Monday, November 20, 2006

ATM Skimming Case Travels to 19 Countries on 5 Continents

Skimming device (courtesy of the "ATM Pool" at Flickr)


Police in the United Kingdom are calling an ATM skimming case, one of the biggest of it's kind. ATM skimming is where a debit-card's magnetic stripe is counterfeited (cloned) and the PIN (personal identification number) is compromised - normally with a hidden camera.

Official's estimate the fraud has already netted about $4.5 million and the counterfeit cards have been used in 19 countries and five continents.

According to the story published in the SundayMirror.co.uk:

The scam was uncovered after police launched an investigation - codenamed Operation Turner - after receiving 560 complaints. Detective Sergeant Dick Bollard, who is leading the probe, said: "This is one of the biggest scams of its kind. It's a very large and complex investigation which is expected to take a considerable amount of time.

"The investigation is ongoing and we are looking into a number of leads in the UK and abroad." A spokesman for trade organisation APACS, which helps banks fight fraud, said: "These scams have involved copying a card's magnetic strip and in cases filming a driver keying in a PIN number by using some sort of hidden camera.

SundayMirror.co.uk story, here.

Two suspected dishonest employees at BP gas stations (where the devices were planted) have been arrested. One of them might be an illegal immigrant, also.

If the cards have been used in 19 countries so far, it's safe to assume that the people behind this are pretty organized. Although no one ever knows for sure, there might be Internet chatrooms (forums) - where Internet fraudsters gather to barter and sell stolen information spreading the activity.

The UK has had a lot of this skimming lately and I did a recent post about it where Romanian Illegal Immigrants were to blame.

And the UK isn't the only place that is having problems with debit-card skimming at gas stations. A similar case happened at Arco stations in California and there have been many other instances, worldwide.

BP owns Arco in the United States.

Although a lot of skimming is attributed to devices being placed on (self service) point-of-sale terminals and ATM machines, there has been recent evidence cards are also being cloned after databases have been hacked at retailers.

Some who investigate this believe that the people behind this intentionally hold on to the stolen information before using it to frustrate investigative efforts that would discover their techniques, or operations. In some recent cases, the authorities could only speculate, which of the known breaches, an individual person's information was stolen in.

Skimming can also be accomplished by retail, or restaurant employees using portable "encoding devices." Unfortunately, most of the technology used is legal and can even be bought on eBay.

It pays to keep an eye on your card to make sure it isn't being swiped more than once.

There's probably not much an individual person can do when entire databases are compromised, but an individual can shield their PIN when using their debit card (strongly recommended).

At least if they don't have your PIN, they can't get cash; however they might still be able to use the card number for signature based, or e-commerce transactions. Note that credit-cards are cloned for the same purpose.

Last, but not least - debit cards don't offer the same protection as credit cards do. If you expect to recover your money, the allowed time frame to file a claim is a lot less than with a credit card.
It's a good idea to watch your statement carefully.

If you would like a more visual demonstration of how skimming occurs, Visa has a pretty telling page (portable devices), here.

Flickr has a link to a public group pictures of ATM machines, including skimming devices, here.

There are a lot of eyes out there (customers and employees) that might spot a suspicious device - if you do - never touch it and make sure you report it to law enforcement (immediately). Since the activity normally occurs in public (retail) spaces, an educated individual could very well make the difference in cracking one of these cases. Remember that anyone near the device - no matter how official they look - might be involved, themselves.

No comments: