Friday, March 29, 2013

Card skimming goes viral

It should come as no surprise that if most computer criminals are interested in money, they would go where the money is. As a report this morning indicates, often that means either banks or points of sale.

That in itself is nothing new. For years gas pumps and ATMs have been targeted, often by hiding tiny magnetic readers that read the data on your credit or debit card when you insert it into the machine.  As technology progresses, those once easily-recognized additions have gotten smaller and smaller, to the point that they may be very difficult to recognize, or even be inside the machine where you cannot see them.

Today's report highlights a different approach, one that is far more difficult to detect. Russian-based security company Group-IB recently discovered malware called “Dump Memory Grabber,” which it believes has already been used to steal debit and credit card information from customers using major US banks. Unlike most malware (commonly called computer viruses) you may be familiar with, this malware is actually installed on the ATM or the point of sale registers/kiosks. It harvests everything the device obtains from the user - including everything from the mag stripe as well as potentially the PIN.
What is the paranoid consumer to do? Well, there isn't much you can do to avoid this kind of fraud if the device you use has been compromised, but the same tips often spoken apply here. Only use well-lit, well-travelled ATMs and kiosks; if tamper-evident tape is used on the device, look to be sure it has not been tampered with; and walk away if something feels wrong.

These steps won't guarantee your card will never be swiped though. I do a few additional things to minimize the personal risk. First and foremost, I NEVER use a debit card or ATM card for purchases. Consumer protections laws (in the US at least) for debit cards are not nearly as strong as the same for credit cards, and a debit card is linked directly to a checking account. With a debit card, if a thief gets the number and my PIN, they have direct access to drain my account. With a credit card (paid in full every month! no sense in trading illegal scams for the perfectly legal trap of interest-laden revolving credit...), there is a degree of separation between purchase transactions and my bank account.

Additionally, I use Quicken financial management software (there are a few others that would work) that downloads transactions daily, so I know within a day or two of a fraudulent charge and can do something about it immediately, rather than finding out at the end of the month.

Bottom line: be smart and keep a healthy degree of paranoia about you.

Do you have something to add? A question you'd like answered? Think I'm out of my mind? Join the conversation below, reach out by email at david (at), or hit me up on Twitter at @dnlongen