, usually in return for a higher percentage than legitimate ATM companies use.