Skimmers have matured over the years, from obvious devices that can be recognized by almost anyone looking for something out of the ordinary, to ones that even experts have a hard time spotting. Skimmers are often inserted inside device cabinetry, where they can't be seen. Some include wireless Bluetooth connections so that hackers can pull up a short distance away and retrieve all the stolen information, rather than having to retrieve the device itself.
Skimmers often insert dozens of devices in a common geographic area — often near highways for quick getaways — and use the stolen information to generate new, fraudulent cards. They then hire a large gang of people to withdraw money or use the cards — either in stores selling expensive merchandise that they can resell or return, or online. This is done quickly, usually within a few hours. By the time the card providers have detected or been notified of the fraud, the skimmers have made their profit and escaped capture.
Brian Krebs, who provides deep coverage of the latest skimming devices and news, recently reported a victory of sorts against card-skimming technology. In this case, police hid GPS-tracking devices in active skimming devices they had discovered. When the bad guys showed up to remove their devices, the police were able to track and arrest them. Of course, as Krebs mentioned, when word of GPS tracking gets around, the bad guys will increase their use of Bluetooth communications to keep from having to physically remove their skimming devices. For now, the cops are in the fight.
Extreme hack No. 4: Wireless card hacking
If your credit or debit card contains an RFID "contactless" payment mechanism, such as MasterCard PayPass or American Express ExpressPay, its information can likely be read by a hacker who walks by your wallet or purse. This is because any nonprotected RFID device can be hacked, including RFID-enabled passports, building access cards, and product tracking stickers.
RFID transmitting devices contain almost no security. "Energize" the RFID transmitter, using low-voltage radio waves, and it will transmit the information it contains. Credit card magnetic stripes are as insecure and can be read by any magnetic stripe reader, which goes for about $15 and is readily available on the Internet. The difference is that RFID readers make it possible to scoop information without ever coming in contact with the card.
Walk within three feet of a malicious RFID reader, and you are hacked. Over time that distance will likely increase; some RFID hacking experts predict hacking distances of several hundred feet within five years, which would enable one malicious hacker to collect thousands of victim cards an hour simply by stationing themselves at a busy city intersection or building entrance.